[plug] grep -v on subnets

Onno Benschop onno at itmaze.com.au
Sat Mar 12 13:47:22 AWST 2022


Use a <() process substitution construct to feed the patterns from an
external file.

--
finger painting on glass is an inexact art - apologies for any errors in
this scra^Hibble

()/)/)() ..ASCII for Onno..

On Sat, 12 Mar 2022, 09:47 Brad Campbell, <brad at fnarfbargle.com> wrote:

> G'day all,
>
> I've knocked up a simple log processor in bash to dump ip addresses that
> access our zimbra server on a daily basis.
>
> It's not pretty but it works :
>
> LIST=`zcat $LOGNOW | \
>         grep -o 'oip=[^;]*' | \
>         sed 's/oip=//g' | \
>         sort | \
>         uniq | \
>         egrep -v '(^192\.168\.|^10\.8\.)' `
>
> At the moment it gives me a list like :
> 1.126.106.244
> 1.126.109.132
> 1.146.128.86
> 1.146.135.178
> 1.146.167.203
> 1.146.169.253
> 1.146.174.225
> 1.146.175.139
>
> That is yesterdays list and are all Telstra mobile CGNAT addresses. I'd
> like to be able to filter those based on the known telstra subnets and just
> leave the outliers (like the continuous stream of Russian bots hitting the
> EWS port scanning for Exchange vulnerabilities)
>
> What I'd like to be able to do is replace the final egrep with something
> that can handle subnets (and a list of them), for example : 1.128.0.0/11,
> 1.120.0.0/13, 192.168.0.0/16, 10.0.0.0/8
>
> Before I converted the whole thing to python and implemented subnet
> filtering I thought I'd ask and see if anyone has something clever they've
> used/seen.
>
> Regards,
> Brad
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
>
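As an added example for this thread (not code from Brad's or Onno's posts), the following does the CIDR matching Brad asked for in plain shell arithmetic, reading the subnet list from a file so it can be dropped in where the final egrep sits. The subnet list and the sample addresses are constructed for the demonstration; the file name `telstra.txt` in the usage note is a placeholder.

```bash
#!/bin/bash
# Added example for this thread (not Brad's or Onno's code): replace the final
# egrep with real CIDR matching done in shell arithmetic. The subnet list and
# the sample addresses below are constructed for the demonstration.

# ip2int 1.2.3.4 -> the address as a 32-bit integer (octets are assumed to
# carry no leading zeros, which the shell would otherwise read as octal)
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> succeeds when IP lies inside CIDR, e.g. 1.128.0.0/11.
# A bare address without a prefix length is treated as a /32.
in_cidr() {
    local ip net bits mask
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    case "$2" in
        */*) bits=${2#*/} ;;
        *)   bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# filter_subnets SUBNET_FILE: reads addresses on stdin and prints those that
# fall in none of the listed subnets, i.e. the outliers worth looking at.
# Blank lines and lines starting with '#' in SUBNET_FILE are ignored.
filter_subnets() {
    local ip s keep
    while read -r ip; do
        if [ -z "$ip" ]; then
            continue
        fi
        keep=1
        while read -r s; do
            case "$s" in ''|'#'*) continue ;; esac
            if in_cidr "$ip" "$s"; then
                keep=0
                break
            fi
        done < "$1"
        if [ "$keep" -eq 1 ]; then
            printf '%s\n' "$ip"
        fi
    done
}

# Demonstration with a constructed subnet list and a constructed day's list
subnets=$(mktemp)
printf '%s\n' 1.128.0.0/11 1.120.0.0/13 192.168.0.0/16 10.0.0.0/8 > "$subnets"
printf '%s\n' 1.126.106.244 1.146.128.86 192.168.1.5 10.8.0.1 203.0.113.7 \
    | filter_subnets "$subnets"   # prints only 203.0.113.7
rm -f "$subnets"
```

In Brad's pipeline the last stage becomes `... | sort -u | filter_subnets telstra.txt`, with one CIDR per line in the file. Onno's `<()` suggestion still fits if the subnets are generated on the fly, e.g. `filter_subnets <(printf '%s\n' 1.128.0.0/11 1.120.0.0/13)`, since the function only needs something readable by name. The inner loop re-reads the file for every address, which is fine for a daily list of a few hundred entries but worth replacing with a prefix lookup if the input grows to millions of lines.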