[plug] grep -v on subnets

Thomas Cuthbert tcuthbert90 at gmail.com
Tue Mar 15 23:49:04 AWST 2022


I use rgxg on a daily basis for grepping firewall rules and logs. Before
that I used grepcidr but didn't like how it was a standalone grep tool.
rgxg just generates the regex string so you can use it in sed/awk/grep.
Anything more advanced I'd look at tokenizing addresses into arrays or use
perl -e/python -c standard ip modules.

If you want to get a list of blocks owned by an organisation you can query
ARIN's whois service or query an internet routing registry like RADb.

https://rgxg.github.io/
https://www.radb.net/support/tutorials/how-to-query-merit-radb.html


On Sat, 12 Mar 2022, 9:47 am Brad Campbell, <brad at fnarfbargle.com> wrote:

> G'day all,
>
> I've knocked up a simple log processor in bash to dump ip addresses that
> access our zimbra server on a daily basis.
>
> It's not pretty but it works:
>
> LIST=$(zcat "$LOGNOW" | \
>         grep -o 'oip=[^;]*' | \
>         sed 's/oip=//g' | \
>         sort | \
>         uniq | \
>         egrep -v '(^192\.168\.|^10\.8\.)')
>
> At the moment it gives me a list like:
> 1.126.106.244
> 1.126.109.132
> 1.146.128.86
> 1.146.135.178
> 1.146.167.203
> 1.146.169.253
> 1.146.174.225
> 1.146.175.139
>
> That is yesterday's list and they are all Telstra mobile CGNAT addresses. I'd
> like to be able to filter those based on the known Telstra subnets and just
> leave the outliers (like the continuous stream of Russian bots hitting the
> EWS port scanning for Exchange vulnerabilities).
>
> What I'd like to be able to do is replace the final egrep with something
> that can handle subnets (and a list of them), for example : 1.128.0.0/11,
> 1.120.0.0/13, 192.168.0.0/16, 10.0.0.0/8
>
> Before I converted the whole thing to python and implemented subnet
> filtering I thought I'd ask and see if anyone has something clever they've
> used/seen.
>
> Regards,
> Brad
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
>
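The question asks for a replacement for the final egrep that understands CIDR blocks, and the reply points at the standard ip modules in python. The following is an added example, not code from either poster: it reimplements the whole pipeline (extract the oip= field, dedupe, drop anything inside a list of subnets) with Python's ipaddress module, so membership is decided on network masks rather than on a regex over the dotted text. The log lines and addresses are constructed for the example; the subnet list is the one given in the question.

```python
import ipaddress
import re
from typing import Iterable, List

# Constructed sample lines in the shape of the zimbra audit log entries the
# pipeline in the question greps (the oip= field carries the client address).
# Every line and address here is made up for the example.
SAMPLE_LOG = """\
2022-03-11 00:01:02,123 INFO [qtp-1] [name=user1@example.com;oip=1.146.128.86;ua=zclient;] security - cmd=Auth;
2022-03-11 00:01:05,456 INFO [qtp-2] [name=user2@example.com;oip=192.168.10.5;ua=zclient;] security - cmd=Auth;
2022-03-11 00:02:10,789 INFO [qtp-3] [name=user3@example.com;oip=203.0.113.77;ua=curl;] security - cmd=Auth;
2022-03-11 00:02:11,001 INFO [qtp-3] [name=user3@example.com;oip=203.0.113.77;ua=curl;] security - cmd=Auth;
2022-03-11 00:03:00,002 INFO [qtp-4] [name=user4@example.com;oip=10.8.0.12;ua=zclient;] security - cmd=Auth;
2022-03-11 00:03:30,003 INFO [qtp-5] [name=user5@example.com;oip=1.126.106.244;ua=zclient;] security - cmd=Auth;
2022-03-11 00:04:00,004 INFO [qtp-6] [name=user6@example.com;oip=10.80.1.1;ua=zclient;] security - cmd=Auth;
"""

# The blocks named in the question: two Telstra ranges plus two RFC 1918 blocks.
KNOWN_BLOCKS = ["1.128.0.0/11", "1.120.0.0/13", "192.168.0.0/16", "10.0.0.0/8"]

OIP_RE = re.compile(r"oip=([^;]*)")


def extract_oips(lines: Iterable[str]) -> List[str]:
    """Python equivalent of `grep -o 'oip=[^;]*' | sed 's/oip=//g' | sort | uniq`."""
    seen = set()
    for line in lines:
        for match in OIP_RE.finditer(line):
            seen.add(match.group(1))
    return sorted(seen)


def compile_networks(cidrs: Iterable[str]) -> list:
    """Parse the CIDR strings once; strict=False tolerates host bits set in the prefix."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def outliers(addrs: Iterable[str], networks: list) -> List[str]:
    """Return the addresses that fall inside none of the networks.

    Tokens that do not parse as an IP address are kept rather than dropped,
    so a malformed or truncated oip= field shows up in the output instead of
    disappearing silently. An IPv6 address is never 'in' an IPv4 network, so
    it is kept as well unless an IPv6 block is on the list.
    """
    kept = []
    for token in addrs:
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            kept.append(token)
            continue
        if not any(ip in net for net in networks):
            kept.append(token)
    return kept


def daily_outliers(lines: Iterable[str], cidrs: Iterable[str] = KNOWN_BLOCKS) -> List[str]:
    """Whole pipeline: extract, dedupe, and drop anything inside the known blocks."""
    return outliers(extract_oips(lines), compile_networks(cidrs))


if __name__ == "__main__":
    # With the sample above only the 203.0.113.77 client survives the filter.
    for addr in daily_outliers(SAMPLE_LOG.splitlines()):
        print(addr)
```

Feeding it the real log is a matter of `daily_outliers(gzip.open(path, "rt"))`, and the subnet list can be read from a file so the Telstra ranges can be maintained separately from the script. Because membership is computed on the address, a block such as 10.0.0.0/8 catches 10.80.1.1 without any of the dot-escaping or anchoring care that the egrep version needs.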