[plug] grep -v on subnets

Thomas Cuthbert tcuthbert90 at gmail.com
Tue Mar 15 23:49:04 AWST 2022

I use rgxg on a daily basis for grepping firewall rules and logs. Before
that I used grepcidr but didn't like how it was a standalone grep tool.
rgxg just generates the regex string so you can use it in sed/awk/grep.
Anything more advanced I'd look at tokenizing addresses into arrays or use
perl -e/python -c standard ip modules.

If you want to get a list of blocks owned by an organisation you can query
ARIN's whois service or query an internet routing registry like RADb.


On Sat, 12 Mar 2022, 9:47 am Brad Campbell, <brad at fnarfbargle.com> wrote:

> G'day all,
> I've knocked up a simple log processor in bash to dump ip addresses that
> access our zimbra server on a daily basis.
> It's not pretty but it works :
> LIST=`zcat "$LOGNOW" | \
>         grep -o 'oip=[^;]*' | \
>         sed 's/oip=//g' | \
>         sort | \
>         uniq | \
>         egrep -v '(^192\.168\.|^10\.8\.)' `
> At the moment it gives me a list like :
> That is yesterday's list and are all Telstra mobile CGNAT addresses. I'd
> like to be able to filter those based on the known Telstra subnets and just
> leave the outliers (like the continuous stream of Russian bots hitting the
> EWS port scanning for Exchange vulnerabilities).
> What I'd like to be able to do is replace the final egrep with something
> that can handle subnets (and a list of them), for example :,
> Before I converted the whole thing to python and implemented subnet
> filtering I thought I'd ask and see if anyone has something clever they've
> used/seen.
> Regards,
> Brad
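Added example (not part of either message above): the python route mentioned in the reply, using the standard ipaddress module to drop every oip= address that falls inside a list of CIDR blocks. The subnets and log lines are constructed; reading the original egrep prefixes as /16s is an assumption, and 198.51.100.0/24 is a documentation range standing in for a carrier block.

```python
import ipaddress
import re

# Subnets to drop. The first two mirror the egrep prefixes in the thread (read
# here as /16s, an assumption); the last is an RFC 5737 documentation range used
# as a placeholder for a carrier CGNAT block, not a real allocation.
EXCLUDE = ["192.168.0.0/16", "10.8.0.0/16", "198.51.100.0/24"]

OIP = re.compile(r"oip=([^;]*)")  # same field the grep -o in the thread extracts

def load_networks(cidrs):
    """Parse CIDR strings; strict=False tolerates host bits (e.g. 10.8.1.0/16)."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs if c.strip()]

def outliers(lines, networks):
    """Return sorted unique oip= addresses that fall in none of the networks."""
    seen = set()
    for line in lines:
        for raw in OIP.findall(line):
            try:
                addr = ipaddress.ip_address(raw.strip())
            except ValueError:
                continue  # skip malformed values rather than abort the run
            # An IPv4 address tested against an IPv6 network (or the reverse)
            # is simply "not in", so mixed lists are safe.
            if not any(addr in net for net in networks):
                seen.add(addr)
    # Numeric sort, IPv4 before IPv6 (plain sort(1) would order these as text).
    return [str(a) for a in sorted(seen, key=lambda a: (a.version, int(a)))]

# Constructed sample log lines, shaped only to carry an oip= field.
SAMPLE = [
    "2022-03-14 10:00:01 INFO [name=a@example.com;oip=192.168.1.20;ua=x;] auth",
    "2022-03-14 10:00:02 INFO [name=b@example.com;oip=10.8.3.4;ua=x;] auth",
    "2022-03-14 10:00:03 INFO [name=c@example.com;oip=10.80.1.1;ua=x;] auth",
    "2022-03-14 10:00:04 INFO [name=d@example.com;oip=198.51.100.77;ua=x;] auth",
    "2022-03-14 10:00:05 INFO [name=e@example.com;oip=203.0.113.9;ua=x;] auth",
    "2022-03-14 10:00:06 INFO [name=e@example.com;oip=203.0.113.9;ua=x;] auth",
    "2022-03-14 10:00:07 INFO [name=f@example.com;oip=not-an-ip;ua=x;] auth",
    "2022-03-14 10:00:08 INFO [name=g@example.com;oip=2001:db8::5;ua=x;] auth",
]

if __name__ == "__main__":
    for ip in outliers(SAMPLE, load_networks(EXCLUDE)):
        print(ip)
```

10.80.1.1 is kept because it lies outside 10.8.0.0/16; a prefix regex with unescaped dots such as ^10.8. would have matched it.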