Threat Level: Infocon green

Linux Kernel Logs

Regular Expression to parse KERNEL style logs

sub parse_line {
    my $line;
    my ($month,$day,$date,$action,$proto,$source,$sourceport,$target,$targetport);
    ($month,$day,$action,$proto,$source,$sourceport,$target,$targetport) =
        /(\w+) +(\d+) \d\d:\d\d:\d\d \w+ kernel: Packet log: \w+ (\w+) \w+ PROTO=(\d+) (\d+\.\d+\.\d+.\d+):(\d+) (\d+\.\d+\.\d+.\d+):(\d+)/i;
#        Month  day      HH:MM:SS hostname                chain act. if      protocol     sourceip     s.port     targetip       t.port
    $month=$Months{uc($month)};
    $proto=getprotobyname($proto) unless $proto=~/\d/;
    if ( $month && $day && $source && $sourceport && $target && $targetport && $proto && ($action ne 'ACCEPT')  ) {
        $line= "$year-$month-$day\t$author\t%%COUNT%%\t$source\t$sourceport\t$target\t$targetport\t$proto\n";
    }
    return $line;
};
site/port/ip search:

Get ISC Swag!!

Advertisment

Security News Feeds

InternetStormCenter
SANS Newsbites
SANS @Risk

Diary Archives

Apple Security Advisory 2012-001 v1.1 - by: Scott Fendley (2012-02-04)

Critical PHP bug patched - by: Johannes Ullrich (2012-02-03)

Sophos 2012 Security Threat Report - by: Guy Bruneau (2012-02-03)

View Diary Archives

Search Diaries:

SANS Institute

View our Privacy Policy

Contact Us

Phone: (757) SANS-ISC (726-7472) - Voice Mail Only
Web Contact: handlers@isc.sans.edu
Report Bugs: Sourceforge Project
Debug Info: Browser Debug Info

"The experiences gained in the SANS Technology Institute program have helped me advance in IBM, taking a more public facing role."
- Jerome Radcliffe, SANS Technology Institute Student

"SANS is a 'giving back to the community factory.' SANS encourages and fosters growing security awareness and growing the security community."
- Rob VandenBrink, Alumni of SANS Technology Institute