Using Awk to Search Bro Log for IPs/Keywords Found in Online Text File

I am examining Bro logs and would like to find a way to use AWK to grab IPs from a tracker link and search the Bro logs for those IPs automatically, printing the results of each match into a [custom-name].txt file.

MORE INFO:

I am new to awk but trying to piece things together. I am not beholden to awk if there is a better way to do this. Efficient would be good.

Right now I am manually using an Excel function to concatenate the column of bad IPs (which are updated regularly from the link) into a super long awk OR string:

    cat http* | awk '/123.456.789.012/ || /2nd IP/ || /3rd IP/' | sort -n > file.txt

Currently, the http.log has the normal Bro headers... TS UID ID.orig_h ID.orig_p etc.

In layman's terms, what I'm trying to do is:

If the IP on line 1 of the link is found in http.log, print results to line_1_ip.txt; if the IP on line 2 of the link is found in http.log, print results to line_2_ip.txt, etc.

A snippet of the IPs would look like:

    #############################################################################################
    # abuse.ch ZeuS IP blocklist "BadIPs" (excluding hijacked sites and free hosting providers) #
    # #
    # For questions please refer to https://zeustracker.abuse.ch/blocklist.php #
    #############################################################################################

    103.230.84.239
    103.241.0.100
    103.26.128.84
    103.4.52.150
    103.7.59.135
    104.218.48.99
    104.219.232.12
    104.236.55.19
    107.150.58.84
    108.61.193.211

It is just a text file.

When it comes to actually referencing a remote webpage to pull IPs from, I am honestly not sure where to even start. But if I can get it to pull from a local text file, that will give me a starting point from which to work.

text-processing awk bro






edited 4 hours ago by Glorfindel

asked May 2 '15 at 7:43 by user112802

  • What is the format of those log files? What output do you expect exactly? Show us what you've got so far too so we can help you make it work.
    – Mat, May 2 '15 at 7:52

  • Does it need to be with awk? The same can be done with a simple for loop and grep.
    – Romeo Ninov, May 2 '15 at 8:06

  • Please edit your question and i) include a sample of your tracker file (don't expect us to open random links in order to help you; you can use the formatting tools to format it as code); ii) include a sample of these "Bro logs"; iii) show us the output you would like to have from those files; iv) show us what you've tried so far so we don't give you the same solutions and so we know you've actually put some effort into it and don't expect other people to just do your work for you. If you edit to add all these, your question can be reopened.
    – terdon, May 2 '15 at 9:03

  • @terdon, I have updated the post. Please advise if you still need more information.
    – user112802, May 3 '15 at 8:42

  • That's much better, thanks. Also, it wasn't an issue with the specific link you posted, we just like to have all information needed to answer the question here. Could you also show us an example of your BRO logs? What are the http* files you are cat-ing? Are those the logs?
    – terdon, May 4 '15 at 13:07


2 Answers

I'm not entirely sure on what you want to parse since I haven't seen the input format but, if you just want to read a list of IPs and print to the corresponding output file, you could try this:

    awk 'NR==FNR{a[$1]=NR; next} {
        for(ip in a){
            if($0~ip){
                print >> "line_"a[ip]"_ip.txt"
            }
        }
    }' <(wget -O - "https://zeustracker.abuse.ch/blocklist.php?download=badips" 2>/dev/null |
         grep -Ev "#|^ *$") http.log

That's a little complex though, so let's break it down:

  • wget -O - "https://zeustracker.abuse.ch/blocklist.php?download=badips" 2>/dev/null | grep -Ev "#|^ *$" : this will download the list of IPs, remove any lines that contain # or are empty and print to standard output.

  • <(command) : This is called process substitution and is a trick that some shells (bash, zsh and ksh, but maybe others as well) have which enables you to treat the output of a process as an input file to another command.

  • So, the awk snippet sees two "files", the first is the output of the wget command piped through grep and the second is the http.log file.

  • NR==FNR{a[$1]=NR; next} : NR is the current input line number and FNR is the same but of the current file. The two will be equal only while the first file is being read. This will, therefore, create the array a whose keys are the IPs and whose value is the current line number.

  • for(ip in a) : iterate over the a array, saving each of its keys (the IPs) as ip.

  • if($0~ip){} : if this line ($0) matches this ip.

  • print >> "line_"a[ip]"_ip.txt" : print the line into a file called line_, the number of the input line where this IP was seen and _ip.txt. The >> ensures that the file is appended to and not overwritten.

answered May 4 '15 at 14:26 by terdon

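The same per-line-number split as an added example (my code, not terdon's): it reads a local copy of the blocklist, which is the starting point the question asks for, numbers the IPs the way the answer's NR==FNR trick does (comments and blank lines removed), and writes hits to line_N_ip.txt. Two deliberate differences from the answer: the IP is compared as an exact value of the id.orig_h / id.resp_h fields rather than as a regex over the whole line, so the unescaped dots in 103.4.52.15 cannot match 103.4.52.150, and no process substitution is used, so it runs under a plain POSIX sh as well as bash. The file names badips.txt and http.log, the extra list entry 103.4.52.15 and the log rows are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the answer above. Sample data and file names
# are constructed. To fetch the live list into the local file instead:
#   curl -fsS 'https://zeustracker.abuse.ch/blocklist.php?download=badips' -o badips.txt

# Write a constructed abuse.ch-style blocklist and a constructed Bro http.log into $1.
make_sample_data() {
    dir=$1
    cat > "$dir/badips.txt" <<'EOF'
# abuse.ch ZeuS IP blocklist "BadIPs" (constructed excerpt for this demo)

103.230.84.239
103.4.52.15
104.236.55.19
EOF
    # Bro http.log is tab-separated: ts uid id.orig_h id.orig_p id.resp_h id.resp_p host uri
    {
        printf '#separator \\x09\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\thost\turi\n'
        fmt='%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n'
        printf "$fmt" 1430548800.1 C1 10.0.0.5 51234 103.230.84.239 80   example.test /gate.php
        printf "$fmt" 1430548801.2 C2 10.0.0.6 51235 93.184.216.34  80   example.test /
        printf "$fmt" 1430548802.3 C3 10.0.0.7 51236 104.236.55.19  80   example.test /cfg.bin
        printf "$fmt" 1430548803.4 C4 10.0.0.8 51237 103.4.52.150   80   example.test /
        printf "$fmt" 1430548804.5 C5 10.0.0.9 51238 103.230.84.239 8080 example.test /ping
    } > "$dir/http.log"
}

# Append every log line whose originator ($3) or responder ($5) is on the list
# to $outdir/line_<N>_ip.txt, N being the IP's line number in the filtered list.
split_hits_by_ip() {
    blocklist=$1; log=$2; outdir=$3
    awk -F '\t' -v outdir="$outdir" '
        NR == FNR {                       # first file: the blocklist
            sub(/[ \t\r]+$/, "")          # drop trailing spaces and CRLF from downloads
            if ($0 == "" || $0 ~ /^#/) next
            n++; lineno[$0] = n           # key: IP, value: its filtered line number
            next
        }
        /^#/ { next }                     # second file: skip Bro header/footer lines
        {
            for (i = 3; i <= 5; i += 2) { # $3 = id.orig_h, $5 = id.resp_h
                if ($i in lineno) {       # exact field comparison, not a regex
                    f = outdir "/line_" lineno[$i] "_ip.txt"
                    print >> f
                    close(f)              # do not keep one fd open per output file
                }
            }
        }
    ' "$blocklist" "$log"
}

# Number of lines written for the IP on filtered blocklist line $2 (0 if no file).
hit_count() {
    if [ -f "$1/line_$2_ip.txt" ]; then
        wc -l < "$1/line_$2_ip.txt" | tr -d ' '
    else
        echo 0
    fi
}

# Demo run: line_1_ip.txt gets two rows, line_3_ip.txt one, line_2_ip.txt is not created.
demo=$(mktemp -d)
make_sample_data "$demo"
split_hits_by_ip "$demo/badips.txt" "$demo/http.log" "$demo"
for f in "$demo"/line_*_ip.txt; do echo "== $f"; cat "$f"; done
rm -r "$demo"
```

Matching on the two address columns rather than on the whole line is a choice: the asker's `awk '/ip/'` would also fire when the address appears in the host or uri field, which may or may not be wanted; widening the loop to more columns is a one-line change.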
Note that bro comes with bro-cut to extract data from its log files.

You could do:

    bro-cut id.orig_h id.resp_h < conn.log | grep -wFf <(
      curl 'https://zeustracker.abuse.ch/blocklist.php?download=badips' |
        grep '^[^#]'
    )

With awk:

    awk '
      NR == FNR {
        if (/^[^#]/) bad[$0]=""
        next
      }
      ($1 in bad) || ($2 in bad)
    ' <(curl 'https://zeustracker.abuse.ch/blocklist.php?download=badips') \
      <(bro-cut id.orig_h id.resp_h < conn.log)

(more efficient as it uses hash tables instead of painstaking string matching in a loop).

Also note that the Emerging Threats rule-set has rules that track those ZeuS tracker lists (and others). So if you use snort/suricata with that rule set in addition to bro-ids, doing it with bro would end up being redundant.


  • Sorry for the delayed response. I like the idea of grep -wFf <( curl 'zeustracker.abuse.ch/blocklist.php?download=badips' | grep '^[^#]' ) but I'm getting the error -sh: syntax error near unexpected token `(' Thoughts?
    – user112802, May 22 '15 at 3:29

  • Dumb question, how do I run multi-line awk commands? I've only ever used awk for single line stuff.
    – user112802, May 22 '15 at 3:36

            answered May 4 '15 at 14:37









            Stéphane Chazelas
            • Sorry for the delayed response. I like the idea of grep -wFf <( curl 'zeustracker.abuse.ch/blocklist.php?download=badips' | grep '^[^#]' ) but I'm getting the error "-sh: syntax error near unexpected token `('". Thoughts?
              – user112802, May 22 '15 at 3:29
            • Dumb question, how do I run multi-line awk commands? I've only ever used awk for single-line stuff.
              – user112802, May 22 '15 at 3:36
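An added example, not code from Stéphane's answer, that carries the same NR == FNR hash-table idea through to the per-IP output files the question asked for. It runs on constructed data embedded in the script (a two-entry blocklist in the abuse.ch layout and four records in the two-column form that bro-cut id.orig_h id.resp_h would produce), and it hands awk plain files rather than <(...) process substitutions, so it runs under POSIX sh as well as bash; the error quoted in the comments is what sh prints when it meets <(, which only bash, ksh and zsh understand. The multi-line awk program is just one single-quoted string: the shell passes the whole text, newlines included, as awk's program argument. The match_bad function, the working directory layout and the sample IPs are this example's own.

```shell
#!/bin/sh
# Added example (not code from the answer above): join a blocklist against
# bro-cut output with an awk hash table, writing matches to one file per bad IP.
# Plain files replace <(...) so this also runs under POSIX sh.

WORK=$(mktemp -d)

# Constructed blocklist in the abuse.ch layout from the question:
# comment header, blank line, one IP per line. Sample values only.
cat > "$WORK/badips.txt" <<'EOF'
#############################################
# constructed sample blocklist (not real)   #
#############################################

103.230.84.239
104.236.55.19
EOF

# Constructed stand-in for `bro-cut id.orig_h id.resp_h < conn.log`:
# tab-separated originator and responder addresses, one connection per line.
printf '%s\t%s\n' \
  10.0.0.5      103.230.84.239 \
  10.0.0.7      93.184.216.34 \
  104.236.55.19 10.0.0.9 \
  10.0.0.5      103.230.84.239 \
  > "$WORK/conn.tsv"

# match_bad BLOCKLIST CONNFILE OUTDIR
# Prints every record whose orig or resp address is on the blocklist and
# writes it to OUTDIR/<ip>.txt. Returns non-zero if the blocklist is empty,
# because an empty first file silently breaks the NR == FNR trick (awk would
# then treat the second file as the blocklist and match nothing).
match_bad() {
  [ -s "$1" ] || { echo "match_bad: blocklist $1 is empty" >&2; return 1; }
  mkdir -p "$3"
  awk -v outdir="$3" '
    # Pass 1 (first file only): load bad IPs into an associative array.
    # Skip comment and blank lines; strip a CR in case the feed is CRLF.
    NR == FNR {
      sub(/\r$/, "")
      if (/^[^#]/) bad[$1] = ""
      next
    }
    # Pass 2: constant-time membership test per field instead of a chain
    # of regex alternatives. Records with both ends listed file under $1.
    {
      hit = ""
      if ($1 in bad) hit = $1
      else if ($2 in bad) hit = $2
      if (hit != "") {
        print
        print > (outdir "/" hit ".txt")   # stays open; one file per bad IP
      }
    }
  ' "$1" "$2"
}

match_bad "$WORK/badips.txt" "$WORK/conn.tsv" "$WORK/out"
```

To use it on real data, replace the two constructed files with the output of curl for the blocklist and of bro-cut for the log; the empty-blocklist guard is what tells you when the download failed instead of letting the run finish with zero matches.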