Ubuntu 16.04
GNU bash, version 4.4.0(1)-release

I want to grab all the SYN flood IPs shown in dmesg, put them in a global network ban file, and then send an email to the abuse address listed in the whois info. I was thinking of using awk to print the eighth column, but sometimes the source IP isn't in the eighth column...

Here's some dmesg, trimmed up to SRC=XXX.XXX.XXX.XXX:
```
[1800391.224826] ** TELNET ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=223.81.204.168
[1800404.868879] ** DSHIELD ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=31.192.108.125
[1800425.582939] ** DSHIELD ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=77.72.85.8
[1800441.745708] ** IN_TCP DROP ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=193.29.13.157
[1800442.599621] ** TELNET ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=211.216.76.139
[1800442.763812] ** IN_TCP DROP ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=211.216.76.139
[1800451.809415] ** IN_TCP DROP ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=108.178.16.154
[1800463.639690] ** TELNET ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=49.79.191.158
```
Here's the script I have so far...

```bash
#!/bin/bash
#
#- create temp folder
tmp_dir="$(mktemp -d -t 'text.XXXXX' || mktemp -d 2>/dev/null)"
tmp_input1="${tmp_dir}/temp_input1.txt"
tmp_input2="${tmp_dir}/temp_input2.txt"
tmp_input3="${tmp_dir}/temp_input3.txt"
wDir="/scripts/tools/dmesg"
whoisDir="${wDir}/.whois"
globalbanDir="${wDir}/.globalbans"
now=$(date +%F)
#-- change dirs to work area
mkdir -p "${globalbanDir}"/"${now}"
cd "$wDir" || exit 1
#-- dmesg into a log file
dmesg > "$tmp_input1"
#-- sort + unique + count into logfile
#   $8 is SRC=... on lines with a one-word tag (** TELNET **) but MAC=... on
#   lines with a two-word tag (** IN_TCP DROP **); the sed strips the
#   four-character "SRC="/"MAC=" prefix either way, so MAC addresses leak through
awk '{ print $8 }' "$tmp_input1" | sed 's/^....//' | awk '{print $1}' | sort | uniq -c | sort -n | tail > "$tmp_input2"
#-- awk print 2nd column into log file
awk '{ print $2 }' "$tmp_input2" > "$tmp_input3"
cat "$tmp_input3" > "${globalbanDir}"/"${now}"-banned-ips.txt
cat "$tmp_input3"
```
Now, when I run this script, I also get the MAC address, which I don't want.

```
root@pl /scripts/tools/dmesg # bash .dmesg.sh
11 77.72.82.23
13 188.18.152.184
15 107.170.211.70
15 118.4.255.64
15 125.64.94.201
17 206.189.129.11
17 94.50.122.190
21 202.59.181.105
28 85.93.20.244
712 a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00
```
Instead of using `awk '{ print $8 }'` to grab the eighth column, maybe someone can show me how to use sed to grab all the IPs that follow `SRC=`.

Answer 0 (score: 2)

It's not clear what you're actually asking for help with, but is this what you're looking for?
```
$ awk -F'=' '{print $NF}' file
223.81.204.168
31.192.108.125
77.72.85.8
193.29.13.157
211.216.76.139
211.216.76.139
108.178.16.154
49.79.191.158

$ sed 's/.*=//' file
223.81.204.168
31.192.108.125
77.72.85.8
193.29.13.157
211.216.76.139
211.216.76.139
108.178.16.154
49.79.191.158
```
The above was run against this input file:

```
$ cat file
[1800391.224826] ** TELNET ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=223.81.204.168
[1800404.868879] ** DSHIELD ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=31.192.108.125
[1800425.582939] ** DSHIELD ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=77.72.85.8
[1800441.745708] ** IN_TCP DROP ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=193.29.13.157
[1800442.599621] ** TELNET ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=211.216.76.139
[1800442.763812] ** IN_TCP DROP ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=211.216.76.139
[1800451.809415] ** IN_TCP DROP ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=108.178.16.154
[1800463.639690] ** TELNET ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=49.79.191.158
```
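An added example, not part of the question or of the answer above: a small bash script that anchors on the `SRC=` field name rather than on a column number, so it works whatever the length of the `** ... **` tag and even when `DST=`, `PROTO=` and other fields follow the address. The answer's `sed 's/.*=//'` relies on `SRC=` being the last field, which holds for the trimmed lines in the question but not for full firewall LOG lines. The input lines are constructed for this example (the full-length ones extend the question's format with fields a kernel log target would print), and the function names are my own.

```bash
#!/bin/bash
# Added example (not from the original question or answer): pull the SRC=
# address out of firewall log lines regardless of which column it lands in,
# then count hits per address and produce a plain ban list.

# Constructed sample: full-length lines, so the address is followed by DST=,
# PROTO= and other fields, plus one unrelated kernel message to be ignored.
sample_log='[1800391.224826] ** TELNET ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=223.81.204.168 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=44321 DPT=23 SYN
[1800404.868879] ** DSHIELD ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=31.192.108.125 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=55212 DPT=22 SYN
[1800442.763812] ** IN_TCP DROP ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=211.216.76.139 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=40101 DPT=80 SYN
[1800442.599621] ** TELNET ** IN=eth0 OUT= MAC=a4:bf:01:07:c9:66:00:ff:ff:ff:ff:fa:08:00 SRC=211.216.76.139 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=40102 DPT=23 SYN
[1800500.000000] random kernel message with no firewall fields at all'

# extract_src_ips: print one IPv4 address per input line that carries a SRC= field.
# Matching the field name, not a column position, is what makes this robust;
# the MAC= field cannot match because it contains hex and colons, not dotted quads.
extract_src_ips() {
    grep -oE 'SRC=([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d= -f2
}

# count_src_ips: unique addresses with hit counts, most frequent last,
# printed as "count ip" (uniq -c's leading padding squeezed away).
count_src_ips() {
    extract_src_ips | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# ban_list: just the addresses, one per line, ready for a ban file.
ban_list() {
    count_src_ips | awk '{print $2}'
}

# Stand-alone run over the constructed sample (in real use: dmesg | count_src_ips).
printf '%s\n' "$sample_log" | count_src_ips
```

Feeding `dmesg | ban_list` into the ban file replaces the column-8 pipeline in the question; the unrelated kernel line and the MAC field never reach the output, so nothing but dotted-quad addresses end up in the list.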