Monday, September 15, 2008

Identifying the Number of Connections on a Linux Device

I had a problem on one of my security devices whose host operating system was Linux: all I needed was to count the connections per IP address, without identifying the software involved, along with how many new connections each IP was requesting within a given time for SMTP (the protocol or port can be changed to whatever you need, using tcpdump's filter syntax). After some googling and a few changes to the scripts/commands, this is what worked for me.

Run these commands on your consoles to get the desired results.

Number of connections per IP, counting sockets in all states

netstat -nta | cut -b 45-80 | grep -o -P "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" | sort | uniq -c | sort -n -r -k 1,7

Number of connections per IP that are currently in the ESTABLISHED state

netstat -nta | grep ESTABLISHED | cut -b 45-80 | grep -o -P "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" | sort | uniq -c | sort -n -r -k 1,7
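The two netstat pipelines above slice fixed byte columns (cut -b 45-80), which breaks when the output is aligned differently. As an added example that is not part of the original post, this script does the same per-IP counting by splitting each row into fields instead, supports the "all states" and "ESTABLISHED only" views, and flags IPs above a threshold; the sample netstat output embedded in it is constructed for offline use.

```python
"""Count connections per remote IP from `netstat -nta` output (added example)."""
import re
import subprocess
from collections import Counter

# Foreign address column looks like 198.51.100.7:51234; "0.0.0.0:*" (LISTEN) will not match.
IPV4_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$")


def count_by_remote_ip(netstat_output, state=None):
    """Return a Counter of remote IPv4 address -> number of TCP sockets.

    state=None counts every socket state; state="ESTABLISHED" mirrors the grep variant.
    """
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Data rows: Proto Recv-Q Send-Q Local-Address Foreign-Address State
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines, blank lines, udp rows
        m = IPV4_PORT.match(fields[4])
        if not m or (state is not None and fields[5] != state):
            continue
        counts[m.group(1)] += 1
    return counts


def flag_heavy_talkers(counts, threshold):
    """IPs with at least `threshold` sockets, busiest first (like sort | uniq -c | sort -nr)."""
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


# Constructed sample of `netstat -nta` output (not captured from a real host).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.4:40001       TIME_WAIT
tcp        0      0 192.0.2.10:25           203.0.113.4:40002       ESTABLISHED
"""

if __name__ == "__main__":
    # On a live box, feed the real netstat output through the same parser.
    live = subprocess.run(["netstat", "-nta"], capture_output=True, text=True).stdout
    for ip, n in flag_heavy_talkers(count_by_remote_ip(live or SAMPLE), 1):
        print(f"{n:7d} {ip}")
```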

Number of SYN requests received per source IP for SMTP (tcpdump stops after 500 matching packets, and `time` reports how long collecting them took, which gives the rate of new connection attempts)

time /usr/sbin/tcpdump -ns 200 -c 500 '(dst port smtp) and tcp[13] & 2!=0' | grep -o -P '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.\d{1,5}\s\>' | cut -d '.' -f 1-4 | sort | uniq -c | sort -n -r -k 1,7 | head -25
