[Bro] Simple way to get a combined unique IP list from an arbitrary date range
charles.a.fair at gmail.com
Thu Jan 19 09:56:14 PST 2017
Help with this would be greatly appreciated. I am trying to figure out a simple way to get a combined unique IP list from an arbitrary date range. I want the unique IP addresses as a single list from the conn.log fields ip.orig_h and ip.resp_h. Answering questions like "give me the unique IPs from the past 7/14/30/60/90 days" would be quite tedious this way.
I can do it manually, as in the example below, using a temp file for the working data.
# Create a single list of all unique IP addresses with a
# sorted descending count from the
# conn.log consisting of id.orig_h and id.resp_h
# (the conn.log field names bro-cut knows; ip.orig_h does not exist)
# for a given five day period
zcat 2016-01-01/conn.* 2016-01-02/conn.* 2016-01-03/conn.* 2016-01-04/conn.* 2016-01-05/conn.* | bro-cut id.orig_h > /tmp/tempalluniqip.txt
zcat 2016-01-01/conn.* 2016-01-02/conn.* 2016-01-03/conn.* 2016-01-04/conn.* 2016-01-05/conn.* | bro-cut id.resp_h >> /tmp/tempalluniqip.txt
# sort -n only orders by the first octet, and a plain sort is all uniq needs;
# sort -rn on the counts gives the descending order the comment asks for
sort /tmp/tempalluniqip.txt | uniq -c | sort -rn > /tmp/alluniqip.txt
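One way to script the "past N days" part so the date list is generated rather than typed, as an added example that is not part of the original post or of the Bro project. It assumes Bro's default rotated layout (ROOT/YYYY-MM-DD/conn.*, gzipped or plain) and GNU date; the function names conn_ips, ip_counts_for_days, ip_counts_last_days and make_sample_logs are hypothetical, and the two-day conn.log corpus that make_sample_logs writes is constructed for the demo, not real traffic. Instead of bro-cut it reads the column positions from the #fields header with awk, which is what bro-cut does and means the script runs on a box where bro-cut is not installed.

```bash
#!/bin/sh
# Added example (not the original poster's or Bro's code). Layout assumed:
# ROOT/YYYY-MM-DD/conn.*  (plain or .gz), Bro's default log rotation.

# conn_ips FILE...: print id.orig_h and id.resp_h for every connection in the
# given conn.log files. Column numbers come from the #fields header line, so
# the script does not depend on a fixed column order.
conn_ips() {
  for cf in "$@"; do
    case "$cf" in
      *.gz) gzip -dc "$cf" ;;
      *) cat "$cf" ;;
    esac
  done | awk -F '\t' '
    /^#fields/ {
      o = r = 0
      for (i = 2; i <= NF; i++) {      # $1 is "#fields", so data column = i - 1
        if ($i == "id.orig_h") o = i - 1
        if ($i == "id.resp_h") r = i - 1
      }
      next
    }
    /^#/ { next }                       # #separator, #types, #close, ...
    o && r { print $o; print $r }
  '
}

# ip_counts_for_days ROOT DAY...: unique IP list with descending hit counts
# over the listed day directories. Days with no conn.* files are skipped.
ip_counts_for_days() {
  root=$1; shift
  for d in "$@"; do
    for f in "$root/$d"/conn.*; do
      [ -e "$f" ] && conn_ips "$f"
    done
  done | sort | uniq -c | sort -rn
}

# ip_counts_last_days N [ROOT]: the same over the past N days, today included.
# Uses GNU date; on BSD/macOS use: date -v-"$i"d +%F
ip_counts_last_days() {
  n=$1; root=${2:-.}; i=0; days=""
  while [ "$i" -lt "$n" ]; do
    days="$days $(date -d "-$i days" +%F)"
    i=$((i + 1))
  done
  ip_counts_for_days "$root" $days
}

# make_sample_logs ROOT: write a constructed two-day corpus in Bro's TSV
# layout (one day gzipped, one plain) so the functions can be exercised offline.
make_sample_logs() {
  root=$1
  mkdir -p "$root/2016-01-01" "$root/2016-01-02"
  hdr=$(printf '#separator \\x09\n#path\tconn\n#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n#types\ttime\tstring\taddr\tport\taddr\tport\tenum')
  {
    printf '%s\n' "$hdr"
    printf '1451606400.000000\tC1\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\n'
    printf '1451606401.000000\tC2\t10.0.0.5\t51001\t192.0.2.10\t443\ttcp\n'
    printf '1451606402.000000\tC3\t10.0.0.7\t51002\t192.0.2.10\t80\ttcp\n'
    printf '#close\t2016-01-01-01-00-00\n'
  } > "$root/2016-01-01/conn.00:00:00-01:00:00.log"
  gzip -f "$root/2016-01-01/conn.00:00:00-01:00:00.log"
  {
    printf '%s\n' "$hdr"
    printf '1451692800.000000\tC4\t10.0.0.5\t51003\t198.51.100.3\t22\ttcp\n'
    printf '1451692801.000000\tC5\t10.0.0.9\t51004\t192.0.2.10\t443\ttcp\n'
    printf '#close\t2016-01-02-01-00-00\n'
  } > "$root/2016-01-02/conn.00:00:00-01:00:00.log"
}

# Stand-alone demo on the constructed corpus; in production you would run
# something like: ip_counts_last_days 30 /usr/local/bro/logs
demo_root=$(mktemp -d)
make_sample_logs "$demo_root"
ip_counts_for_days "$demo_root" 2016-01-01 2016-01-02   # top lines: 4 192.0.2.10, 3 10.0.0.5
rm -r "$demo_root"
```

The sort on the raw IP list is only there to feed uniq; if you want the final list ordered by address rather than by count, pipe it through sort -V (GNU) or a key on each octet instead of sort -n, which only looks at the first octet.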