[Bro] number of connections to the same port in 100 connections
Azoff, Justin S
jazoff at illinois.edu
Thu Jun 30 11:03:21 PDT 2016
> On Jun 30, 2016, at 1:30 PM, Salman, Tara <tara.salman at wustl.edu> wrote:
>
> Hi everyone,
> I am trying to find the number of connections having the same source IP and destination port in the last 100 connections using Bro commands.
> I managed to get the number in all connections using:
> bro-cut id.orig_h id.orig_p < conn.log | sort | uniq -c | sort -rn
>
> which is working fine, but I need to modify this to include only the last 100 connections in the log file. Is there a way to do that?
>
> Thanks in advance
Give this a try:
(head -n 8 conn.log; tail -n 100 conn.log) | bro-cut id.orig_h id.orig_p | sort | uniq -c | sort -rn
You need the first 8 lines for the header so bro-cut works.
--
- Justin Azoff
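
Added example, not part of the original thread or of Bro itself: a closed or rotated Bro ASCII log ends with a "#close" line, so a plain tail -n 100 can include it, and the header length is hard-coded above. This sketch drops all "#" metadata lines before taking the last N records and finds the columns from the "#fields" line, so it does not need bro-cut. The function names and the sample log are constructed for illustration, and it goes slightly beyond the reply by letting you pick the two fields (for example id.resp_p for the destination port).

```shell
#!/bin/sh
# last_n_pairs LOGFILE N FIELD_A FIELD_B   (hypothetical helper name)
# Prints "count<TAB>FIELD_A<TAB>FIELD_B" for the last N records, highest first.
last_n_pairs() {
    log=$1; n=$2; fa=$3; fb=$4
    # Metadata lines start with '#'; everything else is a connection record.
    # Filtering them out before tail keeps "#close" out of the last-N window.
    { grep '^#fields' "$log"; grep -v '^#' "$log" | tail -n "$n"; } |
    awk -F '\t' -v fa="$fa" -v fb="$fb" '
        /^#fields/ {
            # "#fields<TAB>ts<TAB>uid...": the name in $i labels data column i-1
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            next
        }
        !((fa in col) && (fb in col)) {
            print "missing #fields header or unknown field" > "/dev/stderr"
            bad = 1; exit 2
        }
        { count[$(col[fa]) "\t" $(col[fb])]++ }
        END { if (!bad) for (k in count) print count[k] "\t" k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2
}

# Constructed sample log (reduced field set, documentation addresses).
write_sample_log() {
    {
        printf '#path\tconn\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\n'
        printf '#types\ttime\tstring\taddr\tport\taddr\tport\n'
        printf '1.0\tC1\t10.0.0.1\t40000\t192.0.2.9\t80\n'
        printf '2.0\tC2\t10.0.0.2\t40001\t192.0.2.9\t443\n'
        printf '3.0\tC3\t10.0.0.1\t40002\t192.0.2.9\t80\n'
        printf '4.0\tC4\t10.0.0.2\t40003\t192.0.2.9\t443\n'
        printf '5.0\tC5\t10.0.0.2\t40004\t192.0.2.9\t443\n'
        printf '#close\t2016-06-30-00-00-00\n'
    } > "$1"
}
```

Usage: last_n_pairs conn.log 100 id.orig_h id.resp_p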