-
Notifications
You must be signed in to change notification settings - Fork 13
/
log.sh
executable file
·123 lines (111 loc) · 3.67 KB
/
log.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# Function to check if reverse DNS contains unwanted domains
filter_reverse_dns() {
if [[ "$1" == *"linodeusercontent.com"* || "$1" == *"amazonaws.com"* ]]; then
return 0 # Return 0 if the reverse DNS contains unwanted domains
else
return 1 # Return 1 otherwise
fi
}
# Function to display help
display_help() {
echo "Usage: log.sh [OPTIONS]"
echo "Options:"
echo " -l, --log-type TYPE Set the log type (api, ransomware, data)"
echo " -c, --clean Clean option to filter unwanted domains"
echo " -r, --rss Only rss feed (only with -l ransomware)"
echo " -h, --help Display this help message"
exit 0
}
# Function to fetch netname from whois
get_netname() {
netname=$(whois "$1" | grep -i "netname:" | awk -F ':' '{print $2}' | tr -d '[:space:]')
echo "$netname"
}
# Function to fetch country from IP
get_country() {
#country=$(curl -s "https://ipinfo.io/$1/country")
country=$(whois "$1" | grep -m 1 -i "country:" | awk -F ':' '{print $2}' | tr -d '[:space:]')
echo "$country"
}
# Set default log type and RSS option
log_type="ransomware"
rss_option=false
clean_option=false
# Validate and handle command line arguments
while [[ $# -gt 0 ]]; do
case $1 in
-l|--log-type)
shift
log_type=$1
if [[ ! $log_type =~ ^(api|ransomware|data)$ ]]; then
echo "Invalid argument for -l. Use 'api', 'ransomware', or 'data'."
exit 1
fi
;;
-c|--clean)
clean_option=true
;;
-r|--rss)
if [[ $log_type != "ransomware" ]]; then
echo "--rss option only works with -l ransomware."
exit 1
fi
rss_option=true
;;
-h|--help)
display_help
;;
*)
echo "Unknown option: $1"
exit 1
;;
esac
shift
done
# Function to process IPs based on options
process_ips() {
while read -r count ip; do
reverse_dns=$(host "$ip" | awk '/pointer/ {print $5}' | head -n 1)
if $clean_option; then
if ! filter_reverse_dns "$reverse_dns"; then
netname=$(get_netname "$ip")
country=$(get_country "$ip")
echo "IP: $ip - Occurrences: $count - Reverse DNS: ${reverse_dns:-Not available} - Netname: ${netname:-Not available} - Country: ${country:-Not available}"
fi
else
netname=$(get_netname "$ip")
country=$(get_country "$ip")
echo "IP: $ip - Occurrences: $count - Reverse DNS: ${reverse_dns:-Not available} - Netname: ${netname:-Not available} - Country: ${country:-Not available}"
fi
done <<< "$sorted_ips"
}
# Determine log file based on log type
case $log_type in
api)
log_file="/var/log/nginx/api.access.log"
;;
ransomware)
log_file="/var/log/nginx/ransomware.access.log"
;;
data)
log_file="/var/log/nginx/data.access.log"
;;
*)
echo "Invalid log type. Use 'api', 'ransomware', or 'data'."
exit 1
;;
esac
local_ipv6=$(ip -6 addr show | grep -oP '(?<=inet6 )[a-f0-9:]+(?=/56 scope global)' | grep -v '^fe80')
if $rss_option; then
ips_with_count=$(grep rss.xml "$log_file" | awk '{print $1}' | sort | uniq -c)
else
ips_with_count=$(awk '{print $1}' "$log_file" | sort | uniq -c)
fi
# Sorting IPs by occurrence
if [ -z "$local_ipv6" ]; then
sorted_ips=$(echo "$ips_with_count" | sort -nr)
else
sorted_ips=$(echo "$ips_with_count" | sort -nr | grep -v "$local_ipv6")
fi
# Process IPs based on options
process_ips