[netsa-tools-discuss] Deprecated switch "--pair-top-threshold=1" how to use for detecting malware activity

Angela Horneman ahorneman at cert.org
Mon Sep 21 08:50:39 EDT 2015


To get the list of source addresses that have contacted at least 100:

rwfilter --type=out \
         --start=2004/6/29:17 \
         --proto=6 --dport=445 \
         --pass=stdout | \
rwuniq --fields=sip --dip-distinct=100


To get the count:

rwfilter --type=out \
         --start=2004/6/29:17 \
         --proto=6 --dport=445 \
         --pass=stdout | \
rwuniq --fields=sip --dip-distinct=100 --no-titles | wc -l
# --no-titles: otherwise wc -l also counts rwuniq's header row and the count is one too high

-----Original Message-----
From: netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org [mailto:netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org] On Behalf Of asad
Sent: Monday, September 21, 2015 5:20 AM
To: netsa-tools-discuss at cert.org
Subject: [netsa-tools-discuss] Deprecated switch "--pair-top-threshold=1" how to use for detecting malware activity

Hello,

I'm using the following command

rwfilter --type=out \
         --start=2004/6/29:17 \
         --proto=6 --dport=445 \
         --pass=stdout | \
rwstats --pair-top-threshold=1 | \
gawk -F"|" '{print $1}' | sort | \
uniq -c | sort -nr | head

Using this command I want to know the number of IP addresses that contacted more than 100 unique destinations in a single hour.

But the command output says "--pair-top-threshold" command not found. Thanks.

regards
asad
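Added example, not part of the thread and not SiLK code: the reply above relies on rwuniq's --dip-distinct=N threshold, which keeps only sources with at least N distinct destinations, counting each (sip, dip) pair once no matter how many flows it produced. The script below reproduces that logic with awk over a few constructed flow records (sip|dip|proto|dport; the addresses and the threshold of 3 are made up for illustration), so the semantics can be checked without a SiLK data store. In production the same question is answered by `rwfilter ... --pass=stdout | rwuniq --fields=sip --dip-distinct=100 --no-titles | wc -l`; the stand-in functions here mirror that pipeline stage by stage.

```shell
#!/bin/sh
# Constructed flow records (not real traffic): sip|dip|proto|dport.
#  - 10.0.0.5 reaches 3 distinct hosts on TCP/445
#  - 10.0.0.9 reaches 2 distinct hosts on TCP/445, one of them 3 times
#    (repeat flows must not inflate the distinct count)
#  - 10.0.0.7 reaches 3 hosts, but on TCP/80, so the port filter drops it
FLOWS='10.0.0.5|192.168.1.10|6|445
10.0.0.5|192.168.1.11|6|445
10.0.0.5|192.168.1.12|6|445
10.0.0.9|192.168.1.10|6|445
10.0.0.9|192.168.1.10|6|445
10.0.0.9|192.168.1.10|6|445
10.0.0.9|192.168.1.20|6|445
10.0.0.7|192.168.1.30|6|80
10.0.0.7|192.168.1.31|6|80
10.0.0.7|192.168.1.32|6|80'

# filter_smb: stand-in for "rwfilter --proto=6 --dport=445" (keep TCP/445 only).
filter_smb() {
    awk -F'|' '$3 == 6 && $4 == 445'
}

# uniq_sip_distinct_dip THRESHOLD: stand-in for
# "rwuniq --fields=sip --dip-distinct=THRESHOLD --no-titles".
# Prints "sip|distinct-dips" for each source with >= THRESHOLD distinct dips.
uniq_sip_distinct_dip() {
    awk -F'|' -v min="$1" '
        # first time we see this (sip,dip) pair: credit one distinct dip to sip
        !seen[$1 SUBSEP $2]++ { distinct[$1]++ }
        END {
            for (s in distinct)
                if (distinct[s] >= min)
                    printf "%s|%d\n", s, distinct[s]
        }
    ' | sort
}

# sources_over THRESHOLD: the whole pipeline over the constructed flows.
sources_over() {
    printf '%s\n' "$FLOWS" | filter_smb | uniq_sip_distinct_dip "$1"
}

# count_sources_over THRESHOLD: how many sources crossed the threshold.
# There is no header row here, so wc -l is exact (the rwuniq equivalent
# needs --no-titles for the same reason).
count_sources_over() {
    sources_over "$1" | wc -l | tr -d ' '
}

# Stand-alone run: list and count sources with at least 3 distinct TCP/445 peers.
sources_over 3
count_sources_over 3
```

The threshold test is on the number of distinct destinations, not on flow volume; 10.0.0.9 generates more flows than 10.0.0.5 yet scores lower, which is the property that makes this a scan/worm heuristic rather than a top-talkers list.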
