[netsa-tools-discuss] Deprecated switch "--pair-top-threshold=1" how to use for detecting malware activity

asad a.alii85 at gmail.com
Thu Sep 24 05:58:58 EDT 2015


Thanks a lot:) You guys are the best.

On Mon, Sep 21, 2015 at 5:50 PM, Angela Horneman <ahorneman at cert.org> wrote:

> To get the list of source addresses that have contacted at least 100:
>
> rwfilter --type=out \
>          --start=2004/6/29:17 \
>          --proto=6 --dport=445 \
>          --pass=stdout | \
> rwuniq --fields=sip --dip-distinct=100
>
>
> To get the count:
>
> rwfilter --type=out \
>          --start=2004/6/29:17 \
>          --proto=6 --dport=445 \
>          --pass=stdout | \
> rwuniq --fields=sip --dip-distinct=100 | wc -l
>
> -----Original Message-----
> From: netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org [mailto:
> netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org] On Behalf Of asad
> Sent: Monday, September 21, 2015 5:20 AM
> To: netsa-tools-discuss at cert.org
> Subject: [netsa-tools-discuss] Deprecated switch "--pair-top-threshold=1"
> how to use for detecting malware activity
>
> Hello,
>
> I'm using the following command:
>
> rwfilter --type=out \
>          --start=2004/6/29:17 \
>          --proto=6 --dport=445 \
>          --pass=stdout | \
> rwstats --pair-top-threshold=1 | \
> gawk -F"|" '{print $1}' | sort | \
> uniq -c | sort -nr | head
>
> Using this command, I want to know the number of IP addresses that contacted
> more than 100 unique destinations in a single hour.
>
> But the cmd output says "--pair-top-threshold" command not found. Thanks.
>
> regards
> asad
>
>
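The check rwuniq performs above (distinct destination IPs per source on TCP/445, thresholded at 100 within an hour) carried out over rwcut-style text, as an added example that is not SiLK code or code from the thread; the column order and the sample flows are assumed and constructed.

```python
"""Count distinct TCP/445 destinations per source and hour, the check that
rwuniq --fields=sip --dip-distinct=100 performs, over rwcut-style text.
Added example, not SiLK code; field layout and sample flows are assumed."""
from collections import defaultdict
from datetime import datetime

# Assumed rwcut column order (rwcut --fields=sIP,dIP,sPort,dPort,protocol,sTime).
FIELDS = ("sip", "dip", "sport", "dport", "proto", "stime")

def parse_flow(line):
    """Split one pipe-delimited rwcut line into a dict; None for the header or blank lines."""
    parts = [p.strip() for p in line.strip("\n").split("|")]
    if len(parts) < len(FIELDS) or not parts[4].isdigit():
        return None
    return dict(zip(FIELDS, parts))

def distinct_dips_per_hour(lines, proto=6, dport=445):
    """Map (sip, hour bucket) -> set of distinct destination IPs for flows matching proto/dport."""
    seen = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f is None or int(f["proto"]) != proto or int(f["dport"]) != dport:
            continue
        # sTime looks like 2004/06/29T17:03:00.000; bucket on the hour, as --start=...:17 does.
        hour = datetime.strptime(f["stime"][:19], "%Y/%m/%dT%H:%M:%S").strftime("%Y/%m/%dT%H")
        seen[(f["sip"], hour)].add(f["dip"])
    return seen

def sources_over_threshold(lines, threshold=100):
    """Return {(sip, hour): count} for sources that reached >= threshold distinct dIPs in that hour."""
    return {key: len(dips) for key, dips in distinct_dips_per_hour(lines).items()
            if len(dips) >= threshold}

def constructed_flows():
    """Constructed sample: one host sweeping 120 hosts on 445, one normal host, one busy non-445 host."""
    rows = ["sIP|dIP|sPort|dPort|pro|sTime|"]
    for i in range(120):
        rows.append(f"10.0.0.5|192.168.1.{i}|49152|445|6|2004/06/29T17:{i % 60:02d}:00.000|")
    rows.append("10.0.0.7|192.168.1.1|50000|445|6|2004/06/29T17:05:00.000|")
    rows.append("10.0.0.7|192.168.1.2|50001|445|6|2004/06/29T17:06:00.000|")
    for i in range(150):  # many destinations, but on port 80, so it must not be reported
        rows.append(f"10.0.0.9|192.168.2.{i}|40000|80|6|2004/06/29T17:10:00.000|")
    return rows

if __name__ == "__main__":
    for (sip, hour), n in sorted(sources_over_threshold(constructed_flows()).items()):
        print(f"{sip} contacted {n} distinct hosts on TCP/445 during {hour}")
```

Piping real data through it is the same shape as the thread's command: rwfilter ... --pass=stdout | rwcut --fields=sIP,dIP,sPort,dPort,protocol,sTime, then feed the lines to sources_over_threshold.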

