[VoiceOps] Parsing VoIP attacker Twitter feed

J. Oquendo joquendo at e-fensive.net
Wed May 15 10:41:31 EDT 2013

Sorry had to start a new thread (Thunderbird filters via
MS + FreeBSD aren't playing nicely). For those wanting to
parse out, this is what I would do if I had to/wanted to
capture from the feed: (one liner)

wget -qO - http://www.twitter.com/efensive |\
awk '/VoIP/{print $3}'|sed 's:>: :g'|awk '{print $2}'

If you wanted to add to say iptables:

wget -qO - http://www.twitter.com/efensive |\
awk '/VoIP/{print $3}'|sed 's:>: :g'|sort -u |\
awk '{print "iptables -A INPUT -s "$2" -j DROP"}'

Which is a simple iptable rule:

iptables -A INPUT -s x.x.x.x -j DROP

I run something similar out of my crontabs @ 15 on the hou
to parse out unique addresses. I would never bother to
use REJECT since it wastes time/resources telling an
attacker: "I'm REJECTING this packet" YMMV.

The reasoning for grep'ing ('/VoIP/' in awk) is that every
once in a while I may babble on, or post say APT (the big
bad Chinese/German/Russian boogeyman) threats in my stream
as well as malware related hosts/domains as well. This
ensures that you only get information pertaining to VoIP
based attackers.

J. Oquendo

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF

More information about the VoiceOps mailing list