[VoiceOps] Parsing VoIP attacker Twitter feed

Brian R briansupport at hotmail.com
Wed May 15 16:37:08 EDT 2013


Thank you for this.  One of our Linux guys helped me out getting it working.  He also made some changes so I figured I'd update here.  I noticed I needed to install mawk and gawk to get it to work.
wget -qO - http://www.twitter.com/efensive |\
   awk '/VoIP/ {print gensub(".*>", "", "G", $3)}'
 
Brian
 
> Date: Wed, 15 May 2013 09:41:31 -0500
> From: joquendo at e-fensive.net
> To: voiceops at voiceops.org
> Subject: [VoiceOps] Parsing VoIP attacker Twitter feed
> 
> Sorry had to start a new thread (Thunderbird filters via
> MS + FreeBSD aren't playing nicely). For those wanting to
> parse out, this is what I would do if I had to/wanted to
> capture from the feed: (one liner)
> 
> wget -qO - http://www.twitter.com/efensive |\
> awk '/VoIP/{print $3}'|sed 's:>: :g'|awk '{print $2}'
> 
> If you wanted to add to say iptables:
> 
> wget -qO - http://www.twitter.com/efensive |\
> awk '/VoIP/{print $3}'|sed 's:>: :g'|sort -u |\
> awk '{print "iptables -A INPUT -s "$2" -j DROP"}'
> 
> Which is a simple iptables rule:
> 
> iptables -A INPUT -s x.x.x.x -j DROP
> 
> I run something similar out of my crontabs @ 15 on the hour
> to parse out unique addresses. I would never bother to
> use REJECT since it wastes time/resources telling an
> attacker: "I'm REJECTING this packet" YMMV.
> 
> The reasoning for grep'ing ('/VoIP/' in awk) is that every
> once in a while I may babble on, or post say APT (the big
> bad Chinese/German/Russian boogeyman) threats in my stream
> as well as malware related hosts/domains as well. This
> ensures that you only get information pertaining to VoIP
> based attackers.
> 
> -- 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
> 
> "Where ignorance is our master, there is no possibility of
> real peace" - Dalai Lama
> 
> 42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
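Added example, not part of either post above: the pipelines in this thread turn whatever text the feed returns into iptables arguments, so a vetting stage between extraction and rule generation is worth having. The function and sample names (emit_drop_rules, sample_tokens) are hypothetical, and the sample tokens are constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example: vet scraped tokens before they become firewall rules.
# emit_drop_rules reads one candidate token per line on stdin and prints
# (does not execute) one DROP rule per unique, valid, routable IPv4 address.
emit_drop_rules() {
    awk '
    NF != 1 { next }                      # blank lines or embedded whitespace
    $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }   # dotted quad only
    {
        split($1, o, ".")
        for (i = 1; i <= 4; i++) {
            # Reject leading zeros (octal ambiguity) and octets above 255.
            if ((o[i] "") != ((o[i] + 0) "") || o[i] + 0 > 255) next
        }
        a = o[1] + 0; b = o[2] + 0
        # Skip ranges that should never be blocked from a public feed:
        # 0/8, RFC 1918 private space, loopback, link-local, multicast/reserved.
        if (a == 0 || a == 10 || a == 127 || a >= 224) next
        if (a == 172 && b >= 16 && b <= 31) next
        if (a == 192 && b == 168) next
        if (a == 169 && b == 254) next
        if (seen[$1]++) next              # de-duplicate, keeping feed order
        print "iptables -A INPUT -s " $1 " -j DROP"
    }'
}

# Constructed sample input (documentation addresses plus malformed tokens).
sample_tokens() {
    printf '%s\n' 203.0.113.7 203.0.113.7 198.51.100.23 10.0.0.5 \
        999.1.1.1 0.0.0.0/0 '203.0.113.9;reboot' '' example.org \
        192.168.1.1 203.0.113.010
}

sample_tokens | emit_drop_rules
```

The function only prints rules. Since -A appends on every run, a cron job reusing it would accumulate duplicates across runs unless existing rules are checked first (iptables -C) or the chain is rebuilt.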
 		 	   		  