Atermのログを解析する

昨日あたりからしょっちゅうネットが見れなくなって、NECのルータのPPPoE接続をOFF/ONすることで一時的に回復させていた。最初はルータが寿命か?と思ったけど、どうやらそうでもなさそう。

外部からのハッキングについては今まであまり調べたことがなかったんだけど、この機会に調べてみようと思い、TclでAtermのログを解析するスクリプトを書いてみた。

書いた後で気づくのもなんだけど、誰がアクセスしてきてるのか分かったところで、こっちから逆に攻撃するわけにもいかず、大して役に立たない。

強力なルータに変えたら攻撃に耐えられるようになるのだろうか?その辺よく分からない。とりあえず早まってLa Fonera 2.0nを注文してしまった。前から買うつもりだったので、「しまった」というのはわざとらしいですが。

内容的には以下のようなもの。

  1. ログを読み込んで"NAT RX Not Found : TCP"という怪しいログを探す。
  2. その行から送り元のIPアドレスを抽出する。IPアドレスのヒストグラムを作成する。
  3. IPアドレスをwhoisに投げて、ドメインの情報を取得する。
  4. IPアドレスごとに、アクセスランキング、whoisの情報を列挙する。

以下、スクリプト。

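#!/usr/bin/tclsh

# Count the source addresses of "NAT RX Not Found" entries in an Aterm system
# log, print them ranked by hit count, and attach whois fields to each one.
#
# Usage: tclsh ip_extractor.tcl <logfile>
#
# Every backslash in the listing as published had been stripped (d{4}, .?:,
# "$logFilen", "$vart"), so the pattern matched the letter d instead of digits
# and the \n / \t / \" escapes printed literally; they are restored here.

package require http

# Example log
#2010/05/04 02:37:52 NAT RX Not Found : TCP 58.214.9.254 : 29538 > XXX.XXX.XXX.XXX : XXXXX (IP-PORT=7)

# Line layout: <timestamp> <message> <proto> <src ip> : <src port> > <dst ip> : <dst port> <rest>
# The pieces are braced so the regexp escapes reach the engine untouched.
append ptn {^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})}
append ptn { (.+)}
append ptn { (TCP|UDP)}
append ptn { (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*:\s*(\d+)}
append ptn { >}
append ptn { (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*:\s*(\d+)}
append ptn { (.+)$}

# Only lines carrying this message are inbound packets that matched no NAT
# table entry. "NAT RX-INFO" / "NAT TX-INFO" lines belong to connections the
# LAN host opened itself (see the 192.168.x.x > remote:80 TX lines followed by
# remote:80 > local RX-INFO lines in the log) and must not be counted as probes.
set wantedMsg "NAT RX Not Found*"

puts "Regex pattern {$ptn}\n"

array set ipaddr {}

if {$argc == 1} {
	set logFile [lindex $argv 0]
	puts "Extract ip addresses from $logFile\n"
	if {[catch {open $logFile r} ch]} {
		error $ch
	}
} else {
	error "usage: command [logfile]"
}

# gets returns -1 at end of file; the eof-then-gets form produced one extra
# empty iteration per file.
while {[gets $ch line] >= 0} {
	if {$line eq ""} {continue}
	if {![regexp $ptn $line l tim msg ptc sad spt dad dpt ipp]} {
		puts "Not match : $line"
		continue
	}
	# Keep only the entries the report header promises.
	if {![string match $wantedMsg $msg]} {continue}
	# Skip the LAN side. The check is anchored so that public addresses that merely
	# contain "192" somewhere (58.192.x.x, x.x.x.192, ...) are not thrown away.
	if {[regexp {^192\.168\.} $sad]} {continue}
	set key $sad
	if {[info exists ipaddr($key)]} {
		incr ipaddr($key)
	} else {
		set ipaddr($key) 1
	}
}
close $ch

puts ""
puts "Source ip addresses extracted from lines including \"NAT RX Not Found\""
puts "IP address\t: Match count"

set ranklist [list]
foreach {ip cnt} [array get ipaddr] {
	lappend ranklist [list $ip $cnt]
}
#foreach ipcnt [lsort -index 1 -integer -decreasing $ranklist] {
#	foreach {ip cnt} $ipcnt break
#	puts "$ip\t: [format %4d $cnt]"
#}

puts ""

array set countries {}

# Upper bound for one whois lookup, in milliseconds, so that an unreachable
# service cannot hang the whole report.
set whoisTimeout 10000

set rank 1
foreach ipcnt [lsort -index 1 -integer -decreasing $ranklist] {
	foreach {ip cnt} $ipcnt break
	# $ip came out of the dotted-quad capture group above, so it holds only
	# digits and dots and can go straight into the query string.
	set whoisurl "http://whois.ansi.co.jp/?key=$ip"

	puts "---------------------------"
	puts "ip : $ip"
	puts "access count : $ipaddr($ip), rank : $rank"
	incr rank

	# One failed lookup (DNS, connection refused, timeout) must not abort the
	# remaining entries; report it and carry on.
	if {[catch {http::geturl $whoisurl -timeout $whoisTimeout} token]} {
		puts "whois lookup failed : $token"
		continue
	}
	if {[http::status $token] ne "ok"} {
		puts "whois lookup failed : [http::status $token]"
		http::cleanup $token
		continue
	}
	set data [http::data $token]
	http::cleanup $token

	# The fields are printed exactly as the service returned them.
	foreach var {orgname netname descr country} {
		unset -nocomplain $var
		# The backslash is doubled so that \s survives Tcl's own substitution
		# and reaches the regexp engine as a whitespace class.
		regexp -nocase -linestop "${var}:\\s*(.+)" $data d $var

		if {[info exists $var]} {
			puts "$var\t: [set $var]"
			if {$var eq "country"} {
				# The service returns codes in mixed case (CN, tr, ua); fold
				# them so one country does not get two counters.
				set cc [string toupper $country]
				if {[info exists countries($cc)]} {
					incr countries($cc)
				} else {
					set countries($cc) 1
				}
			}
		}
	}
}

# Per-country totals (number of distinct source addresses), most frequent
# first; the tally was previously collected but never printed.
puts ""
puts "---------------------------"
puts "Country\t: Source address count"
set countrylist [list]
foreach {cc n} [array get countries] {
	lappend countrylist [list $cc $n]
}
foreach ccn [lsort -index 1 -integer -decreasing $countrylist] {
	foreach {cc n} $ccn break
	puts "$cc\t: [format %4d $n]"
}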

これにログを読み込ませる。

# Run the extractor on the router log and send the report to a file.
tclsh ip_extractor.tcl system.log 1> analysis.log

読み込ませたファイル。

2010/05/04 05:23:34 NAT RX Not Found : UDP 76.88.224.3 : 55178 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:23:43 NAT RX Not Found : TCP 61.115.131.79 : 58944 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:23:44 NAT RX Not Found : UDP 76.88.224.3 : 55178 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:23:46 NAT RX Not Found : TCP 61.115.131.79 : 58944 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:23:52 NAT RX Not Found : UDP 124.18.199.180 : 6346 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:23:52 NAT RX Not Found : TCP 61.115.131.79 : 58944 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:23:54 NAT RX Not Found : UDP 76.88.224.3 : 55178 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:23:59 NAT RX Not Found : TCP 58.241.15.96 : 46034 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:24:01 NAT RX Not Found : UDP 69.14.100.155 : 33784 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:24:02 NAT RX Not Found : TCP 58.241.15.96 : 46034 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:24:02 NAT RX Not Found : TCP 61.115.131.79 : 59051 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:24:05 NAT RX Not Found : TCP 61.115.131.79 : 59051 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:24:06 NAT RX Not Found : UDP 118.156.206.104 : 24866 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:24:08 NAT RX Not Found : TCP 58.241.15.96 : 46034 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:24:11 NAT RX Not Found : TCP 61.115.131.79 : 59051 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:24:15 NAT TX-INFO  TCP Synchronize Flag OFF : TCP 192.168.121.2 : 31735 > 202.238.95.159 : 80 (IP-PORT=7)
2010/05/04 05:24:47 NAT RX Not Found : UDP 125.206.56.1 : 14912 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:25:02 NAT RX Not Found : TCP 115.177.35.151 : 52035 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:25:05 NAT RX Not Found : TCP 115.177.35.151 : 52035 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:25:11 NAT RX Not Found : TCP 115.177.35.151 : 52035 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:25:30 NAT RX Not Found : TCP 58.241.15.96 : 46411 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:25:33 NAT RX Not Found : TCP 58.241.15.96 : 46411 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:25:39 NAT RX Not Found : TCP 58.241.15.96 : 46411 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:25:50 NAT RX Not Found : TCP 220.14.142.113 : 4536 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:25:52 NAT RX Not Found : TCP 220.14.142.113 : 4536 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:25:58 NAT RX Not Found : TCP 220.14.142.113 : 4536 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:25:59 NAT RX Not Found : UDP 220.14.142.113 : 27521 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:27:00 NAT RX Not Found : UDP 98.212.65.88 : 9803 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:27:19 NAT RX Not Found : TCP 58.241.15.96 : 46863 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:27:22 NAT RX Not Found : TCP 58.241.15.96 : 46863 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:27:28 NAT RX Not Found : TCP 58.241.15.96 : 46863 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:28:11 NAT RX Not Found : UDP 71.71.6.19 : 6583 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:29:16 NAT RX Not Found : TCP 58.241.15.96 : 47359 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:29:19 NAT RX Not Found : TCP 58.241.15.96 : 47359 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:29:25 NAT RX Not Found : TCP 58.241.15.96 : 47359 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:31:18 NAT RX Not Found : TCP 58.241.15.96 : 47864 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:31:21 NAT RX Not Found : TCP 58.241.15.96 : 47864 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:31:27 NAT RX Not Found : TCP 58.241.15.96 : 47864 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:31:47 NAT RX Not Found : UDP 68.45.32.61 : 20285 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:31:57 NAT RX Not Found : UDP 68.45.32.61 : 20285 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:31:58 NAT RX Not Found : UDP 125.206.56.1 : 14912 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:32:03 NAT RX Not Found : UDP 200.204.157.112 : 27440 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:32:07 NAT RX Not Found : UDP 68.45.32.61 : 20285 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:32:11 NAT RX Not Found : TCP 125.230.96.67 : 4128 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:32:25 NAT RX Not Found : UDP 77.160.21.36 : 39670 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:32:30 NAT RX Not Found : UDP 93.65.197.42 : 16939 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:32:52 NAT RX Not Found : UDP 93.39.113.141 : 55035 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:32:57 NAT RX Not Found : UDP 41.234.182.59 : 64906 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:32:57 NAT RX Not Found : UDP 41.201.70.18 : 35774 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:33:04 NAT RX Not Found : UDP 71.61.136.157 : 55844 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:33:06 NAT RX Not Found : TCP 58.241.15.96 : 48308 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:33:07 IP_Filter REJECT UDP 192.168.121.2:138 > 192.168.121.255:138 (IP-PORT=0)
2010/05/04 05:33:08 NAT RX Not Found : TCP 220.24.250.240 : 52600 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:33:09 NAT RX Not Found : UDP 95.132.201.163 : 1398 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:33:09 NAT RX Not Found : TCP 58.241.15.96 : 48308 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:33:14 NAT RX Not Found : TCP 220.24.250.240 : 52600 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:33:15 NAT RX Not Found : TCP 58.241.15.96 : 48308 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:33:16 NAT RX Not Found : UDP 85.229.65.60 : 53895 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:33:22 NAT RX Not Found : UDP 81.227.116.42 : 17116 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:33:28 NAT RX Not Found : UDP 60.241.227.184 : 6800 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:33:34 NAT RX Not Found : UDP 76.8.182.14 : 50162 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:33:42 NAT RX-INFO  TCP Synchronize Flag OFF : TCP 66.249.89.101 : 80 > 123.198.192.200 : 32233 (IP-PORT=7)
2010/05/04 05:33:42 NAT RX-INFO  TCP Synchronize Flag OFF : TCP 66.249.89.101 : 80 > 123.198.192.200 : 32233 (IP-PORT=7)
2010/05/04 05:33:43 NAT RX-INFO  TCP Synchronize Flag OFF : TCP 66.249.89.101 : 80 > 123.198.192.200 : 32233 (IP-PORT=7)
2010/05/04 05:33:43 NAT RX-INFO  TCP Synchronize Flag OFF : TCP 66.249.89.101 : 80 > 123.198.192.200 : 32233 (IP-PORT=7)
2010/05/04 05:33:45 NAT RX-INFO  TCP Synchronize Flag OFF : TCP 66.249.89.101 : 80 > 123.198.192.200 : 32233 (IP-PORT=7)
2010/05/04 05:33:49 NAT RX-INFO  TCP Synchronize Flag OFF : TCP 66.249.89.101 : 80 > 123.198.192.200 : 32233 (IP-PORT=7)
2010/05/04 05:33:56 NAT RX-INFO  TCP Synchronize Flag OFF : TCP 66.249.89.101 : 80 > 123.198.192.200 : 32233 (IP-PORT=7)
2010/05/04 05:34:12 NAT RX Not Found : UDP 202.28.25.7 : 25054 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:34:13 NAT RX Not Found : UDP 119.246.143.103 : 24684 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:34:16 NAT RX Not Found : UDP 24.131.145.99 : 15957 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:34:32 NAT RX Not Found : UDP 88.247.212.138 : 36798 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:34:39 NAT RX Not Found : UDP 114.24.170.29 : 27211 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:34:51 NAT TX-INFO  TCP Synchronize Flag OFF : TCP 192.168.121.2 : 32233 > 66.249.89.101 : 80 (IP-PORT=7)
2010/05/04 05:34:51 NAT RX Not Found : UDP 60.198.85.221 : 19402 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:34:53 NAT TX-INFO  TCP Synchronize Flag OFF : TCP 192.168.121.2 : 32233 > 66.249.89.101 : 80 (IP-PORT=7)
2010/05/04 05:34:58 NAT TX-INFO  TCP Synchronize Flag OFF : TCP 192.168.121.2 : 32233 > 66.249.89.101 : 80 (IP-PORT=7)
2010/05/04 05:34:59 NAT RX Not Found : UDP 88.247.212.138 : 36798 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:35:07 NAT TX-INFO  TCP Synchronize Flag OFF : TCP 192.168.121.2 : 32233 > 66.249.89.101 : 80 (IP-PORT=7)
2010/05/04 05:35:08 NAT RX Not Found : UDP 88.247.212.138 : 36798 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:35:16 NAT RX Not Found : UDP 120.42.90.87 : 1041 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:35:19 NAT RX Not Found : UDP 88.247.212.138 : 36798 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:35:27 NAT TX-INFO  TCP Synchronize Flag OFF : TCP 192.168.121.2 : 32233 > 66.249.89.101 : 80 (IP-PORT=7)
2010/05/04 05:35:29 NAT RX Not Found : UDP 123.225.16.81 : 16789 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:35:44 NAT RX Not Found : UDP 88.195.141.136 : 11095 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:35:48 NAT RX Not Found : TCP 58.241.15.96 : 48975 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:35:51 NAT RX Not Found : TCP 58.241.15.96 : 48975 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:35:56 NAT RX Not Found : TCP 58.241.15.96 : 48975 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:35:57 NAT TX-INFO  TCP Synchronize Flag OFF : TCP 192.168.121.2 : 32233 > 66.249.89.101 : 80 (IP-PORT=7)
2010/05/04 05:35:58 NAT RX Not Found : UDP 24.185.21.194 : 48239 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:36:06 NAT RX Not Found : UDP 71.194.74.86 : 15980 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:36:14 NAT RX Not Found : UDP 82.105.15.163 : 7856 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:36:23 NAT RX Not Found : UDP 71.77.14.235 : 17360 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:36:26 NAT RX Not Found : UDP 87.127.170.17 : 33818 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:36:36 NAT RX Not Found : UDP 83.51.27.231 : 25068 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:36:39 NAT RX Not Found : UDP 211.18.117.156 : 18187 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:37:03 NAT RX Not Found : UDP 84.125.144.29 : 22185 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:37:07 NAT RX Not Found : UDP 62.150.95.185 : 61801 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:37:10 NAT RX Not Found : UDP 123.225.16.81 : 16789 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:37:10 NAT RX Not Found : UDP 90.38.211.48 : 62435 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:37:18 NAT RX Not Found : UDP 123.225.16.81 : 16789 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:37:21 NAT RX Not Found : UDP 92.118.95.86 : 17469 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:37:21 NAT RX Not Found : TCP 58.241.15.96 : 49359 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:37:22 NAT RX Not Found : UDP 91.109.71.128 : 8972 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:37:24 NAT RX Not Found : TCP 58.241.15.96 : 49359 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:37:30 NAT RX Not Found : TCP 58.241.15.96 : 49359 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:37:32 NAT RX Not Found : UDP 123.225.16.81 : 16789 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:37:34 IP_Filter REJECT UDP 192.168.121.2:138 > 192.168.121.255:138 (IP-PORT=0)
2010/05/04 05:37:50 NAT RX Not Found : UDP 115.163.184.50 : 4338 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:37:51 NAT RX Not Found : UDP 206.74.134.37 : 38899 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:37:55 NAT RX Not Found : UDP 206.74.134.37 : 38899 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:38:01 NAT RX Not Found : UDP 206.74.134.37 : 38899 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:38:01 NAT RX Not Found : UDP 98.197.178.199 : 11179 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:38:01 NAT RX Not Found : UDP 79.234.26.90 : 22847 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:38:04 NAT RX Not Found : UDP 95.90.152.213 : 16626 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:38:07 NAT RX Not Found : UDP 84.127.194.139 : 24186 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:38:17 NAT RX Not Found : TCP 111.252.200.10 : 4690 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:38:20 NAT RX Not Found : TCP 111.252.200.10 : 4690 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:38:21 NAT RX Not Found : UDP 41.97.163.60 : 53318 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:38:24 NAT RX Not Found : UDP 114.47.1.36 : 7229 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:38:27 NAT RX Not Found : UDP 204.210.191.101 : 20702 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:38:31 NAT RX Not Found : UDP 189.106.17.175 : 50042 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:38:33 NAT RX Not Found : UDP 206.74.134.37 : 38899 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:38:36 NAT RX Not Found : UDP 84.131.61.33 : 57815 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:38:37 NAT RX Not Found : UDP 204.210.191.101 : 20702 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:38:38 NAT RX Not Found : UDP 78.150.142.253 : 51725 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:38:38 NAT RX Not Found : UDP 75.189.221.232 : 55010 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:38:41 NAT RX Not Found : UDP 189.106.17.175 : 50042 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:38:46 NAT RX Not Found : UDP 118.12.130.29 : 42077 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:38:47 NAT RX Not Found : UDP 204.210.191.101 : 20702 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:38:47 NAT RX Not Found : UDP 203.112.41.190 : 18679 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:38:51 NAT RX Not Found : UDP 189.106.17.175 : 50042 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:38:53 NAT RX-INFO  TCP Synchronize Flag OFF : TCP 202.238.95.159 : 80 > 123.198.192.200 : 32247 (IP-PORT=7)
2010/05/04 05:38:54 NAT RX-INFO  TCP Synchronize Flag OFF : TCP 202.238.95.159 : 80 > 123.198.192.200 : 32247 (IP-PORT=7)
2010/05/04 05:38:55 NAT RX-INFO  TCP Synchronize Flag OFF : TCP 202.238.95.159 : 80 > 123.198.192.200 : 32247 (IP-PORT=7)
2010/05/04 05:39:02 NAT RX Not Found : UDP 189.104.107.206 : 9405 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:39:03 NAT RX Not Found : TCP 123.218.90.84 : 2997 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:39:05 NAT RX Not Found : UDP 84.245.231.224 : 52749 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:39:05 NAT RX Not Found : UDP 118.12.130.29 : 42077 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:39:06 NAT RX Not Found : TCP 123.218.90.84 : 2997 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:39:12 NAT RX Not Found : TCP 123.218.90.84 : 2997 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:39:13 NAT RX Not Found : UDP 119.172.116.20 : 42900 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:39:19 NAT RX Not Found : UDP 118.12.130.29 : 42077 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:39:27 NAT RX Not Found : UDP 204.210.191.101 : 20702 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:39:27 NAT RX Not Found : UDP 82.160.207.5 : 12366 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:39:28 NAT RX Not Found : UDP 90.191.0.62 : 53511 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:39:31 NAT RX Not Found : UDP 189.106.17.175 : 50042 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:39:37 NAT RX Not Found : UDP 204.210.191.101 : 20702 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:39:41 NAT RX Not Found : UDP 189.106.17.175 : 50042 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:39:47 NAT RX Not Found : UDP 204.210.191.101 : 20702 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:39:48 NAT RX Not Found : UDP 70.92.142.238 : 20567 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:39:49 NAT RX Not Found : UDP 203.112.41.190 : 18679 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:39:50 IP_Filter REJECT UDP 192.168.121.2:137 > 192.168.121.255:137 (IP-PORT=0)
2010/05/04 05:39:51 IP_Filter REJECT UDP 192.168.121.2:137 > 192.168.121.255:137 (IP-PORT=0)
2010/05/04 05:39:51 NAT RX Not Found : UDP 119.172.116.20 : 42900 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:39:51 NAT RX Not Found : UDP 189.106.17.175 : 50042 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:39:51 IP_Filter REJECT UDP 192.168.121.2:137 > 192.168.121.255:137 (IP-PORT=0)
2010/05/04 05:39:52 NAT RX Not Found : UDP 124.18.199.180 : 6346 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:39:54 NAT RX Not Found : UDP 190.172.81.242 : 43547 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:39:56 NAT RX Not Found : UDP 85.50.242.196 : 43435 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:39:57 NAT RX Not Found : UDP 41.218.250.83 : 10009 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:39:57 NAT RX Not Found : UDP 92.4.43.46 : 63017 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:39:59 NAT RX Not Found : TCP 123.218.90.84 : 3047 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:40:01 NAT RX Not Found : TCP 203.112.41.190 : 54727 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:40:02 NAT RX Not Found : TCP 123.218.90.84 : 3047 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:40:08 NAT RX Not Found : TCP 123.218.90.84 : 3047 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:40:10 NAT RX Not Found : UDP 123.204.194.226 : 9717 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:40:18 NAT RX Not Found : UDP 61.115.131.79 : 45888 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:40:19 NAT RX Not Found : UDP 118.12.130.29 : 42077 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:40:27 NAT RX Not Found : UDP 204.210.191.101 : 20702 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:40:31 NAT RX Not Found : UDP 189.106.17.175 : 50042 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:40:34 NAT RX Not Found : UDP 112.202.64.49 : 60185 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:40:37 NAT RX Not Found : UDP 204.210.191.101 : 20702 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:40:38 NAT RX Not Found : TCP 124.10.130.99 : 3412 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:40:41 NAT RX Not Found : UDP 189.106.17.175 : 50042 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:40:47 NAT RX Not Found : UDP 204.210.191.101 : 20702 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:40:51 NAT RX Not Found : UDP 189.106.17.175 : 50042 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:41:10 NAT RX Not Found : UDP 87.255.14.75 : 62348 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:41:12 NAT RX Not Found : TCP 220.24.250.240 : 54754 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:41:15 NAT RX Not Found : TCP 220.24.250.240 : 54754 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:41:15 NAT RX Not Found : UDP 89.215.86.234 : 27319 > 123.198.192.200 : 28566 (IP-PORT=7)
2010/05/04 05:41:21 NAT RX Not Found : TCP 220.24.250.240 : 54754 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:41:22 NAT RX Not Found : UDP 220.24.250.240 : 6346 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:41:39 NAT RX Not Found : UDP 61.115.131.79 : 45888 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:41:55 NAT RX Not Found : TCP 58.241.15.96 : 50491 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:41:55 IP_Filter REJECT UDP 192.168.121.2:137 > 192.168.121.255:137 (IP-PORT=0)
2010/05/04 05:41:56 IP_Filter REJECT UDP 192.168.121.2:137 > 192.168.121.255:137 (IP-PORT=0)
2010/05/04 05:41:57 IP_Filter REJECT UDP 192.168.121.2:137 > 192.168.121.255:137 (IP-PORT=0)
2010/05/04 05:41:58 NAT RX Not Found : TCP 58.241.15.96 : 50491 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:42:04 NAT RX Not Found : TCP 58.241.15.96 : 50491 > 123.198.192.200 : 6881 (IP-PORT=7)
2010/05/04 05:42:18 NAT RX Not Found : UDP 125.206.56.1 : 14912 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:42:31 NAT RX Not Found : UDP 189.106.17.175 : 50042 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:42:41 NAT RX Not Found : UDP 189.106.17.175 : 50042 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:42:43 NAT RX Not Found : UDP 118.12.130.29 : 42077 > 123.198.192.200 : 44619 (IP-PORT=7)
2010/05/04 05:42:51 NAT RX Not Found : UDP 189.106.17.175 : 50042 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:43:08 NAT RX Not Found : UDP 121.55.221.252 : 42521 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:43:18 NAT RX Not Found : UDP 121.55.221.252 : 42521 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:43:27 NAT RX Not Found : UDP 204.210.191.101 : 20702 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:43:28 NAT RX Not Found : UDP 121.55.221.252 : 42521 > 123.198.192.200 : 47590 (IP-PORT=7)
2010/05/04 05:43:32 NAT RX Not Found : UDP 61.115.131.79 : 45888 > 123.198.192.200 : 44619 (IP-PORT=7)

結果は以下の通り。トップは北京からアクセスしてきた人みたいです。http://ip.corporationwiki.com/58.241.15.0/

ちなみにwhois情報が表示されていないやつは、日本のドメインだと思います。フォーマットが違うので対応してないです(単に手抜き)。日本からのアクセスはあんまり問題ないかと思って。

Regex pattern {^(d{4}/d{2}/d{2} d{2}:d{2}:d{2}) (.+) (TCP|UDP) (d{1,3}.d{1,3}.d{1,3}.d{1,3}).?:.?(d+) > (d{1,3}.d{1,3}.d{1,3}.d{1,3}).?:.?(d+) (.+)$}

Extract ip addresses from system.log

Source ip addresses extracted from lines including "NAT RX Not Found"
IP address	: Match count

---------------------------
ip : 58.241.15.96
access count : 27, rank : 1
netname	: YONGFENG-ADSL-USER
descr	: YONGFENG ADSL USER,JIANGSU PROVINCE
country	: CN
---------------------------
ip : 189.106.17.175
access count : 12, rank : 2
orgname	: Latin American and Caribbean IP address Regional Registry
netname	: NET189
country	: UY
---------------------------
ip : 204.210.191.101
access count : 10, rank : 3
orgname	: Road Runner HoldCo LLC
netname	: ROAD-RUNNER-4
country	: US
---------------------------
ip : 61.115.131.79
access count : 9, rank : 4
---------------------------
ip : 66.249.89.101
access count : 7, rank : 5
orgname	: Google Inc.
netname	: GOOGLE
country	: US
---------------------------
ip : 123.218.90.84
access count : 6, rank : 6
netname	: OCN
descr	: NTT Communications Corporation
country	: JP
---------------------------
ip : 220.24.250.240
access count : 6, rank : 7
netname	: BBTECH
descr	: Japan nation-wide Network of SOFTBANK BB CORP
country	: JP
---------------------------
ip : 118.12.130.29
access count : 5, rank : 8
netname	: OCN
descr	: NTT Communications Corporation
country	: JP
---------------------------
ip : 123.225.16.81
access count : 4, rank : 9
netname	: OCN
descr	: NTT Communications Corporation
country	: JP
---------------------------
ip : 88.247.212.138
access count : 4, rank : 10
netname	: TurkTelekom
descr	: TT ADSL-alcatel static_aci
country	: tr
---------------------------
ip : 220.14.142.113
access count : 4, rank : 11
netname	: BBTECH
descr	: Japan nation-wide Network of SOFTBANK BB CORP
country	: JP
---------------------------
ip : 206.74.134.37
access count : 4, rank : 12
---------------------------
ip : 125.206.56.1
access count : 3, rank : 13
netname	: OCN
descr	: NTT Communications Corporation
country	: JP
---------------------------
ip : 76.88.224.3
access count : 3, rank : 14
orgname	: Road Runner HoldCo LLC
netname	: RRWE
country	: US
---------------------------
ip : 202.238.95.159
access count : 3, rank : 15
---------------------------
ip : 203.112.41.190
access count : 3, rank : 16
netname	: STNet
descr	: STNet, Incorporated
country	: JP
---------------------------
ip : 68.45.32.61
access count : 3, rank : 17
---------------------------
ip : 115.177.35.151
access count : 3, rank : 18
netname	: InfoWeb
descr	: FUJITSU LIMITED
country	: JP
---------------------------
ip : 121.55.221.252
access count : 3, rank : 19
netname	: KUENTOS-GU
descr	: Kuentos Communications, Inc.
country	: GU
---------------------------
ip : 111.252.200.10
access count : 2, rank : 20
netname	: HINET-NET
descr	: CHTD, Chunghwa Telecom Co.,Ltd.
country	: TW
---------------------------
ip : 119.172.116.20
access count : 2, rank : 21
netname	: ATNETHOME-JP
descr	: Technology Networks Inc.
country	: JP
---------------------------
ip : 124.18.199.180
access count : 2, rank : 22
netname	: commufa
descr	: Chubu Telecommunications Co.,Inc.
country	: JP
---------------------------
ip : 70.92.142.238
access count : 1, rank : 23
orgname	: Road Runner HoldCo LLC
netname	: RRWE
country	: US
---------------------------
ip : 112.202.64.49
access count : 1, rank : 24
netname	: IPG
descr	: IPG
country	: PH
---------------------------
ip : 200.204.157.112
access count : 1, rank : 25
orgname	: Latin American and Caribbean IP address Regional Registry
netname	: LACNIC-200
country	: UY
---------------------------
ip : 120.42.90.87
access count : 1, rank : 26
netname	: CHINANET-FJ
descr	: CHINANET FUJIAN PROVINCE NETWORK
country	: CN
---------------------------
ip : 41.218.250.83
access count : 1, rank : 27
orgname	: African Network Information Center
netname	: NET41
country	: MU
---------------------------
ip : 75.189.221.232
access count : 1, rank : 28
orgname	: Road Runner HoldCo LLC
netname	: RRMA
country	: US
---------------------------
ip : 93.65.197.42
access count : 1, rank : 29
netname	: VODAFONE-IT
descr	: IP addresses reserved to DSL subscribers
country	: IT
---------------------------
ip : 82.160.207.5
access count : 1, rank : 30
netname	: PL-ABP-COMPUTER
descr	: ABP Computer Piotr Roslaw Adrowski
country	: PL
---------------------------
ip : 92.4.43.46
access count : 1, rank : 31
netname	: CPWBBSERV-NET
descr	: Carphone Warehouse Broadband Services
country	: GB
---------------------------
ip : 83.51.27.231
access count : 1, rank : 32
netname	: RIMA
descr	: Telefonica de Espana SAU
country	: ES
---------------------------
ip : 84.125.144.29
access count : 1, rank : 33
netname	: ES-ONO-20040415
descr	: PROVIDER Local Registry
country	: ES
---------------------------
ip : 85.50.242.196
access count : 1, rank : 34
netname	: UNI2-NET
descr	: Addresses IP for Home clients
country	: ES
---------------------------
ip : 90.38.211.48
access count : 1, rank : 35
netname	: IP2000-ADSL-BAS
descr	: BSPOI257 Poitiers Bloc 2
country	: FR
---------------------------
ip : 95.90.152.213
access count : 1, rank : 36
netname	: KABEL-DEUTSCHLAND-CUSTOMER-SERVICES-19
descr	: Kabel Deutschland Breitband Customer 19
country	: DE
---------------------------
ip : 69.14.100.155
access count : 1, rank : 37
---------------------------
ip : 98.212.65.88
access count : 1, rank : 38
---------------------------
ip : 81.227.116.42
access count : 1, rank : 39
netname	: TELIANET
descr	: Telia Network Services
country	: SE
---------------------------
ip : 119.246.143.103
access count : 1, rank : 40
netname	: CTIHK
descr	: City Telecom (H.K.) Ltd.
country	: HK
---------------------------
ip : 87.255.14.75
access count : 1, rank : 41
netname	: BIGTELECOM
descr	: BIG TELECOM CLOSED JSC
country	: RU
---------------------------
ip : 90.191.0.62
access count : 1, rank : 42
netname	: EE-ESTPAK
descr	: Dynamic links
country	: EE
---------------------------
ip : 84.245.231.224
access count : 1, rank : 43
netname	: LIVASTELECOMMUNICATION
descr	: Cable Internet Home users based on DOCSIS standard.
country	: LV
---------------------------
ip : 124.10.130.99
access count : 1, rank : 44
netname	: TFN-NET
descr	: Taiwan Fixed Network CO.,LTD.
country	: TW
---------------------------
ip : 78.150.142.253
access count : 1, rank : 45
netname	: OPAL-DSL
descr	: Opal Telecom DSL
country	: GB
---------------------------
ip : 71.61.136.157
access count : 1, rank : 46
orgname	: Comcast Cable Communications Holdings, Inc
netname	: CCCH-3-34
country	: US
---------------------------
ip : 71.194.74.86
access count : 1, rank : 47
---------------------------
ip : 41.201.70.18
access count : 1, rank : 48
orgname	: African Network Information Center
netname	: NET41
country	: MU
---------------------------
ip : 84.127.194.139
access count : 1, rank : 49
netname	: ES-ONO-20040415
descr	: PROVIDER Local Registry
country	: ES
---------------------------
ip : 95.132.201.163
access count : 1, rank : 50
netname	: UKRTELNET
descr	: Ukrtelecom IP  network
country	: ua
---------------------------
ip : 79.234.26.90
access count : 1, rank : 51
netname	: DTAG-DIAL24
descr	: Deutsche Telekom AG
country	: DE
---------------------------
ip : 118.156.206.104
access count : 1, rank : 52
netname	: KDDI
descr	: KDDI CORPORATION
country	: JP
---------------------------
ip : 71.77.14.235
access count : 1, rank : 53
orgname	: Road Runner HoldCo LLC
netname	: RRMA
country	: US
---------------------------
ip : 84.131.61.33
access count : 1, rank : 54
netname	: DTAG-DIAL19
descr	: Deutsche Telekom AG
country	: DE
---------------------------
ip : 89.215.86.234
access count : 1, rank : 55
netname	: GIGABITNET
descr	: Gigabit Net
country	: BG
---------------------------
ip : 123.204.194.226
access count : 1, rank : 56
netname	: SEEDNET-NET
descr	: Digital United Inc.
country	: TW
---------------------------
ip : 202.28.25.7
access count : 1, rank : 57
netname	: THAINET-TH
descr	: UniNet(Inter-university network)
country	: TH
---------------------------
ip : 41.97.163.60
access count : 1, rank : 58
orgname	: African Network Information Center
netname	: NET41
country	: MU
---------------------------
ip : 24.185.21.194
access count : 1, rank : 59
---------------------------
ip : 114.24.170.29
access count : 1, rank : 60
netname	: HINET-NET
descr	: CHTD, Chunghwa Telecom Co.,Ltd.
country	: TW
---------------------------
ip : 88.195.141.136
access count : 1, rank : 61
netname	: SONERA-FINLAND-BBNET
descr	: Broadband access pool
country	: FI
---------------------------
ip : 190.172.81.242
access count : 1, rank : 62
orgname	: Latin American and Caribbean IP address Regional Registry
netname	: NET190
country	: UY
---------------------------
ip : 98.197.178.199
access count : 1, rank : 63
---------------------------
ip : 76.8.182.14
access count : 1, rank : 64
orgname	: Mikrotec Internet Services, Inc.
netname	: MISNET
country	: US
---------------------------
ip : 189.104.107.206
access count : 1, rank : 65
orgname	: Latin American and Caribbean IP address Regional Registry
netname	: NET189
country	: UY
---------------------------
ip : 91.109.71.128
access count : 1, rank : 66
netname	: OUK-LLU22-18
descr	: Range2 Manchester /18
country	: GB
---------------------------
ip : 71.71.6.19
access count : 1, rank : 67
orgname	: Road Runner HoldCo LLC
netname	: RRMA
country	: US
---------------------------
ip : 82.105.15.163
access count : 1, rank : 68
netname	: TIWS-SMART-3
descr	: Telecom Italia S.p.A.
country	: IT
---------------------------
ip : 77.160.21.36
access count : 1, rank : 69
netname	: NL-PMG-ADSL
descr	: ADSL37
country	: NL
---------------------------
ip : 92.118.95.86
access count : 1, rank : 70
netname	: ON-TELECOMS-NET
descr	: IP addresses for ON customers
country	: GR
---------------------------
ip : 62.150.95.185
access count : 1, rank : 71
netname	: KW-MOC-20000926
descr	: QualityNet General Trading & Contracting Co.
country	: KW
---------------------------
ip : 114.47.1.36
access count : 1, rank : 72
netname	: HINET-NET
descr	: CHTD, Chunghwa Telecom Co.,Ltd.
country	: TW
---------------------------
ip : 93.39.113.141
access count : 1, rank : 73
netname	: FASTWEB-DPPU
descr	: Infrastructure for Fastwebs main location
country	: IT
---------------------------
ip : 41.234.182.59
access count : 1, rank : 74
orgname	: African Network Information Center
netname	: NET41
country	: MU
---------------------------
ip : 24.131.145.99
access count : 1, rank : 75
---------------------------
ip : 125.230.96.67
access count : 1, rank : 76
netname	: HINET-NET
descr	: CHTD, Chunghwa Telecom Co.,Ltd.
country	: TW
---------------------------
ip : 87.127.170.17
access count : 1, rank : 77
netname	: ENTANET-84635-ADSL
descr	: Entanet Customer
country	: GB
---------------------------
ip : 60.198.85.221
access count : 1, rank : 78
netname	: TFN-NET
descr	: Taiwan Fixed Network CO.,LTD.
country	: TW
---------------------------
ip : 211.18.117.156
access count : 1, rank : 79
---------------------------
ip : 115.163.184.50
access count : 1, rank : 80
netname	: So-net
descr	: So-net Entertainment Corporation
country	: JP
---------------------------
ip : 85.229.65.60
access count : 1, rank : 81
netname	: B2-BISP
descr	: B2 customers in bor1
country	: SE
---------------------------
ip : 60.241.227.184
access count : 1, rank : 82
netname	: TPG-AU
descr	: TPG Internet Pty Ltd.
country	: AU
