I have a question about how IIS handles an SVN folder.
I am working with ASP-Web forms and MapGuide. My problem is, when I set the path in IIS to my TortoiseSVN working copy, then MapGuide stops working. But when I just copy and paste all files from my working copy to a standard Windows folder and set the path to it, then everything works fine.
So what does TortoiseSVN do?
Edit: here are some logs and errors
2017-11-21 09:36:37 ::1 GET /mapguide/mapviewernet/ajaxviewer.aspx SESSION=78e11ef8-ce9f-11e7-8000-208df200a4f8_en_MTI3LjAuMC4x0AFC0AFB0AFA&WEBLAYOUT=Library://MyProject/Layouts/MyProject.WebLayout 81 - ::1 - - 500 19 5 0
2017-11-21 09:36:37 ::1 GET /xxx/xxx/MapContainerRechtsForm.aspx - 81 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 http://localhost:81/xxx/xxx/MapContainerForm.aspx 200 0 0 562
2017-11-21 09:36:37 ::1 GET /xxx/javascript/jquery.min.js - 81 - ::1%0 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 http://localhost:81/xxx/xxx/MapContainerRechtsForm.aspx 200 0 0 0
2017-11-21 09:36:37 ::1 GET /mapguide/mapviewernet/ajaxviewer.aspx SESSION=78e11ef8-ce9f-11e7-8000-208df200a4f8_en_MTI3LjAuMC4x0AFC0AFB0AFA&WEBLAYOUT=Library://MyProject/Layouts/MyProject.WebLayout 81 - ::1 - - 500 19 5 0
2017-11-21 09:36:37 ::1 GET /xxx/xxx/MapContainerRechtsForm.aspx - 81 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 http://localhost:81/xxx/xxx/xxx.aspx 200 0 0 31
2017-11-21 09:36:37 ::1 GET /xxx/javascript/jquery.min.js - 81 - ::1%0 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 http://localhost:81/xxx/xxx/xxx.aspx 200 0 0 0
2017-11-21 09:36:37 ::1 GET /xxx/xxx/MapContainerForm.aspx - 81 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - 200 0 0 515
2017-11-21 09:37:24 ::1 GET /mapguide/mapagent/mapagent.fcgi OPERATION=GETPROVIDERCAPABILITIES&VERSION=2.0.0&SESSION=8d781ed4-ce9a-11e7-8000-208df200a4f8_en_MTI3LjAuMC4x0AFC0AFB0AFA&FORMAT=text%2Fxml&CLIENTAGENT=MapGuide%20Maestro%20v6.0.0.8909&PROVIDER=OSGeo.SDF 81 - ::1 - - 500 19 5 0
2017-11-21 09:38:24 ::1 GET /mapguide/mapagent/mapagent.fcgi OPERATION=GETPROVIDERCAPABILITIES&VERSION=2.0.0&SESSION=8d781ed4-ce9a-11e7-8000-208df200a4f8_en_MTI3LjAuMC4x0AFC0AFB0AFA&FORMAT=text%2Fxml&CLIENTAGENT=MapGuide%20Maestro%20v6.0.0.8909&PROVIDER=OSGeo.SDF 81 - ::1 - - 500 19 5 0
2017-11-21 09:39:24 ::1 GET /mapguide/mapagent/mapagent.fcgi OPERATION=GETPROVIDERCAPABILITIES&VERSION=2.0.0&SESSION=8d781ed4-ce9a-11e7-8000-208df200a4f8_en_MTI3LjAuMC4x0AFC0AFB0AFA&FORMAT=text%2Fxml&CLIENTAGENT=MapGuide%20Maestro%20v6.0.0.8909&PROVIDER=OSGeo.SDF 81 - ::1 - - 500 19 5 0
2017-11-21 09:40:24 ::1 GET /mapguide/mapagent/mapagent.fcgi OPERATION=GETPROVIDERCAPABILITIES&VERSION=2.0.0&SESSION=8d781ed4-ce9a-11e7-8000-208df200a4f8_en_MTI3LjAuMC4x0AFC0AFB0AFA&FORMAT=text%2Fxml&CLIENTAGENT=MapGuide%20Maestro%20v6.0.0.8909&PROVIDER=OSGeo.SDF 81 - ::1 - - 500 19 5 0
How it looks:
How it should look:
Dim Response As Net.WebResponse = Nothing
Dim WebReq As Net.HttpWebRequest = Net.HttpWebRequest.Create(URL)
Response = WebReq.GetResponse() ' <-- exception
> > StatusCode = InternalServerError {500} ResponseUri =
> > {http://localhost:81/mapguide/mapviewernet/ajaxviewer.aspx?SESSION=48f61ece-cea8-11e7-8000-208df200a4f8_en_MTI3LjAuMC4x0AFC0AFB0AFA&WEBLAYOUT=Library://myProject/Layouts/myWebLayout.WebLayout}
OK, I got the solution for my problem:
I have to add the "Authenticated Users" group to my project folder, because my web.config in that folder could not be accessed.
I am trying to write a bash script that will list and count the number of HTTP 500 - 511 web errors inside this file, "ccc2022-02-19.txt".
Inside every file there are several 500 errors ranging from HTTP 500, 501, 502, 503 up to 511.
Within the directory where these files are, there are 4 different types of files listed daily, but I am only interested in the files that start with "ccc" because they are listed daily, for example "ccc2022-02-19.txt", "ccc2022-02-20.txt" etc.
Below is an example of the file content "ccc2022-02-19.txt"
10.32.10.181 ignore 19 Feb 2022 00:26:04 GMT 10.32.10.44 GET / HTTP/1.1 500 73 N 0 h
10.32.26.124 ignore 19 Feb 2022 00:26:06 GMT 10.32.10.44 GET / HTTP/1.1 501 73 N 0 h
10.32.42.249 ignore 19 Feb 2022 00:26:27 GMT 10.32.10.44 GET / HTTP/1.1 500 73 N 1 h
10.32.10.181 ignore 19 Feb 2022 00:26:34 GMT 10.32.10.44 GET / HTTP/1.1 302 73 N 0 h
10.32.26.124 ignore 19 Feb 2022 00:26:36 GMT 10.32.10.44 GET / HTTP/1.1 503 73 N 1 h
10.32.26.124 ignore 19 Feb 2022 00:26:36 GMT 10.32.10.44 GET / HTTP/1.1 502 73 N 1 h
10.32.26.124 ignore 19 Feb 2022 00:26:36 GMT 10.32.10.44 GET / HTTP/1.1 502 73 N 1 h
10.32.26.124 ignore 19 Feb 2022 00:26:36 GMT 10.32.10.44 GET / HTTP/1.1 504 73 N 1 h
10.32.26.124 ignore 19 Feb 2022 00:26:36 GMT 10.32.10.44 GET / HTTP/1.1 511 73 N 1 h
10.32.26.124 ignore 19 Feb 2022 00:26:36 GMT 10.32.10.44 GET / HTTP/1.1 508 73
I have tried using this command
awk '{for(i=1;i<=NF;i++){if($i>=500 && $i<=511){print $i}}}' ccc2022-02-19.txt
which listed the numbers 500 - 511, but I'm afraid that it is not giving only the HTTP responses but grepped other numbers too, like 50023 and 503893, found inside the file.
To be specific, I just want to see only the HTTP errors. Please note that the file content above is just an example.
Here is a simple awk script:
awk '$12 ~ /5[[:digit:]]{2}/ && $12 < 512 {print $12}' input.txt
Explanation
$12 ~ /5[[:digit:]]{2}/ : Field #12 matches 5[0-9][0-9]
$12 < 512 : Field #12 is less than 512
$12 ~ /5[[:digit:]]{2}/ && $12 < 512 : (Field #12 matches 5[0-9][0-9]) AND (Field #12 is less than 512)
{print $12} : Print field #12 only if the 2 conditions above are met
I think this script might help
#!/bin/bash
ccc=500
while [ $ccc -le 511 ]
do
echo $ccc
ccc=$(( $ccc +1 ))
sleep 0.5
done
You can try out this:
#!/bin/bash
CURRENTDATE=`date +"%Y-%m-%d"`
echo Today date is=${CURRENTDATE}
echo Looking for today file www${CURRENTDATE}.txt
echo "#####"
echo Start listing 500 response codes for file:ccc${CURRENTDATE}.txt
#awk '{print $3 " " $4 " " $5 " " $6 " " $11}' ccc${CURRENTDATE}.txt | grep 500
echo "I am not listing to reduce amount of lines per Ms-teams limit"
echo Completed listing 500 response codes for file:ccc${CURRENTDATE}.txt
echo "#####"
Assuming all lines look like the sample (ie, the http error code is always in the 12th white-space delimited field):
$ awk '$12>= 500 && $12<=511 {print $12}' ccc2022-02-19.txt
500
501
500
503
502
502
504
511
508
If this doesn't work for all possible input lines then the question should be updated with a more representative set of sample data.
This should achieve what you want. Please guys always try to read the description before concluding that he asked a stupid question. It is actually clear!!
awk '{print $3 " " $4 " " $5 " " $6 " " $11 " " $12}' ccc2022-02-21.txt | grep 500 | wc -l
This experiment was done in reference to the file output he provided above, and I tested this and it worked! This was a brilliant question in my opinion.
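A count per status code that does not depend on the field number, as an added example (not code from any of the answers above). It assumes the status code is the token directly after the `HTTP/x.y` protocol token, as in the sample lines, and the sample data inside is constructed.

```shell
#!/bin/sh
# count_5xx [FILE...]: print "<status> <count>" for HTTP 500-511, sorted by
# status. Reads standard input when no file is given.
count_5xx() {
    awk '
    {
        # Find the protocol token (HTTP/1.1, HTTP/2.0, ...). The status code
        # is the field right after it, wherever that lands on the line.
        for (i = 1; i < NF; i++) {
            if ($i ~ /^HTTP\/[0-9.]+$/) {
                code = $(i + 1)
                # Exactly three digits, so 50023 or 503893 can never match,
                # and byte counts in later fields are never inspected.
                if (code ~ /^5[0-9][0-9]$/ && code + 0 <= 511)
                    hits[code]++
                break
            }
        }
    }
    END { for (c in hits) print c, hits[c] }
    ' "$@" | sort -n
}

# Constructed sample in the layout shown in the question. Line 2 has a byte
# count of 50023, line 3 is a 200 with a byte count of 503, line 4 has an
# extra field that shifts the status to field 13, line 6 is outside 500-511.
sample_5xx() {
    cat <<'EOF'
10.32.10.181 ignore 19 Feb 2022 00:26:04 GMT 10.32.10.44 GET / HTTP/1.1 500 73 N 0 h
10.32.26.124 ignore 19 Feb 2022 00:26:06 GMT 10.32.10.44 GET / HTTP/1.1 502 50023 N 0 h
10.32.42.249 ignore 19 Feb 2022 00:26:27 GMT 10.32.10.44 GET / HTTP/1.1 200 503 N 1 h
10.32.10.181 ignore extra 19 Feb 2022 00:26:34 GMT 10.32.10.44 GET / HTTP/1.1 502 73 N 0 h
10.32.26.124 ignore 19 Feb 2022 00:26:36 GMT 10.32.10.44 GET / HTTP/1.1 511 73
10.32.26.124 ignore 19 Feb 2022 00:26:37 GMT 10.32.10.44 GET / HTTP/1.1 512 73
EOF
}

sample_5xx | count_5xx
```

To cover every daily file at once, pass them as arguments: `count_5xx ccc*.txt`.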
I am new to the SCTP protocol and trying to figure out how to interpret the SCTP stats captured by /proc/net/sctp.
The output shows something like this.
2016-04-26 07:21:17
ASSOC SOCK STY SST ST HBKT ASSOC-ID TX_QUEUE RX_QUEUE UID INODE LPORT RPORT LADDRS <-> RADDRS HBINT INS OUTS MAXRT T1X T2X RTXC wmema wmemq sndbuf rcvbuf
ce0f1800 cd7ede00 2 1 3 11661 1783 423 0 77 292723 36422 36423 10.205.8.71 <-> *10.205.8.72 3000 10 10 10 0 0 0 873 704 163840 163840
ca625800 cd7ec000 2 1 3 65210 1 0 0 77 10344 3223 36412 10.205.8.71 <-> *10.205.0.135 3000 2 2 10 0 0 3 1 0 163840 163840
ENDPT SOCK STY SST HBKT LPORT UID INODE LADDRS
ca511d80 cd7ec3c0 2 10 40 36422 77 10345 10.205.8.71
ADDR ASSOC_ID HB_ACT RTO MAX_PATH_RTX REM_ADDR_RTX START
10.205.8.72 1783 1 200 5 0 0
10.205.0.135 1 1 200 15 0 0
SctpCurrEstab 2
SctpActiveEstabs 21
SctpPassiveEstabs 1855
SctpAborteds 272
SctpShutdowns 1808
SctpOutOfBlues 0
SctpChecksumErrors 0
SctpOutCtrlChunks 79214
SctpOutOrderChunks 327396
SctpOutUnorderChunks 0
SctpInCtrlChunks 268038
SctpInOrderChunks 174268
SctpInUnorderChunks 0
SctpFragUsrMsgs 0
SctpReasmUsrMsgs 0
SctpOutSCTPPacks 406626
SctpInSCTPPacks 385959
SctpT1InitExpireds 0
SctpT1CookieExpireds 0
SctpT2ShutdownExpireds 0
SctpT3RtxExpireds 5
SctpT4RtoExpireds 0
SctpT5ShutdownGuardExpireds 0
SctpDelaySackExpireds 9869
SctpAutocloseExpireds 0
SctpT3Retransmits 5
SctpPmtudRetransmits 0
SctpFastRetransmits 14
SctpInPktSoftirq 384346
SctpInPktBacklog 1613
SctpInPktDiscards 0
SctpInDataChunkDiscards 0
Can someone help me understand this or provide a link where I can get some information?
Thanks,
Vishal
The linux man page for SCTP (http://linux.die.net/man/7/sctp) has most of them covered - for example:
SctpChecksumErrors
The number of SCTP packets received with an invalid checksum.
SctpOutCtrlChunks
The number of SCTP control chunks sent (retransmissions are not included). Control chunks are those chunks different from DATA.
SctpOutOrderChunks
The number of SCTP ordered data chunks sent (retransmissions are not included).
SctpOutUnorderChunks
If there is a particular one you were wondering about, maybe let us know?
I need help with analyzing nginx logs. Sample of the log:
10.10.10.10 - - [21/Mar/2016:00:00:00 +0000] "GET /example?page=&per_page=100&scopes= HTTP/1.1" 200 769 "-" "" "1.1.1.1"
10.10.10.10 - - [21/Mar/2016:00:00:00 +0000] "GET /example?page=&per_page=500&scopes= HTTP/1.1" 200 769 "-" "" "1.1.1.1"
11.11.11.11 - - [21/Mar/2016:00:00:00 +0000] "GET /example?page=&per_page=10&scopes= HTTP/1.1" 200 769 "-" "" "1.1.1.1"
12.12.12.12 - - [21/Mar/2016:00:00:00 +0000] "GET /example?page=&per_page=500&scopes= HTTP/1.1" 200 769 "-" "" "1.1.1.1"
13.13.13.13 - - [21/Mar/2016:00:00:00 +0000] "GET /example HTTP/1.1" 200 769 "-" "" "1.1.1.1"
Is it possible to select, with a count, all unique IP addresses whose requests contain the per_page parameter with a value equal to or greater than 100?
So, the output can be in any format:
10.10.10.10 - 2 # ip 10.10.10.10 was found twice
12.12.12.12 - 1
Is it possible to get with one command?
$ awk '/per_page=[0-9]{3}/{cnt[$1]++} END{for (ip in cnt) print ip, cnt[ip]}' file
12.12.12.12 1
10.10.10.10 2
This is absolutely basic awk - read the book Effective Awk Programming, 4th Edition, by Arnold Robbins if you're going to be doing any other text file processing in UNIX.
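A variant that compares the per_page value as a number and reads it only from the request line, so a value such as 099 or a per_page that appears in the referrer field is not counted (an added example, not part of the answer above). The function name and the extra sample lines are constructed for illustration.

```shell
#!/bin/sh
# big_page_clients [MIN] < access.log
# Print "<client-ip> <count>" for requests whose per_page query parameter is
# numerically >= MIN (default 100).
big_page_clients() {
    awk -v min="${1:-100}" '
    {
        # In the log format shown, the request line is the first
        # double-quoted string: "METHOD URI PROTOCOL".
        n = split($0, q, "\"")
        if (n < 3) next
        split(q[2], req, " ")
        uri = req[2]
        qpos = index(uri, "?")
        if (qpos == 0) next            # no query string at all
        m = split(substr(uri, qpos + 1), kv, "&")
        for (i = 1; i <= m; i++) {
            # Only a purely numeric value is accepted; "per_page=" is 9
            # characters long, so the value starts at position 10.
            if (kv[i] ~ /^per_page=[0-9]+$/) {
                if (substr(kv[i], 10) + 0 >= min) cnt[$1]++
                break
            }
        }
    }
    END { for (ip in cnt) print ip, cnt[ip] }
    ' | sort
}

# Constructed sample: the question's layout plus a four-digit value, a
# referrer that mentions per_page, and a zero-padded value below 100.
sample_access_log() {
    cat <<'EOF'
10.10.10.10 - - [21/Mar/2016:00:00:00 +0000] "GET /example?page=&per_page=100&scopes= HTTP/1.1" 200 769 "-" "" "1.1.1.1"
10.10.10.10 - - [21/Mar/2016:00:00:01 +0000] "GET /example?page=&per_page=1000&scopes= HTTP/1.1" 200 769 "-" "" "1.1.1.1"
11.11.11.11 - - [21/Mar/2016:00:00:02 +0000] "GET /example?page=&per_page=10&scopes= HTTP/1.1" 200 769 "-" "" "1.1.1.1"
12.12.12.12 - - [21/Mar/2016:00:00:03 +0000] "GET /example?page=&per_page=500&scopes= HTTP/1.1" 200 769 "-" "" "1.1.1.1"
13.13.13.13 - - [21/Mar/2016:00:00:04 +0000] "GET /example HTTP/1.1" 200 769 "http://example.test/?per_page=500" "" "1.1.1.1"
14.14.14.14 - - [21/Mar/2016:00:00:05 +0000] "GET /example?per_page=099 HTTP/1.1" 200 769 "-" "" "1.1.1.1"
EOF
}

sample_access_log | big_page_clients 100
```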
I'm trying to use a symmetric key when I sync the time, and because it's for a product of my company, I can only use the command "ntpd", so no commands like "ntpq" for more information.
Here is what I've done:
1) sync time without authentication key, it works
2) then ntp-gen to generate MD5 key file at server side
/tmp/ntp.keys
2 MD5 N6\VRj&\t96tl]Xb#%$^ # MD5 key
3 MD5 M_4ga}||b_WM#te[\S33 # MD5 key
3) pick up one line and add to ntp.keys at client side
/tmp/ntp.keys
2 MD5 N6\VRj&\t96tl]Xb#%$^ # MD5 key
4) ntp.conf at server side
broadcast 10.66.208.26 key 2
keys /tmp/ntp.keys
trustedkey 2
requestkey 2
controlkey 2
5) ntp.conf at client side
server 10.66.208.122
6) command to sync time:
ntpd -a -k /tmp/ntp.keys -g -q -d -c /tmp/ntp.conf
Because of the OS conception, we use only -a to activate the authentication check, without a key number.
7) then the output:
The problem is at the end: no servers found. I cannot understand, since there is "transmit" and "receive".
ntpd 4.2.6p3#1.2290 Thu Sep 4 21:36:24 UTC 2014 (2)
5 Sep 16:10:42 ntpd[4958]: proto: precision = 3.875 usec
event at 0 0.0.0.0 c01d 0d kern kernel time sync enabled
Finished Parsing!!
5 Sep 16:10:42 ntpd[4958]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
5 Sep 16:10:42 ntpd[4958]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
5 Sep 16:10:42 ntpd[4958]: Listen and drop on 1 v6wildcard :: UDP 123
5 Sep 16:10:42 ntpd[4958]: Listen normally on 2 lo 127.0.0.1 UDP 123
restrict: op 1 addr 127.0.0.1 mask 255.255.255.255 mflags 00003000 flags 00000001
5 Sep 16:10:42 ntpd[4958]: Listen normally on 3 wan2 10.66.208.26 UDP 123
restrict: op 1 addr 10.66.208.26 mask 255.255.255.255 mflags 00003000 flags 0000001
5 Sep 16:10:42 ntpd[4958]: Listen normally on 4 iloc 192.168.0.1 UDP 123
restrict: op 1 addr 192.168.0.1 mask 255.255.255.255 mflags 00003000 flags 00000001
5 Sep 16:10:42 ntpd[4958]: Listen normally on 5 lo ::1 UDP 123
restrict: op 1 addr ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mflags 00003000 flags 00000001
5 Sep 16:10:42 ntpd[4958]: Listen normally on 6 wan2 fe80::7e66:9dff:fe12:3fd UDP 123
restrict: op 1 addr fe80::7e66:9dff:fe12:3fd mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mflags 00003000 flags 00000001
5 Sep 16:10:42 ntpd[4958]: Listen normally on 7 iloc fe80::7e66:9dff:fe12:3ff UDP 123
restrict: op 1 addr fe80::7e66:9dff:fe12:3ff mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mflags 00003000 flags 00000001
5 Sep 16:10:42 ntpd[4958]: Listen normally on 8 plc0 fe80::1010:ff:fe00:0 UDP 123
restrict: op 1 addr fe80::1010:ff:fe00:0 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mflags 00003000 flags 00000001
5 Sep 16:10:42 ntpd[4958]: peers refreshed
5 Sep 16:10:42 ntpd[4958]: Listening on routing socket on fd #25 for interface updates
peer_clear: at 0 next 1 associd 53920 refid INIT
event at 0 10.66.208.122 8011 81 mobilize assoc 53920
newpeer: 10.66.208.26->10.66.208.122 mode 3 vers 4 poll 6 10 flags 0x101 0x1 ttl 0 key 00000000
event at 0 0.0.0.0 c016 06 restart
event at 0 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
event at 0 0.0.0.0 c011 01 freq_not_set
transmit: at 1 10.66.208.26->10.66.208.122 mode 3 len 48
receive: at 13 10.66.208.26<-10.66.208.122 mode 4 len 48
packet: flash header 1420
transmit: at 15 10.66.208.26->10.66.208.122 mode 3 len 48
receive: at 15 10.66.208.26<-10.66.208.122 mode 4 len 48
packet: flash header 1420
transmit: at 17 10.66.208.26->10.66.208.122 mode 3 len 48
receive: at 17 10.66.208.26<-10.66.208.122 mode 4 len 48
packet: flash header 1420
transmit: at 19 10.66.208.26->10.66.208.122 mode 3 len 48
receive: at 19 10.66.208.26<-10.66.208.122 mode 4 len 48
packet: flash header 1420
transmit: at 21 10.66.208.26->10.66.208.122 mode 3 len 48
receive: at 21 10.66.208.26<-10.66.208.122 mode 4 len 48
packet: flash header 1420
5 Sep 16:11:05 ntpd[4958]: ntpd: no servers found
ntpd: no servers found
I think your ntp.keys file might be off. Instead of MD5 for the key type, you want M.
/tmp/ntp.keys
2 M N6\VRj&\t96tl]Xb#%$^ # MD5 key
3 M M_4ga}||b_WM#te[\S33 # MD5 key
Check out ntp.org here.
I almost have this PowerShell script completed but I am stuck at the last part and could really use some help with the final step. Below is the PS script that I have written so far:
$t1 =(get-date).AddMinutes(-10)
$t2 =$t1.ToUniversalTime().ToString("HH:mm:ss")
$IISLogPath = "C:\inetpub\logs\LogFiles\W3SVC1\"+"u_ex"+(get-date).ToString("yyMMdd")+".log"
$IISLogFileRaw = [System.IO.File]::ReadAllLines($IISLogPath)
$headers = $IISLogFileRaw[3].split(" ")
$headers = $headers | where {$_ -ne "#Fields:"}
$IISLogFileCSV = Import-Csv -Delimiter " " -Header $headers -Path $IISLogPath
$IISLogFileCSV = $IISLogFileCSV | where {$_.date -notlike "#*"}
# $t2 is left unquoted so its value, not the literal text '$t2', is compared
$timeTaken = $IISLogFileCSV | where {$_.("cs-uri-stem") -eq '/Login.aspx' -AND $_.("time") -gt $t2 } | Format-Table time,s-ip
So basically it looks at the current day's IIS log and filters when a user gets to the login page for the past 10 minutes. The part that I am stuck at is I want to be emailed when an IP hits it more than 10 times within that 10 minutes (basically to be alerted when brute force attacks are happening). I have the email part of the code written; I just need the portion that says when the s-ip hits /login.aspx greater than 10 times. Also, in my "test box" I have altered $t2 and $IISLogPath to be the following:
$t2 = "20:00:00"
$IISLogPath = "C:\test\log.log"
Below is my example Log file:
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-06-27 15:05:24
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
After a little tinkering with the script, I have found the solution. Below is the whole script
# Look back 10 minutes; the time is converted to UTC to match the log
$t1 =(get-date).AddMinutes(-10)
$t2 =$t1.ToUniversalTime().ToString("HH:mm:ss")
$IISLogPath = "C:\inetpub\logs\LogFiles\W3SVC1\"+"u_ex"+(get-date).ToString("yyMMdd")+".log"
$IISLogFileRaw = [System.IO.File]::ReadAllLines($IISLogPath)
# Column names come from the "#Fields:" line (fourth line of the log)
$headers = $IISLogFileRaw[3].split(" ")
$headers = $headers | where {$_ -ne "#Fields:"}
$IISLogFileCSV = Import-Csv -Delimiter " " -Header $headers -Path $IISLogPath
# Drop the "#" comment lines that Import-Csv read as data rows
$IISLogFileCSV = $IISLogFileCSV | where {$_.date -notlike "#*"}
# $t2 is left unquoted so its value is compared; @() keeps .count valid for a single match
$timeTaken = @($IISLogFileCSV | where {$_.("cs-uri-stem") -eq '/Login.aspx' -AND $_.("time") -gt $t2 -AND $_.("cs-method") -eq 'Get'}).count
$count = $timeTaken
if($count -ge 8)
{
Send-MailMessage -From from#domain.com -To to#domain.com -Subject "IIS Alert" -BodyAsHtml "Email body goes here" -Attachments $IISLogPath -SmtpServer ip.add.re.ss
}
You ought to be using Microsoft LogParser for most of the heavy lifting in parsing/querying your logfiles. It'll save you a lot of grief, and probably be faster to boot.
You can wrap it with PowerShell to parse the results of your queries.
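The per-address threshold the question asks for, as an added example in POSIX shell and awk rather than PowerShell (not code from the posts above). It assumes the client address is the `c-ip` column named in the sample's `#Fields:` header (`s-ip` is the server's own address), that the window stays within one day's log, and it runs on a constructed log.

```shell
#!/bin/sh
# login_burst SINCE LIMIT < iis.log
# Print "<c-ip> <hits>" for every client with more than LIMIT requests to
# /Login.aspx at or after SINCE (HH:MM:SS, same clock as the log).
login_burst() {
    awk -v since="$1" -v limit="$2" '
    /^#Fields:/ {
        # Map column names to positions; the field list can differ per site.
        for (i = 2; i <= NF; i++) col[$i] = i - 1
        next
    }
    /^#/ { next }                       # other header lines
    {
        if (!("cs-uri-stem" in col && "time" in col && "c-ip" in col)) next
        if (tolower($(col["cs-uri-stem"])) != "/login.aspx") next
        # Zero-padded HH:MM:SS values order correctly as plain strings.
        if (($(col["time"]) "") < (since "")) next
        hits[$(col["c-ip"])]++
    }
    END { for (ip in hits) if (hits[ip] + 0 > limit + 0) print ip, hits[ip] }
    ' | sort
}

# emit N LINE: print LINE N times (helper for building the sample).
emit() { n=$1; while [ "$n" -gt 0 ]; do echo "$2"; n=$((n - 1)); done; }

# Constructed log: header lines copied from the question's sample, addresses
# from the documentation ranges. Only 203.0.113.7 exceeds 10 login hits
# inside the window.
sample_iis_log() {
    echo '#Software: Microsoft Internet Information Services 7.5'
    echo '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken'
    emit 12 '2012-06-27 21:32:35 10.0.0.5 POST /Login.aspx - 80 - 203.0.113.7 UA 200 0 0 15'
    emit 3  '2012-06-27 21:40:00 10.0.0.5 GET /Login.aspx - 80 - 198.51.100.4 UA 200 0 0 15'
    emit 15 '2012-06-27 19:05:00 10.0.0.5 GET /Login.aspx - 80 - 192.0.2.9 UA 200 0 0 15'
    emit 20 '2012-06-27 21:41:00 10.0.0.5 GET /Default.aspx - 80 - 192.0.2.9 UA 200 0 0 15'
}

sample_iis_log | login_burst 20:00:00 10
```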