Created
May 5, 2014 02:22
Script to search for Heartbleed session hijacks in a VPN Log
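/**
 * Scans a VPN log for sessions whose source IP changes for the same user, one
 * indicator of a hijacked session (e.g. a session token leaked via Heartbleed and
 * replayed from another host). For every IP change it prints two CSV-style lines,
 * {@code user,date,ip,record}: the last record seen from the old address and the
 * first record from the new one.
 *
 * Usage: {@code groovy SessionParser.groovy [logfile]} — defaults to {@code vpn.txt}
 * in the working directory, as the original hard-coded path did.
 */
class SessionParser {
    static void main(String[] args) {
        // user -> [ip, date, record] for the most recent line seen for that user
        def users = [:]
        // Log file to scan: first argument if given, otherwise the original default
        def records = new File(args ? args[0] : 'vpn.txt')
        records.eachLine { record ->
            // Only tunnel-session lines are interesting; adapt this filter to your log format
            if (!(record ==~ /.*Full_Tunnel.*/)) {
                return
            }
            // PLACEHOLDER regex — adapt to your log format so that capture group 1 is the username.
            // (The original /userName/ had no capture group, so [0][1] could never yield a name.)
            def userMatcher = record =~ /userName=(\S+)/
            // Bracketed dotted quad following "- ", e.g. "- [10.0.0.1]" (constructed example)
            def ipMatcher = record =~ /- \[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]/
            // Timestamp of the form yyyy-MM-dd HH:mm:ss
            def dateMatcher = record =~ /(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})/
            // A Full_Tunnel line missing any of the three fields used to throw
            // IndexOutOfBoundsException and abort the whole scan. Skip it (noisily, on
            // stderr so stdout stays clean CSV) so one odd line cannot hide later hits.
            if (!userMatcher.find() || !ipMatcher.find() || !dateMatcher.find()) {
                System.err.println("skipping unparseable line: $record")
                return
            }
            def user = userMatcher.group(1)
            def ip = ipMatcher.group(1)
            def date = dateMatcher.group(1)

            def previous = users[user]
            if (previous == null) {
                // First sighting of this user: start tracking
                users[user] = [ip, date, record]
            } else if (previous[0] != ip) {
                // Same user, different source address: report old and new. Legitimate
                // roaming (reconnects, mobile clients, NAT changes) also triggers this,
                // so treat hits as leads to triage rather than confirmed hijacks.
                println("$user,${previous[1]},${previous[0]},${previous[2]}")
                println("$user,$date,$ip,$record")
                users[user] = [ip, date, record]
            } else {
                // Same address: remember the latest record so a later IP switch reports
                // the true last line from this address (the two branches above are exhaustive)
                previous[2] = record
            }
        }
    }
}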