Detect bots with bash/shell [duplicate]

I should parse some log file to detect bots.
I have two tasks:
– user has made auth in, user changed password, user has made auth off within the same second
– actions (has made auth in, change, has made auth off) happened one after another
This is the log:

Friday, 10 October 2012 13:15:39 +0300|192.168.110.5|rock| - |user has made auth in| -
Friday, 10 October 2012 13:15:39 +0300|192.168.110.5|rock| - |user has changed password| -
Friday, 10 October 2012 13:15:39 +0300|192.168.110.5|rock| - |user has made auth off| -
Friday, 10 October 2012 13:15:42 +0300|192.168.110.5|hogan| - |user has made auth in| -
Friday, 10 October 2012 13:15:49 +0300|172.16.170.180|cena| - |user has made auth in| -
Friday, 10 October 2012 13:15:49 +0300|172.16.170.180|cena| - |user has changed password| -
Friday, 10 October 2012 13:15:49 +0300|172.16.170.180|cena| - |user has made auth off| -
Friday, 10 October 2012 13:15:59 +0300|192.168.107.1|master| - |user has made auth in| -
Friday, 10 October 2012 13:15:59 +0300|192.168.107.1|master| - |user has made auth in| -
Friday, 10 October 2012 13:15:59 +0300|192.168.107.1|master| - |user has changed password| -
Friday, 10 October 2012 13:15:59 +0300|192.168.107.1|master| - |user has made auth off| -
Friday, 10 October 2012 13:17:50 +0300|192.168.107.1|cmpunk| - |user has made auth in| -
Friday, 10 October 2012 13:17:50 +0300|192.168.107.1|cmpunk| - |user has changed password| -
Friday, 10 October 2012 13:17:50 +0300|192.168.107.1|cmpunk| - |user has changed profile| -
Friday, 10 October 2012 13:17:50 +0300|192.168.107.1|cmpunk| - |user has made auth off| -
Friday, 10 October 2012 13:19:19 +0300|10.10.10.25|ziggler| - |user has made auth in| -
Friday, 10 October 2012 13:19:19 +0300|10.10.10.25|ziggler| - |user has changed password| -
Friday, 10 October 2012 13:19:19 +0300|10.10.10.25|ziggler| - |user has made auth off| -
Friday, 10 October 2012 13:20:42 +0300|178.57.67.225|vince| - |user has made auth in| -

I have made this:

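#!/bin/bash

log=/root/auth.log
temp=/root/log.temp
result=/root/bots.result

# Start with empty temp and result files
: > "$temp"
: > "$result"

# Extract the IP address (second |-separated field) from the last 10 log lines
awk '{print $6}' "$log" | awk -F "|" '{print $2}' | tail -n 10 > "$temp"

# Report every IP that appears more than 4 times in a row
for i in $(uniq -c "$temp" | awk '{print $1}'); do
    if [ "$i" -gt 4 ]; then
        a=$(uniq -c "$temp" | awk -v n="$i" '$1 == n')
        echo "This is a bot: $a" >> "$result"
    fi
done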

As a result, we will have the IPs with a count of more than 4. But that is not right. The bot does auth, changes the password and logs out at the same time. For example, look at the first 3 lines in my log. The time when the bot made auth, changed the password and logged out is the same: 13:15:39. From these conditions, I have understood that the bot is the user with the name “rock”. How to do this, I don’t have any thoughts. Thanks for your attention.
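One way to detect the sequence the question describes, as an added example that is not part of the original post: a small per-account state machine in awk that flags "auth in", "changed password", "auth off" following one another within the same second. The function names `sample_log` and `detect_bots` are made up for this example, and it assumes an account is the IP and user name pair.

```bash
#!/bin/bash
# Added example: flag accounts whose login, password change and logout
# follow one another within the same second.

# Lines copied from the log in the question (subset).
sample_log() {
cat <<'EOF'
Friday, 10 October 2012 13:15:39 +0300|192.168.110.5|rock| - |user has made auth in| -
Friday, 10 October 2012 13:15:39 +0300|192.168.110.5|rock| - |user has changed password| -
Friday, 10 October 2012 13:15:39 +0300|192.168.110.5|rock| - |user has made auth off| -
Friday, 10 October 2012 13:15:42 +0300|192.168.110.5|hogan| - |user has made auth in| -
Friday, 10 October 2012 13:15:59 +0300|192.168.107.1|master| - |user has made auth in| -
Friday, 10 October 2012 13:15:59 +0300|192.168.107.1|master| - |user has made auth in| -
Friday, 10 October 2012 13:15:59 +0300|192.168.107.1|master| - |user has changed password| -
Friday, 10 October 2012 13:15:59 +0300|192.168.107.1|master| - |user has made auth off| -
Friday, 10 October 2012 13:17:50 +0300|192.168.107.1|cmpunk| - |user has made auth in| -
Friday, 10 October 2012 13:17:50 +0300|192.168.107.1|cmpunk| - |user has changed password| -
Friday, 10 October 2012 13:17:50 +0300|192.168.107.1|cmpunk| - |user has changed profile| -
Friday, 10 October 2012 13:17:50 +0300|192.168.107.1|cmpunk| - |user has made auth off| -
EOF
}

# detect_bots [FILE...]: reads the log (files or stdin), prints "timestamp|ip|user".
# Assumption: "one after another" means no other action by the same
# account (ip|user) between the three steps; other accounts may interleave.
detect_bots() {
    awk -F'|' '
    {
        key = $2 "|" $3                  # account = ip|user
        ts = $1; act = $5                # timestamp has 1 s resolution
        if (act == "user has made auth in") {
            step[key] = 1; seen[key] = ts            # (re)start the sequence
        } else if (act == "user has changed password" && step[key] == 1 && seen[key] == ts) {
            step[key] = 2
        } else if (act == "user has made auth off" && step[key] == 2 && seen[key] == ts) {
            print ts "|" key                         # full sequence in one second
            step[key] = 0
        } else {
            step[key] = 0                # any other action breaks the sequence
        }
    }' "$@"
}

sample_log | detect_bots
```

On these lines it reports rock and master (the repeated login restarts the sequence, so the last three master lines match) and skips cmpunk, whose profile change sits between the password change and the logout.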
