The power of Awk

Recently I've been busy with analyzing results of Challenge 5 of the Honeynet Forensic Challenge. The winner has written nice script for analyzing auth.log file. The script is written in Python and can be found here. I decided to implement such script in Awk. It turned out tha Awk is perfectly suited to this kind of work, here's the script:

cat auth.log | awk '

    $0 !~ /sshd/ {next};

    {ip=$11};

    /invalid/ {ip=$13};

    /Failed/ {

        Fails[ip] += 1;

        if(Fails[ip] == 1)

            StartTime[ip] = $1 " " $2 " " $3;

        EndTime[ip] = $1 " " $2 " " $3;

    };

    /Accepted/ {

        if(Fails[ip] > 0) {

            Accepts[ip] += 1;

            Details[ip] = sprintf("%s %s %s\n", Details[ip], $1 " " $2 " " $3, $9);

        }

    };

    END {

        for(key in Fails) {

            if((Fails[key] > 0) && (Accepts[key]/Fails[key] < 0.1 )) {

                print "Attacker IP: " key

                print "Start time: " StartTime[key]

                print "End time: " EndTime[key]

                print "Login attempts: " Fails[key]

                if(Accepts[key] > 0) {

                    print "Successfull attempts: " Accepts[key];

                    print Details[key];

                }

                printf "\n"

            }

        }

    }'

About 26 lines of code as opposed to 136 lines of Python version!

And here's one-liner (shorter but less verbose) version of the script:

 $ cat auth.log | awk '$0 !~ /sshd/ {next}; {ip=$11}; /invalid/ {ip=$13}; /Failed/ {Fails[ip] += 1 }; /Accepted/ {if(Fails[ip] > 0) Accepts[ip] += 1 }; END { for(key in Fails) {if((Fails[key] > 0) && (Accepts[key]/Fails[key] < 0.1 )) print key": "Fails[key] "\t Successes: " Accepts[key]} }'