Last active
August 29, 2015 14:18
-
-
Save alleck/273690dd738deb03ee04 to your computer and use it in GitHub Desktop.
Batch: Find High Traffic Connections
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| :: Author: Kaleb Lewis (Alleck) | |
| :: Purpose: Find High Traffic Connections | |
| :: OS: Windows/DOS | |
| :: Language: Batch (.bat) | |
| @ECHO off | |
| :: Set the threshold at which you want events to trigger. | |
| SET threshold=100 | |
| SET attacked=300 | |
| :: Clear the log files that are used for data. | |
| DEL netstat.log | |
| DEL netstatUniq.log | |
| :: Read output of the 2nd column of NETSTAT line by line into netstat.log. | |
| FOR /F "tokens=2 delims=: " %%a IN ('netstat -anp TCP') DO ( | |
| ECHO %%a >> netstat.log | |
| ) | |
| :: Get the unique IPs being accessed and save them to netstatUniq.log. | |
| SET "prev=" | |
| FOR /F "delims=" %%f in ('sort netstat.log') DO ( | |
| SET "curr=%%f" | |
| SETLOCAL enabledelayedexpansion | |
| IF !prev! NEQ !curr! ECHO !curr! >> netstatUniq.log | |
| ENDLOCAL | |
| SET "prev=%%f" | |
| ) | |
| FINDSTR /b /v /c:"10.10" netstatUniq.log > netstatUniqSorted.log | |
| :: For each unique IP in netstatUniq.log, count how many times it is being accessed. | |
| FOR /F "delims=" %%x IN (netstatUniqSorted.log) DO ( | |
| FOR /F "delims=" %%z IN ('findstr /R /N "%%x" netstat.log ^| find /C ":"') DO ( | |
| IF %%z GTR %threshold% ( | |
| ECHO %%x has HIGH traffic of %%z | |
| IF %%z GTR %attacked% ECHO %%x is being attacked with %%z connections >> Attacked.log | |
| ) | |
| ) | |
| ) | |
| PAUSE |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment