Sun, 23 Nov 2008

Top Talkers
Part of my job is helping our system administrators respond to attacks against our web properties. These can include SQL injection, password cracking, and fraudulent account registrations, among others.
One of the fingerprints of these three types of activity is the repetitive nature of the attack. Attackers are greedy, generally wanting to get in, do the work, then get out, so they are often noisy in doing so. This activity stands out, but since it's mixed in with legitimate traffic, it's sometimes difficult to weed out the good traffic from the bad. So, I use a script to find these top talkers, the noisy abusers who are hitting our sites to do badness.
In this example, it's easy to see that 63.7.190.134 is doing a lot more account registrations than other users, so that's where we'll start our investigation. These are, of course, bogus IP addresses. The script is simple. It collects loglines matching a pattern, then counts, in this example, the IP addresses that hit a certain page, 'registerAcct.jsp'. The script is small, something I can drop into Modify line 27, GREP_FILTER, to suit your needs. Widen your search by increasing line 20, LOG_LINES. I keep the number low for active attacks so that it runs quickly.
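The post's own script is not reproduced here, so the following is an added example (not the author's code) that does what the text describes: take the last LOG_LINES lines of an access log, keep the lines matching GREP_FILTER, and count requests per client IP, busiest first. It assumes a combined-log-format file where the client IP is the first field; the log lines below are constructed for the example and the addresses are bogus, as in the post.

```shell
#!/bin/sh
# Added example, not the post's script: find the "top talkers" for one page.
# Assumes combined log format (client IP in field 1). LOG_LINES and GREP_FILTER
# mirror the two tunables the post mentions; both can be overridden from the
# environment, e.g. GREP_FILTER=login.jsp LOG_LINES=50000 sh top_talkers.sh
LOG_LINES=${LOG_LINES:-1000}
GREP_FILTER=${GREP_FILTER:-registerAcct.jsp}

# Constructed sample log (bogus addresses). Replace with your real access log.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
63.7.190.134 - - [23/Nov/2008:10:00:01 -0500] "POST /registerAcct.jsp HTTP/1.1" 200 512
10.1.2.3 - - [23/Nov/2008:10:00:02 -0500] "GET /index.jsp HTTP/1.1" 200 2048
63.7.190.134 - - [23/Nov/2008:10:00:02 -0500] "POST /registerAcct.jsp HTTP/1.1" 200 512
192.0.2.7 - - [23/Nov/2008:10:00:03 -0500] "POST /registerAcct.jsp HTTP/1.1" 200 512
63.7.190.134 - - [23/Nov/2008:10:00:03 -0500] "POST /registerAcct.jsp HTTP/1.1" 200 512
10.1.2.3 - - [23/Nov/2008:10:00:04 -0500] "POST /registerAcct.jsp HTTP/1.1" 200 512
192.0.2.7 - - [23/Nov/2008:10:00:05 -0500] "POST /registerAcct.jsp HTTP/1.1" 200 512
63.7.190.134 - - [23/Nov/2008:10:00:05 -0500] "POST /registerAcct.jsp HTTP/1.1" 200 512
10.1.2.3 - - [23/Nov/2008:10:00:06 -0500] "GET /logout.jsp HTTP/1.1" 200 128
EOF

# top_talkers LOGFILE [N] [FILTER]
# Prints "count ip" for the N (default 10) busiest client IPs whose requests
# match FILTER (default $GREP_FILTER) within the last $LOG_LINES lines of LOGFILE.
# grep -F treats the filter as a fixed string, so dots in a page name are literal.
top_talkers() {
    tail -n "$LOG_LINES" "$1" \
      | grep -F -- "${3:-$GREP_FILTER}" \
      | awk '{ print $1 }' \
      | sort | uniq -c | sort -rn \
      | head -n "${2:-10}"
}

# Stand-alone run: the first line of output is the address to investigate first.
top_talkers "$SAMPLE_LOG"
```

Keeping LOG_LINES small keeps the run fast during an active incident, as the post notes; the cost of a small window is that a slow, spread-out abuser will not rise to the top, so widen it when the attack is not obviously bursty.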
All Content and Images, Copyright, 2006-2008 unless otherwise noted or attributed. All opinions are my own and do not necessarily represent the views of my employer.