I get the same result with wch1zpink’s script, which I believe arises from an inconsistent number of spaces before the IP address in the text in post 19. For example:
set lineOne to "[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Wednesday, September 22, 2021 23:33:56"
set theResult to do shell script "echo " & quoted form of lineOne & " | cut -d' ' -f7"
--> 95.217.31.46,
set lineTwo to "[DoS Attack: Xmas Tress Scan] from source: 119.90.42.87, port 52921, Wednesday, September 22, 2021 23:21:25"
set theResult to do shell script "echo " & quoted form of lineTwo & " | cut -d' ' -f7"
--> source:
The problem is masked in part by the uniq command. Also, it appears that the text in post 1 has a consistent number of spaces before the IP address, which may explain the differing results.
property stripText : " | cut -d' ' -f7 | tr -d ',' | egrep -v 'source' | sort -n | uniq"
on open of theFiles -- Handles single or multiple dropped files
repeat with aFile in theFiles
tell application "Finder" to set sourceFilePath to container of aFile as alias
set cleanedText to do shell script "cat " & ¬
quoted form of POSIX path of aFile & stripText
do shell script "echo " & quoted form of cleanedText & " >> " & ¬
quoted form of POSIX path of sourceFilePath & "Cleaned_IPs.txt"
do shell script "sort -n | uniq " & quoted form of ¬
POSIX path of sourceFilePath & "Cleaned_IPs.txt" & ¬
" | pbcopy -pboard ruler ; pbpaste -pboard ruler > " & ¬
quoted form of POSIX path of sourceFilePath & "Cleaned_IPs.txt"
end repeat
end open
I only have a passing familiarity with regex and no experience with its use with ASObjC, and I thought writing a script utilizing these might be a good learning experience. The timing test result was 65 milliseconds, which is only respectable, but the script should be reliable. The basic ASObjC regex code was from Shane’s book.
use framework "Foundation"
use scripting additions
on open theDroppedItems
set theFile to POSIX path of item 1 of theDroppedItems
set theIPFile to getFileName(theFile)
set theText to (current application's NSString's stringWithContentsOfFile:theFile encoding:(current application's NSUTF8StringEncoding) |error|:(missing value))
set theIPData to getIPData(theText)
(current application's NSString's stringWithString:theIPData)'s writeToFile:theIPFile atomically:true encoding:(current application's NSUTF8StringEncoding) |error|:(missing value)
end open
on getIPData(theText)
set regExPattern to "(\\d{1,3}\\.){3}\\d{1,3}"
set theRegEx to current application's NSRegularExpression's regularExpressionWithPattern:regExPattern options:0 |error|:(missing value)
set regExMatches to theRegEx's matchesInString:theText options:0 range:{location:0, |length|:theText's |length|()}
set ipList to {}
repeat with anItem in regExMatches
set end of ipList to (theText's substringWithRange:(anItem's range())) as text
end repeat
set ipSet to current application's NSOrderedSet's orderedSetWithArray:ipList
set ipSortedArray to ipSet's array()'s sortedArrayUsingSelector:"localizedStandardCompare:"
return ((ipSortedArray's componentsJoinedByString:linefeed) as text)
end getIPData
on getFileName(theFile)
set theFile to current application's NSString's stringWithString:theFile
set fileBase to theFile's stringByDeletingPathExtension()
set fileExtension to theFile's pathExtension()
return ((fileBase's stringByAppendingString:"_IP")'s stringByAppendingPathExtension:fileExtension)
end getFileName
property stripText : " | cut -d' ' -f7 | tr -d ',' | egrep -v 'source'"
property logFileName : "Logged IPs.txt"
on open of theFiles -- Handles single or multiple dropped files
set oldClipboard to the clipboard
repeat with aFile in theFiles
tell application "Finder" to set sourceFilePath to container of aFile as alias
set cleanedText to do shell script "cat " & ¬
quoted form of POSIX path of aFile & stripText
do shell script "echo -n " & quoted form of cleanedText & " >> " & ¬
quoted form of POSIX path of sourceFilePath & quoted form of logFileName
end repeat
set AppleScript's text item delimiters to linefeed
set theContentWords to words of ¬
(read POSIX path of sourceFilePath & logFileName) as text
set the clipboard to theContentWords
do shell script "pbpaste | sort -n | uniq > " & ¬
quoted form of POSIX path of sourceFilePath & quoted form of logFileName
set the clipboard to oldClipboard
end open
As per previous post, I’ve been on holiday. Just tried this out on:
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 23:54:51
[DoS Attack: SYN/ACK Scan] from source: 213.5.229.18, port 3306, Saturday, September 25, 2021 23:14:09
[DoS Attack: SYN/ACK Scan] from source: 23.234.229.19, port 80, Saturday, September 25, 2021 23:06:51
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 23:04:37
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 23:04:35
[DoS Attack: SYN/ACK Scan] from source: 35.186.220.63, port 80, Saturday, September 25, 2021 22:48:11
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 22:40:32
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 22:04:26
[DoS Attack: SYN/ACK Scan] from source: 104.82.149.182, port 443, Saturday, September 25, 2021 21:31:44
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 21:04:35
[DoS Attack: SYN/ACK Scan] from source: 213.186.33.2, port 443, Saturday, September 25, 2021 21:03:42
[DoS Attack: RST Scan] from source: 177.234.152.194, port 7172, Saturday, September 25, 2021 20:40:06
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 20:37:54
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 20:32:18
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 20:21:40
[DoS Attack: TCP/UDP Chargen] from source: 185.94.111.1, port 39702, Saturday, September 25, 2021 20:13:36
[DoS Attack: SYN/ACK Scan] from source: 192.124.249.107, port 443, Saturday, September 25, 2021 20:02:23
[DoS Attack: SYN/ACK Scan] from source: 198.23.200.243, port 80, Saturday, September 25, 2021 19:55:25
[DoS Attack: SYN/ACK Scan] from source: 192.124.249.107, port 443, Saturday, September 25, 2021 19:54:22
[DoS Attack: SYN/ACK Scan] from source: 23.234.229.19, port 80, Saturday, September 25, 2021 19:22:39
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 19:13:39
[DoS Attack: SYN/ACK Scan] from source: 204.74.99.100, port 80, Saturday, September 25, 2021 19:11:08
[DoS Attack: SYN/ACK Scan] from source: 192.124.249.107, port 443, Saturday, September 25, 2021 19:08:48
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 19:00:24
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 18:43:43
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 18:40:48
[DoS Attack: RST Scan] from source: 52.113.194.133, port 80, Saturday, September 25, 2021 18:38:02
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 18:36:19
[DoS Attack: SYN/ACK Scan] from source: 2.16.75.200, port 443, Saturday, September 25, 2021 18:35:17
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 18:30:39
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 18:28:35
[DoS Attack: SYN/ACK Scan] from source: 192.124.249.107, port 443, Saturday, September 25, 2021 18:21:14
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 18:13:02
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 18:07:35
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 17:58:44
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 17:44:24
[DoS Attack: ACK Scan] from source: 79.174.70.178, port 443, Saturday, September 25, 2021 17:38:10
[DoS Attack: ACK Scan] from source: 79.174.70.178, port 443, Saturday, September 25, 2021 17:26:02
[DoS Attack: SYN/ACK Scan] from source: 95.217.83.105, port 25565, Saturday, September 25, 2021 17:20:48
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 17:07:14
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 16:40:03
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 16:39:38
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 16:39:31
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 16:39:20
[DoS Attack: ACK Scan] from source: 79.174.70.178, port 443, Saturday, September 25, 2021 16:36:36
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 16:29:50
[DoS Attack: ACK Scan] from source: 45.85.218.56, port 80, Saturday, September 25, 2021 16:20:26
[DoS Attack: ACK Scan] from source: 45.85.218.56, port 80, Saturday, September 25, 2021 16:20:20
[DoS Attack: ACK Scan] from source: 79.174.70.178, port 443, Saturday, September 25, 2021 16:12:32
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 16:09:27
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 15:24:34
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 14:57:55
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 14:04:37
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 13:44:11
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 13:11:19
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 12:48:06
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 12:11:35
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 11:54:58
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 10:54:20
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 10:54:03
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 10:40:16
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 10:32:38
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 10:28:51
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 09:46:08
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 09:13:35
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 09:08:57
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 08:56:27
[DoS Attack: UDP Port Scan] from source: 103.145.13.56, port 5261, Saturday, September 25, 2021 08:36:32
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 08:29:44
[DoS Attack: SYN/ACK Scan] from source: 95.217.30.172, port 443, Saturday, September 25, 2021 08:23:29
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 08:05:04
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 07:50:01
[DoS Attack: SYN/ACK Scan] from source: 104.21.192.109, port 80, Saturday, September 25, 2021 07:48:14
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 07:16:36
[DoS Attack: TCP/UDP Chargen] from source: 184.105.139.77, port 54424, Saturday, September 25, 2021 07:05:27
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 06:59:32
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 06:52:48
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 06:42:45
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 06:37:06
[DoS Attack: RST Scan] from source: 204.79.197.222, port 80, Saturday, September 25, 2021 06:32:15
[DoS Attack: SYN/ACK Scan] from source: 204.79.197.222, port 80, Saturday, September 25, 2021 06:32:12
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 06:23:17
[DoS Attack: SYN/ACK Scan] from source: 95.217.30.172, port 443, Saturday, September 25, 2021 05:46:50
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 05:40:09
[DoS Attack: UDP Port Scan] from source: 111.40.50.89, port 17075, Saturday, September 25, 2021 05:24:32
[DoS Attack: UDP Port Scan] from source: 111.40.50.89, port 15957, Saturday, September 25, 2021 05:24:31
[DoS Attack: RST Scan] from source: 139.59.228.97, port 80, Saturday, September 25, 2021 05:14:42
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 04:57:56
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 04:33:30
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 04:05:57
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 03:30:20
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 03:23:12
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 02:40:43
[DoS Attack: SYN/ACK Scan] from source: 144.172.73.16, port 22, Saturday, September 25, 2021 01:39:05
[DoS Attack: SYN/ACK Scan] from source: 144.172.73.16, port 22, Saturday, September 25, 2021 01:36:07
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 01:31:12
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 01:24:03
[DoS Attack: SYN/ACK Scan] from source: 54.36.218.102, port 22, Saturday, September 25, 2021 01:21:43
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 01:21:37
[DoS Attack: SYN/ACK Scan] from source: 95.217.30.172, port 443, Saturday, September 25, 2021 01:17:34
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 01:13:03
[DoS Attack: SYN/ACK Scan] from source: 88.99.208.125, port 25565, Saturday, September 25, 2021 01:12:17
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 01:05:32
[DoS Attack: SYN/ACK Scan] from source: 134.255.220.82, port 30120, Saturday, September 25, 2021 00:41:11
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 00:34:05
[DoS Attack: SYN/ACK Scan] from source: 93.114.82.3, port 13901, Saturday, September 25, 2021 00:27:37
[DoS Attack: SYN/ACK Scan] from source: 185.19.216.119, port 8081, Saturday, September 25, 2021 00:26:52
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 00:24:40
[DoS Attack: SYN/ACK Scan] from source: 88.99.213.221, port 80, Saturday, September 25, 2021 00:16:35
[DoS Attack: ACK Scan] from source: 84.53.169.133, port 443, Saturday, September 25, 2021 00:11:21
[DoS Attack: RST Scan] from source: 23.148.145.7, port 44086, Friday, September 24, 2021 23:57:06
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 23:52:19
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 23:52:18
[DoS Attack: RST Scan] from source: 216.250.254.67, port 43676, Friday, September 24, 2021 23:48:08
[DoS Attack: RST Scan] from source: 23.148.145.233, port 47220, Friday, September 24, 2021 23:40:56
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Friday, September 24, 2021 23:24:19
[DoS Attack: RST Scan] from source: 216.250.254.67, port 41821, Friday, September 24, 2021 23:19:58
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 23:10:58
[DoS Attack: TCP/UDP Echo] from source: 141.212.123.208, port 45054, Friday, September 24, 2021 23:04:17
[DoS Attack: ACK Scan] from source: 146.0.16.243, port 80, Friday, September 24, 2021 22:33:16
[DoS Attack: SYN/ACK Scan] from source: 88.99.213.221, port 80, Friday, September 24, 2021 22:26:02
[DoS Attack: ACK Scan] from source: 104.96.80.41, port 443, Friday, September 24, 2021 22:22:20
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 22:13:15
[DoS Attack: SYN/ACK Scan] from source: 88.99.213.221, port 80, Friday, September 24, 2021 22:04:41
[DoS Attack: SYN/ACK Scan] from source: 95.217.30.172, port 443, Friday, September 24, 2021 22:02:10
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 21:44:54
[DoS Attack: RST Scan] from source: 45.234.96.30, port 21674, Friday, September 24, 2021 20:35:06
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Friday, September 24, 2021 20:26:29
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Friday, September 24, 2021 20:04:23
[DoS Attack: SYN/ACK Scan] from source: 46.105.114.88, port 25565, Friday, September 24, 2021 19:48:20
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 19:46:03
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 19:20:10
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 18:59:23
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 18:50:45
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 18:50:13
[DoS Attack: ACK Scan] from source: 73.4.169.252, port 9000, Friday, September 24, 2021 18:44:58
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 18:42:36
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 18:38:06
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 18:23:07
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 18:12:08
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 17:54:05
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 17:41:24
[DoS Attack: ACK Scan] from source: 104.96.80.41, port 443, Friday, September 24, 2021 17:31:45
[DoS Attack: ACK Scan] from source: 104.96.80.41, port 443, Friday, September 24, 2021 17:31:05
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 17:18:46
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 17:02:44
[DoS Attack: SYN/ACK Scan] from source: 162.241.216.182, port 443, Friday, September 24, 2021 17:00:41
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 16:55:59
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 16:41:05
[DoS Attack: ACK Scan] from source: 73.4.169.252, port 9000, Friday, September 24, 2021 16:38:34
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 16:38:02
[DoS Attack: SYN/ACK Scan] from source: 178.254.210.57, port 80, Friday, September 24, 2021 16:36:34
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 16:26:07
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Friday, September 24, 2021 15:58:49
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 15:54:37
[DoS Attack: TCP/UDP Chargen] from source: 176.126.175.215, port 58284, Friday, September 24, 2021 15:52:18
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 15:49:31
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 15:31:34
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 15:06:11
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 15:04:20
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 14:50:56
[DoS Attack: SYN/ACK Scan] from source: 167.233.9.51, port 80, Friday, September 24, 2021 14:48:54
[DoS Attack: RST Scan] from source: 34.120.67.236, port 443, Friday, September 24, 2021 14:45:21
[DoS Attack: SYN/ACK Scan] from source: 95.217.30.172, port 443, Friday, September 24, 2021 14:38:58
[DoS Attack: RST Scan] from source: 62.171.140.77, port 8000, Friday, September 24, 2021 14:37:36
[DoS Attack: ARP Attack] from source: 192.168.1.66, Friday, September 24, 2021 14:35:32
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:35:29
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:35:28
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:35:26
[DoS Attack: ARP Attack] from source: 192.168.1.66, Friday, September 24, 2021 14:35:25
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:35:24
[DoS Attack: ARP Attack] from source: 192.168.1.80, Friday, September 24, 2021 14:35:23
[DoS Attack: ARP Attack] from source: 192.168.1.71, Friday, September 24, 2021 14:35:22
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:35:19
[DoS Attack: ARP Attack] from source: 169.254.141.163, Friday, September 24, 2021 14:35:14
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:35:13
[DoS Attack: ARP Attack] from source: 192.168.1.80, Friday, September 24, 2021 14:35:12
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:35:11
[DoS Attack: ARP Attack] from source: 169.254.141.163, Friday, September 24, 2021 14:35:09
[DoS Attack: ARP Attack] from source: 192.168.1.80, Friday, September 24, 2021 14:35:08
[DoS Attack: ARP Attack] from source: 192.168.1.74, Friday, September 24, 2021 14:35:04
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:35:04
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:53
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:34:52
[DoS Attack: ARP Attack] from source: 192.168.1.200, Friday, September 24, 2021 14:34:51
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:49
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:44
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:34:43
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:32
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:31
[DoS Attack: ARP Attack] from source: 192.168.1.250, Friday, September 24, 2021 14:34:30
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:24
[DoS Attack: ARP Attack] from source: 192.168.1.3, Friday, September 24, 2021 14:34:23
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:22
[DoS Attack: ARP Attack] from source: 192.168.1.200, Friday, September 24, 2021 14:34:21
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:19
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:34:18
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:11
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:34:10
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:09
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:34:08
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:04
[DoS Attack: ARP Attack] from source: 192.168.1.67, Friday, September 24, 2021 14:34:02
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:34:01
[DoS Attack: ARP Attack] from source: 192.168.1.67, Friday, September 24, 2021 14:34:00
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:33:59
[DoS Attack: ARP Attack] from source: 192.168.1.67, Friday, September 24, 2021 14:33:56
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:33:54
[DoS Attack: ARP Attack] from source: 192.168.1.75, Friday, September 24, 2021 14:33:53
[DoS Attack: RST Scan] from source: 104.82.149.182, port 443, Friday, September 24, 2021 14:33:31
Worked great but left a stray ‘n’ on the first line of the output, i.e.
Just needed to remove the “-n” option from the “echo” command.
property stripText : " | cut -d' ' -f7 | tr -d ',' | egrep -v 'source'"
property logFileName : "Logged IPs.txt"
on open of theFiles -- Handles single or multiple dropped files
set oldClipboard to the clipboard
repeat with aFile in theFiles
tell application "Finder" to set sourceFilePath to container of aFile as alias
set cleanedText to do shell script "cat " & ¬
quoted form of POSIX path of aFile & stripText
do shell script "echo " & quoted form of cleanedText & " >> " & ¬
quoted form of POSIX path of sourceFilePath & quoted form of logFileName
end repeat
set AppleScript's text item delimiters to linefeed
set theContentWords to words of ¬
(read POSIX path of sourceFilePath & logFileName) as text
set the clipboard to theContentWords
do shell script "pbpaste | sort -n | uniq > " & ¬
quoted form of POSIX path of sourceFilePath & quoted form of logFileName
set the clipboard to oldClipboard
end open
I mentioned above that I’m learning regular expressions, so I had a look at Marc Anthony’s script for that reason. It correctly returns the IP addresses, but it appears to return every other number that contains 4 or more digits.
I rewrote the regular expression, and it seemed to work as desired. It was also the fastest of the working suggestions.
do shell script "echo " & my (read (choose file))'s quoted form & " | egrep -o '(\\d{1,3}\\.){3}\\d{1,3}' | sort -h | uniq >> " & ((path to desktop as text) & "IP.txt")'s POSIX path's quoted form
If you search for ‘regex ip address’ or stuff like that, you’ll find many pages that discuss this. While the regex used here works generally, it won’t exclude incorrect addresses (e.g. those with number sets > 255) but that doesn’t look like it would be an issue here and it is less complex than those that do incorporate that constraint.
I originally posted a correctly working regex, edited it to shorten the pattern, realized the error after supplemental testing, and changed it back shortly after. You captured the code in flux.
That’s a little surprising, as TIDs tend to be very speedy, but… woohoo! Chalk one one up for shell scripting.
I’m submitting the IP’s which are attacking and it is working well. However I’m told that some of them are duplicates of those already on the master list of IP’s. So would it be possible for the script to access another list of IPs and remove any that are already on that list?
Thanks in advance for any thoughts. Oh if it helps the preferred script I’m using is this one (as it avoids conflicts with Bitdefender):
use framework "Foundation"
use scripting additions
on open theDroppedItems
set theFile to POSIX path of item 1 of theDroppedItems
set theIPFile to getFileName(theFile)
set theText to (current application's NSString's stringWithContentsOfFile:theFile encoding:(current application's NSUTF8StringEncoding) |error|:(missing value))
set theIPData to getIPData(theText)
(current application's NSString's stringWithString:theIPData)'s writeToFile:theIPFile atomically:true encoding:(current application's NSUTF8StringEncoding) |error|:(missing value)
end open
on getIPData(theText)
set regExPattern to "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
set theRegEx to current application's NSRegularExpression's regularExpressionWithPattern:regExPattern options:0 |error|:(missing value)
set regExMatches to theRegEx's matchesInString:theText options:0 range:{location:0, |length|:theText's |length|()}
set ipList to {}
repeat with anItem in regExMatches
set end of ipList to (theText's substringWithRange:(anItem's range())) as text
end repeat
set ipSet to current application's NSOrderedSet's orderedSetWithArray:ipList
set ipSortedArray to ipSet's array()'s sortedArrayUsingSelector:"localizedStandardCompare:"
return ((ipSortedArray's componentsJoinedByString:linefeed) as text)
end getIPData
on getFileName(theFile)
set theFile to current application's NSString's stringWithString:theFile
set fileBase to theFile's stringByDeletingPathExtension()
set fileExtension to theFile's pathExtension()
return ((fileBase's stringByAppendingString:"_IP_CLEANED")'s stringByAppendingPathExtension:fileExtension)
end getFileName
To do this, you’d better write the filtering results of each text not to some new file, but to the existing properties list (.plist) of your script (application). This will change the script itself a lot. There are enough users here who can help with this. I have no time now.
Other choice is: use one persistent text file for filtering results (that is, the name and location hard-coded). When dropping the unfiltered text file on your droplet, it should firstly read contents of persistent text file into the oldIPs list variable, then append only new non-duplicate IPs to oldIPs, then sort, then write the updated list back to the persistent text file. This will change the script itself a lot as well. I have no time now.
I think I misread what the second option was. The master (deny) IP list is not maintained by myself but a third party. That list is updated weekly (if not daily) with all the IPs that need to be blocked on a Synology (or similar) NAS.
What I’m now looking to do is to download the latest incarnation of that list and then process my IP list from my Orbi router, remove the duplicates and sort it (as we do now) and then open the third party deny list and remove any IP addresses which are already in the master deny list.
That way any IPs I submit are only those that are new and need including in the master list. This way the author of the master deny list does not have to check all my submissions manually where a great number may be duplicated. As an example last week I submitted 25 IPs for blocking and all 25 it turns out were already on the list.
dbrewood. I’ve modified my script to work as you want. The script prompts for the IP deny list, which seems a bit awkward, but the actual path can be placed in the script instead. The IP deny list has to be paragraph-separated text of IP addresses only. I tested the script and it worked without issue.
use framework "Foundation"
use scripting additions
on open theDroppedItems
set theFile to POSIX path of item 1 of theDroppedItems
set theExistingFile to POSIX path of (choose file)
set theIPFile to getFileName(theFile)
set theText to (current application's NSString's stringWithContentsOfFile:theFile encoding:(current application's NSUTF8StringEncoding) |error|:(missing value))
set theExistingText to (current application's NSString's stringWithContentsOfFile:theExistingFile encoding:(current application's NSUTF8StringEncoding) |error|:(missing value))
set theIPData to getIPData(theText, theExistingText)
(current application's NSString's stringWithString:theIPData)'s writeToFile:theIPFile atomically:true encoding:(current application's NSUTF8StringEncoding) |error|:(missing value)
end open
on getIPData(theText, theExistingText)
set regExPattern to "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
set theRegEx to current application's NSRegularExpression's regularExpressionWithPattern:regExPattern options:0 |error|:(missing value)
set regExMatches to theRegEx's matchesInString:theText options:0 range:{location:0, |length|:theText's |length|()}
set ipSet to current application's NSMutableSet's new()
repeat with anItem in regExMatches
(ipSet's addObject:(theText's substringWithRange:(anItem's range())))
end repeat
set ipExistingArray to (theExistingText's componentsSeparatedByCharactersInSet:(current application's NSCharacterSet's newlineCharacterSet()))
set ipExistingSet to current application's NSSet's setWithArray:ipExistingArray
ipSet's minusSet:ipExistingSet
set ipSortedArray to ipSet's allObjects()'s sortedArrayUsingSelector:"localizedStandardCompare:"
return ((ipSortedArray's componentsJoinedByString:linefeed) as text)
end getIPData
on getFileName(theFile)
set theFile to current application's NSString's stringWithString:theFile
set fileBase to theFile's stringByDeletingPathExtension()
set fileExtension to theFile's pathExtension()
return ((fileBase's stringByAppendingString:"_IP_CLEANED")'s stringByAppendingPathExtension:fileExtension)
end getFileName
Wow! That is totally awesome and does indeed look to do what is needed. I’ll not know for sure until I run it with real data, but on test data I just threw together it looked to work perfectly!
If I do want to hard code the path for the third party deny list:
