Sophos UTM 9 - Handy CLI commands

General Commands

restart the webadmin service (httpd) - no service impact
/etc/init.d/httpd restart

change directory to the log location
cd /var/log

Funky one-liner from a Sophos engineer: for sources in 10.10.x.x, list the top 100 destination IPs the packet filter dropped, with a hit count per destination
grep srcip=\"10\.10 packetfilter.log |grep action=\"drop | grep -oP 'dstip=.*' | awk '{print $1}' | sed 's/dstip=\"//g' | sed 's/\"//g' | sort -n | uniq -c | sort -rn | head -n 100

More funky stuff from a Sophos engineer: the same source filter, but counting identical whole lines (every line carries a timestamp, so most counts will be 1)
grep srcip=\"10\.10 packetfilter.log | sort -n | uniq -c | sort -rn | head -n 10
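The two grep pipelines above depend on the field order in packetfilter.log and count whole lines. As an added example (not from the original page or from Sophos), the script below parses the key="value" fields with awk regardless of their position, keeps only action="drop" lines whose srcip starts with a given prefix, and counts any chosen field (dstip by default, but also fwrule or dstport), so it generalises the first one-liner. The log lines embedded in it are constructed samples in the same srcip="..." dstip="..." action="..." style the page's grep patterns rely on; the real log lives in /var/log/packetfilter.log.

```shell
#!/bin/sh
# Added example, not part of the original page. Counts the values of one field
# (default dstip) on packetfilter.log lines that the packet filter dropped for a
# given source prefix. Fields are parsed as key="value" pairs, so their order
# in the line does not matter.

# Constructed sample log (not real UTM output); replace with /var/log/packetfilter.log.
SAMPLE_LOG="${TMPDIR:-/tmp}/pf_sample_$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
2019:01:01-10:00:00 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="10.10.5.7" dstip="202.4.239.100" proto="6" dstport="443" tcpflags="SYN"
2019:01:01-10:00:01 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="10.10.5.8" dstip="202.4.239.100" proto="6" dstport="443" tcpflags="SYN"
2019:01:01-10:00:02 utm ulogd[1234]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="54" srcip="10.10.5.7" dstip="10.10.1.20" proto="6" dstport="22" tcpflags="SYN"
2019:01:01-10:00:03 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="10.10.9.1" dstip="8.8.8.8" proto="17" dstport="53"
2019:01:01-10:00:04 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="10.50.144.30" dstip="202.4.239.100" proto="6" dstport="443" tcpflags="SYN"
2019:01:01-10:00:05 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="10.10.5.7" dstip="202.4.239.100" proto="6" dstport="443" tcpflags="SYN"
EOF

# top_dropped LOGFILE SRC_PREFIX [FIELD] [N]
# Prints "count value" lines, most frequent first, for lines with action="drop"
# whose srcip begins with SRC_PREFIX (use a trailing dot, e.g. "10.10.", so that
# 10.100.x.x is not matched). FIELD defaults to dstip, N to 100.
top_dropped() {
    awk -v prefix="$2" -v field="${3:-dstip}" '
        {
            split("", kv)                      # reset the key/value map per line
            for (i = 1; i <= NF; i++) {
                # Only whole key="value" tokens; fragments of quoted values
                # containing spaces (name="Packet dropped") are skipped.
                if ($i ~ /^[A-Za-z_][A-Za-z_0-9]*="[^"]*"$/) {
                    eq = index($i, "=")
                    key = substr($i, 1, eq - 1)
                    kv[key] = substr($i, eq + 2, length($i) - eq - 2)
                }
            }
            if (kv["action"] == "drop" && index(kv["srcip"], prefix) == 1)
                count[kv[field]]++
        }
        END { for (v in count) print count[v], v }
    ' "$1" | sort -rn | head -n "${4:-100}"
}

# Usage: the page's first one-liner, done on the sample file.
top_dropped "$SAMPLE_LOG" 10.10.
```

Run it against the real log with top_dropped /var/log/packetfilter.log 10.10. fwrule 20 to see which rules are doing the dropping, or with dstport to see which services the blocked traffic was aimed at.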

TAIL commands - watch a log file live
tail a log, keeping lines that match one string and excluding lines that match another (here: traffic for 10.10.120.80, without the SYN packets)
tail -f packetfilter.log | grep 10.10.120.80 | grep -v "SYN"

this tails any source in the 10.10.x.x subnet going to 202.4.239.100
tail -f packetfilter.log | grep srcip=\"10\.10 | grep dstip=\"202.4.239.100

More tail examples:
tail -f http.log | grep dstip=\"202.4.239.100
tail -f packetfilter.log | grep srcip=\"10.50.144.30
tail -f http.log | grep srcip=\"10.50.144.30
tail -f packetfilter.log | grep srcip=\"192.168.45.254 | grep dstip=\"10.50.191.3
tail -f packetfilter.log | grep srcip=\"172\.17\.1\.110
tail -f packetfilter.log | grep srcip=\"10\.10 | grep dstip=\"10.10.1
tail -f packetfilter.log | grep srcip=\"10\.10 | grep dstip=\"10.10.1 | grep fwrule=\"54

tcpdump - packet capture (-s0 captures whole packets, -n skips name lookups, -i picks the interface or "any", -c stops after N packets, -w writes a pcap to disk; in the filter "and" binds tighter than "or", so the two-way examples below capture both directions)
tcpdump -s0 -ni any host 10.10.162.7 and host 52.42.172.70
tcpdump -s0 -ni any host 10.50.144.30
tcpdump -s0 -ni eth9 host 104.210.80.150 -w /var/storage/paifobjcon.pcap
tcpdump -s0 -ni lag0 src net 10.10.0.0/16 and dst net 10.10.1.0/24
tcpdump -s0 -ni lag0 src net 10.10.0.0/16 and dst net 10.10.1.0/24 or src net 10.10.1.0/24 and dst net 10.10.0.0/16 -c 10
tcpdump -s0 -ni lag0 src net 10.10.0.0/16 and dst net 10.10.1.0/24 or src net 10.10.1.0/24 and dst net 10.10.0.0/16 -c 10 -w test.pcap
tcpdump -s0 -ni lag0 src net 10.10.0.0/16 and dst net 10.10.1.0/24 or src net 10.10.1.0/24 and dst net 10.10.0.0/16 -w /var/storage/paifobjcon.pcap
