[SANS ISC] Sorting Things Out – Sorting Data by IP Address, (Fri, Oct 8th)

One thing that is huge in making sense of large volumes of data is sorting.  Which makes having good sorting tools and methods a big deal when you are working through findings in a security assessment of pentest.  Or – just as importantly – in day-to-day system administration.

I stumbled into a Twitter thread last week (as one does) about sorting by IP address, and it struck me that the lowly “sort” command has changed quite a bit since I last read the man page completely for it (back in the ‘80’s, in the Bell Labs Unix books.  And yes, they were printed on paper). 

No matter if you are in the red team or the blue team, you’re forever having to sort hostnames or IP addresses, sort findings / vulnerabilities by hostname or IP, or sort hostnames by vulnerabilities / findings.

So let’s look at sorting by IP.  For this, we can use the “-V” (or –version-sort) argument of the sort command.  This sorts things by “version”  (as in decimal separated numeric strings).  This option matches up very nicely to what you want if you are sorting by IPv4 address, which is also a series of point-separated numeric strings. Let’s find the IP’s in my lab that have SSH open, then reverse-sort them by IP address:

# nmap –p22 –open –oG ips.txt

# cat ips.txt | grep Host: | cut -d ” ” -f 2 | sort -Vr | uniq

 (thanks @flakpaket for this tidbit, this is an option that wasn’t in the paper Bell Labs Unix manuals back in the day!)

Or, what if you’ve got a list of files – for instance syslog files with IP addresses for filenames that you might want to sort?  The option for ls to sort by version is a lower case “v”.  Adding a “1” tells ls to give you the output as one line per file:

[email protected]:/syslog$ ls -v1


 (also thanks to @flakpaket, this was also new to me!)

What if you’re on an older version of Linux – or (as I am some days), you’re on an older Windows host that has GNUtils installed instead of WSL?  In that case, you can tell sort to delimit your output with a “.”, then tell it which fields to sort on (in this case, fields 1-2-3-4).  This is an oldy, and the one that’s in my personal cheat-sheet from forever ago (but mentioned by @totalclaireity in this same thread)

$ ls /syslog | sort  -r -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n

Or, since everything is in the same /24 subnet, we can just sort by the 4th octet:

$ ls /syslog | sort  -r -t . -k 4,4n

What about PowerShell?  In that same thread, @mdjxkln shows us that there’s a version option for PowerShell as well:

$ips = nmap -p22 –open | grep report |cut -d” ” -f 5

$ips |sort {[version] $_}

Or, in a bit more readable format:

$ips | sort {$_ -as [version]}

In another use case, let’s check all hosts in a domain (and yes, I did shorten this list), then sort them by IP:

$pcs = get-adcomputer -filter * -property Name,dnshostname,OperatingSystem,Operatingsystemversion,LastLogonDate,IPV4Address

PS C:Usersrobv> $pcs | Sort-Object { $_.IPV4Address -as [version]} | Select-Object name,IPV4Address
















How can you make sorting easier?  Naming Conventions is the traditional answer to that.  Naming conventions are like belly buttons – everyone has one, and everyone’s is different!    The important thing when setting one up is to keep in mind that you’ll be using tools like sort and grep (or the PowerShell / Python equivalents), find and findstr in Windows, or Excel once you start formatting your output, and work your naming convention to take advantage of that. 

Have I missed any neat sort methods that you use daily?  Or is there a more effiicient syntax for what I’ve shown in this post?  Very likely – please, use our comment section to add to these methods!


Thanks of course to @flakpaket (Jon Gorenflo) who started the twitter thread:


$ man sort  (of course)


And of course SANS SEC505: https://www.sans.org/cyber-security-courses/securing-windows-with-powershell/

Rob VandenBrink
rob <at> coherentsecurity.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[SecurityWeek] Vermont Hospital Still Calculating Cost of Ransomware Attack

All posts, Security Week

Officials at Vermont’s largest hospital are still trying to determine the full financial impact of the cyberattack last October that knocked out computers affecting three hospitals in Vermont and three in New York. read more Source: Read More (SecurityWeek RSS Feed)

Read More

[ZDNet] This chip flaw could have let malicious apps eavesdrop on Android phone users

All posts, ZDNet

MediaTek fixes several flaws that attackers can exploit without user interaction. Source: Read More (Latest topics for ZDNet in Security)

Read More

[BleepingComputer] Microsoft fixes Outlook crash issues when using Search bar

Microsoft will roll out a fix for a known issue causing Outlook for Microsoft 365 to crash on systems where users attempted using the Search bar or Search Suggestions features. […] Source: Read More (BleepingComputer)

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.