[SANS ISC] Sorting Things Out – Sorting Data by IP Address, (Fri, Oct 8th)

One thing that is huge in making sense of large volumes of data is sorting.  Which makes having good sorting tools and methods a big deal when you are working through findings in a security assessment of pentest.  Or – just as importantly – in day-to-day system administration.

I stumbled into a Twitter thread last week (as one does) about sorting by IP address, and it struck me that the lowly “sort” command has changed quite a bit since I last read the man page completely for it (back in the ‘80’s, in the Bell Labs Unix books.  And yes, they were printed on paper). 

No matter if you are in the red team or the blue team, you’re forever having to sort hostnames or IP addresses, sort findings / vulnerabilities by hostname or IP, or sort hostnames by vulnerabilities / findings.

So let’s look at sorting by IP.  For this, we can use the “-V” (or –version-sort) argument of the sort command.  This sorts things by “version”  (as in decimal separated numeric strings).  This option matches up very nicely to what you want if you are sorting by IPv4 address, which is also a series of point-separated numeric strings. Let’s find the IP’s in my lab that have SSH open, then reverse-sort them by IP address:

# nmap –p22 –open –oG ips.txt

# cat ips.txt | grep Host: | cut -d ” ” -f 2 | sort -Vr | uniq

 (thanks @flakpaket for this tidbit, this is an option that wasn’t in the paper Bell Labs Unix manuals back in the day!)

Or, what if you’ve got a list of files – for instance syslog files with IP addresses for filenames that you might want to sort?  The option for ls to sort by version is a lower case “v”.  Adding a “1” tells ls to give you the output as one line per file:

[email protected]:/syslog$ ls -v1


 (also thanks to @flakpaket, this was also new to me!)

What if you’re on an older version of Linux – or (as I am some days), you’re on an older Windows host that has GNUtils installed instead of WSL?  In that case, you can tell sort to delimit your output with a “.”, then tell it which fields to sort on (in this case, fields 1-2-3-4).  This is an oldy, and the one that’s in my personal cheat-sheet from forever ago (but mentioned by @totalclaireity in this same thread)

$ ls /syslog | sort  -r -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n

Or, since everything is in the same /24 subnet, we can just sort by the 4th octet:

$ ls /syslog | sort  -r -t . -k 4,4n

What about PowerShell?  In that same thread, @mdjxkln shows us that there’s a version option for PowerShell as well:

$ips = nmap -p22 –open | grep report |cut -d” ” -f 5

$ips |sort {[version] $_}

Or, in a bit more readable format:

$ips | sort {$_ -as [version]}

In another use case, let’s check all hosts in a domain (and yes, I did shorten this list), then sort them by IP:

$pcs = get-adcomputer -filter * -property Name,dnshostname,OperatingSystem,Operatingsystemversion,LastLogonDate,IPV4Address

PS C:Usersrobv> $pcs | Sort-Object { $_.IPV4Address -as [version]} | Select-Object name,IPV4Address
















How can you make sorting easier?  Naming Conventions is the traditional answer to that.  Naming conventions are like belly buttons – everyone has one, and everyone’s is different!    The important thing when setting one up is to keep in mind that you’ll be using tools like sort and grep (or the PowerShell / Python equivalents), find and findstr in Windows, or Excel once you start formatting your output, and work your naming convention to take advantage of that. 

Have I missed any neat sort methods that you use daily?  Or is there a more effiicient syntax for what I’ve shown in this post?  Very likely – please, use our comment section to add to these methods!


Thanks of course to @flakpaket (Jon Gorenflo) who started the twitter thread:


$ man sort  (of course)


And of course SANS SEC505: https://www.sans.org/cyber-security-courses/securing-windows-with-powershell/

Rob VandenBrink
rob <at> coherentsecurity.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[SecurityWeek] Tens of Thousands of Unpatched Fortinet VPNs Hacked via Old Security Flaw

All posts, Security Week

A threat actor has leaked online access credentials for 87,000 Fortinet VPN devices that were apparently compromised using a vulnerability identified and patched two years ago. read more Source: Read More (SecurityWeek RSS Feed)

Read More

[ESET] Android stalkerware threatens victims further and exposes snoopers themselves

All posts, ESET feed

ESET research reveals that common Android stalkerware apps are riddled with vulnerabilities that further jeopardize victims and expose the privacy and security of the snoopers themselves The post Android stalkerware threatens victims further and exposes snoopers themselves appeared first on WeLiveSecurity Source: Read More (WeLiveSecurity)

Read More

[HackerNews] Nasty macOS Malware XCSSET Now Targets Google Chrome, Telegram Software

All posts, HackerNews

A malware known for targeting macOS operating system has been updated once again to add more features to its toolset that allows it to amass and exfiltrate sensitive data stored in a variety of apps, including apps such as Google Chrome and Telegram, as part of further “refinements in its tactics.” XCSSET was uncovered in August 2020, […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.