On 11/14/2006 09:53 PM, Chris Parker wrote:

I couldn't find the answer while googling for a regexp to pull the IP
from my log files so here I am.  I am trying to get the IPs (source and
destination) along with the ports for a summary.  WFLOG doesn't cover my
firewall so I thought I'd try.  Code is as follows:

#!/usr/bin/perl
use strict;
use warnings;

while (defined(my $line = <>))
{
     # Cut newlines off
     chomp($line);
     # Pull the addresses out before the labels are stripped: after a
     # whitespace split they land in different columns depending on how
     # many words the attack name has ("Winnuke Attack" vs "Port Scan Attack")
     my ($source_ip) = $line =~ m/src_ip=(\S+)/;
     my ($dest_ip)   = $line =~ m/dst_ip=(\S+)/;
     # Take out []'s and -'s
     $line =~ s/^\[//;
     $line =~ s/\]//;
     $line =~ s/-//g;
     $line =~ s/src_ip=//g;
     $line =~ s/dst_ip=//g;

     # Separate fields
     my @parts = split(/\s+/, $line);
     # Get the date info
     my $date = $parts[0];
     # Get the time
     my $time = $parts[1];

     # Skip lines that carry no address pair at all
     next unless defined $source_ip and defined $dest_ip;

     print("*Date: $date Time: $time Source: $source_ip Destination: $dest_ip*\n");
}

Here is the data file I am working with:
__DATA__
[10/04/2006 13:18:52.63] Blocked - Port Scan Attack -
src_ip=24.123.222.53:28874 - dst_ip=00.000.160.000:1026 - UDP
[10/04/2006 02:20:24.98] Blocked - Winnuke Attack -
src_ip=61.110.173.193:1600 - dst_ip=00.000.160.000:139 - TCP


TIMTOWTDI. Season to taste:

use strict;
use warnings;
use Data::Dumper;

# One record per line, as in the log file
my $data = q{
[10/04/2006 13:18:52.63] Blocked - Port Scan Attack - src_ip=24.123.222.53:28874 - dst_ip=00.000.160.000:1026 - UDP
[10/04/2006 02:20:24.98] Blocked - Winnuke Attack - src_ip=61.110.173.193:1600 - dst_ip=00.000.160.000:139 - TCP
};

my @logs;

# Read the in-memory string line by line, exactly as a file would be read
open (my $fh, '<', \$data) or die("open failed: $!");
while (my $line = <$fh>) {
    if ($line =~ / Blocked - ([^-]+)/) {
        my $type = $1;

        # Each match in list context yields its capture group
        push @logs, [
            $type,
            $line =~ /^\[(\S+) ([^]]+)/,   # date, time
            $line =~ /src_ip=(\S+)/,       # source ip:port
            $line =~ /dst_ip=(\S+)/ ];     # destination ip:port
    }
}
close $fh;

print Dumper(\@logs);



<http://learn.perl.org/> <http://learn.perl.org/first-response>
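The original question asked for the addresses and ports "for a summary", and the split-on-whitespace approach breaks because the attack name is a variable number of words. The script below is an added example, not code from either poster: it matches the whole record with one anchored pattern (so a two-word or three-word attack name cannot shift the address columns), validates each octet numerically, and tallies blocked events per source host and per protocol/port. The sample lines are constructed in the shape of the two quoted in the thread, plus one non-record line; the record layout is assumed to be fixed as shown, and the helper names (`normalize_ip`, `parse_line`, `summarize`) are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input in the shape of the lines quoted in the thread,
# plus one line that is not a firewall record at all.
my $sample = <<'END';
[10/04/2006 13:18:52.63] Blocked - Port Scan Attack - src_ip=24.123.222.53:28874 - dst_ip=00.000.160.000:1026 - UDP
[10/04/2006 02:20:24.98] Blocked - Winnuke Attack - src_ip=61.110.173.193:1600 - dst_ip=00.000.160.000:139 - TCP
[10/04/2006 02:21:07.11] Blocked - Port Scan Attack - src_ip=24.123.222.53:28875 - dst_ip=00.000.160.000:1027 - UDP
this line is not a firewall record
END

# One anchored pattern for the whole record (assumed layout). The attack name
# is captured as a unit, so "Winnuke Attack" and "Port Scan Attack" do not
# shift the address fields the way a whitespace split does. Addresses are
# captured loosely here and validated numerically below.
my $record = qr{
    ^\[ (\S+) \s+ ([^\]]+) \]                                # 1 date, 2 time
    \s+ Blocked \s+ - \s+ (.+?) \s+ -                         # 3 attack name
    \s+ src_ip= (\d{1,3}(?:\.\d{1,3}){3}) : (\d{1,5}) \s+ -   # 4 src ip, 5 src port
    \s+ dst_ip= (\d{1,3}(?:\.\d{1,3}){3}) : (\d{1,5}) \s+ -   # 6 dst ip, 7 dst port
    \s+ (\w+) \s* $                                           # 8 protocol
}x;

# Check each octet as a number and drop leading zeros, so "00.000.160.000"
# and "0.0.160.0" count as the same host in the summary. Some address
# parsers treat a leading zero as octal, so never compare the raw strings.
sub normalize_ip {
    my ($ip) = @_;
    my @octets = split /\./, $ip, -1;
    return unless @octets == 4;
    for my $o (@octets) {
        return unless $o =~ /^\d{1,3}$/ and $o <= 255;
    }
    return join '.', map { 0 + $_ } @octets;
}

# Returns a hashref for a well-formed record, or nothing for a line that
# does not match or carries an out-of-range address or port.
sub parse_line {
    my ($line) = @_;
    chomp $line;
    my @f = $line =~ $record;
    return unless @f;
    my ($date, $time, $attack, $src, $sport, $dst, $dport, $proto) = @f;
    my $src_n = normalize_ip($src);
    my $dst_n = normalize_ip($dst);
    return unless defined $src_n and defined $dst_n;
    return if $sport > 65535 or $dport > 65535;
    return {
        date   => $date,  time     => $time,  attack => $attack,
        src_ip => $src_n, src_port => $sport,
        dst_ip => $dst_n, dst_port => $dport, proto  => $proto,
    };
}

# Two tallies: blocked events per source host, and per protocol/port hit.
sub summarize {
    my (%by_src, %by_dst_port);
    for my $r (@_) {
        $by_src{ $r->{src_ip} }++;
        $by_dst_port{ "$r->{proto}/$r->{dst_port}" }++;
    }
    return (\%by_src, \%by_dst_port);
}

my @records;
my $skipped = 0;
open my $fh, '<', \$sample or die "open failed: $!";
while (my $line = <$fh>) {
    my $r = parse_line($line);
    if ($r) { push @records, $r } else { $skipped++; warn "skipped: $line" }
}
close $fh;

my ($by_src, $by_dst_port) = summarize(@records);
for my $tally (['source host', $by_src], ['protocol/port', $by_dst_port]) {
    my ($title, $h) = @$tally;
    printf "%-16s blocked\n", $title;
    printf "%-16s %d\n", $_, $h->{$_}
        for sort { $h->{$b} <=> $h->{$a} or $a cmp $b } keys %$h;
    print "\n";
}
printf "%d records parsed, %d lines skipped\n", scalar @records, $skipped;
```

Lines that do not match the pattern are counted and reported on stderr rather than silently producing empty fields, which is what makes a summary trustworthy: a malformed or truncated record shows up as a skip count instead of as a phantom host. Swap the heredoc for `<>` to run it over real log files.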

