I found a Perl script that parses Cisco ACL logging format and I would
like to modify it to parse the IPS format that Cisco uses. I have made
changes to the expression that picks up the rule, and the script still
runs, but there isn't any useful output. Any recommendations would be
great.

Here's what the two different rules look like (one log line each; they were wrapped by the mailer):
Sep 20 08:05:05 172.16.2.1 85552: 3725router: Sep 20 12:07:42: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [84.49.67.18:0 -> 68.156.63.111:0]
Sep 20 08:05:06 172.16.2.1 85553: 3725router: Sep 20 12:07:43: %SEC-6-IPACCESSLOGP: list 104 denied udp 86.132.189.205(56281) -> 68.156.63.111(49613), 1 packet

Here's the original ACL script:
#!/usr/bin/perl
#
#
# Set behaviour
$log="/var/log/cisco.log";
$ntop=10;
#
chomp ($acl=$ARGV[0]);
if ($acl eq "") { $acl=".*"};

open(LOG , "<$log") or die;
while (<LOG>) {
 if (/IPACCESSLOGP: list $acl denied ([tcpud]+) ([0-9.]+)\(([0-9]+)\)\s*->\s*([0-9.]+)\(([0-9]+)\), ([0-9]+) /){
$x=$6;
  $srca{$2}+=$x;
  $foo=sprintf("%16s  -> %16s  %3s port %-6s",$2,$4,$1,$5);
  $moo=sprintf("%3s port %-6s",$1,$5);
  $quad{$foo}+=$x;
  $port{$moo}+=$x;
 }
}
$n=0;
printf ("Connection Summary:\n");
foreach $i (sort { $quad{$b} <=> $quad{$a} } keys %quad) {
  if ($n++ >= $ntop) { last };
  printf ("%6s:%s\n", $quad{$i},$i);
}
$n=0;
printf ("\nDestination Port Summary:\n");
foreach $i ( sort { $port{$b} <=> $port{$a} } keys %port) {
  if ($n++ >= $ntop) { last };
  printf ("%6s: %s\n", $port{$i},$i);
}
$n=0;
printf ("\nSource Address Summary:\n");
foreach $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca) {
  if ($n++ >= $ntop) { last };
  printf ("%6s: %s\n", $srca{$i},$i);
}


Here's the IPS version:
#!/usr/bin/perl
#
#
# Set behaviour
$log="/var/log/cisco.log";
$ntop=10;
#
chomp ($sig=$ARGV[0]);
if ($sig eq "") { $sig=".*"};

open(LOG , "<$log") or die;
while (<LOG>) {
 if (/SIGNATURE: Sig:$sig Subsig:$subsig Sev:$sev $message \[([0-9.]+):([0-9]+)\s*->\s*([0-9.]+)([0-9]+)\] /)
{
  $x=$6;
  $srca{$2}+=$x;
  $foo=sprintf("%16s  -> %16s  %3s port %-6s",$2,$4,$1,$5);
  $moo=sprintf("%3s port %-6s",$1,$5);
  $quad{$foo}+=$x;
  $port{$moo}+=$x;
 }
}
$n=0;
printf ("Connection Summary:\n");
foreach $i (sort { $quad{$b} <=> $quad{$a} } keys %quad) {
  if ($n++ >= $ntop) { last };
  printf ("%6s:%s\n", $quad{$i},$i);
}
$n=0;
printf ("\nDestination Port Summary:\n");
foreach $i ( sort { $port{$b} <=> $port{$a} } keys %port) {
  if ($n++ >= $ntop) { last };
  printf ("%6s: %s\n", $port{$i},$i);
}
$n=0;
printf ("\nSource Address Summary:\n");
foreach $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca) {
  if ($n++ >= $ntop) { last };
  printf ("%6s: %s\n", $srca{$i},$i);
}

Attachment: acl-scan.pl
Description: Binary data

Attachment: ips-scan.pl
Description: Binary data

-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
http://learn.perl.org/
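As an added example (not the poster's script and not from the list), here is one tally loop that handles both line formats. It differs from the posted IPS version in three places that keep that regex from ever matching: `$subsig`, `$sev` and `$message` are never assigned, so they interpolate as empty strings; the signature name ("ICMP Hard Error DoS") is free text with spaces, so it has to be captured non-greedily up to the " [" that opens the address pair; and the IPS format writes the peers as "addr:port", so a ":" is needed between the destination address and port. The IPS line also has no packet counter, so each line is counted as one event, and `$6` does not exist there. The log lines under `__DATA__` are the two from the post plus two constructed ones; the filter argument is passed through `quotemeta` so a user-supplied ACL number or signature id is matched literally rather than as a pattern.

```perl
#!/usr/bin/perl
# Added example: one parser for both the %SEC-6-IPACCESSLOGP and the
# %IPS-4-SIGNATURE line formats. Not the original poster's script; the
# log lines under __DATA__ are constructed for this example.
use strict;
use warnings;

my $ntop = 10;
# Optional filter: an ACL number or an IPS signature id. Quoted with
# quotemeta so it is matched literally; the default matches anything.
my $filter = defined $ARGV[0] && length $ARGV[0] ? quotemeta($ARGV[0]) : '.*';

# ACL line: "list 104 denied udp 86.132.189.205(56281) -> 68.156.63.111(49613), 1 packet"
# (Cisco writes "1 packet" or "N packets", hence "packets?").
my $acl_re = qr/IPACCESSLOGP: list ($filter) denied (\w+) ([\d.]+)\((\d+)\)\s*->\s*([\d.]+)\((\d+)\), (\d+) packets?/;

# IPS line: "Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [84.49.67.18:0 -> 68.156.63.111:0]"
# The signature name is free text, captured non-greedily up to " [";
# the peers are "addr:port"; there is no packet counter.
my $ips_re = qr/IPS-\d-SIGNATURE: Sig:($filter) Subsig:(\d+) Sev:(\d+) (.+?) \[([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)\]/;

# Returns a hashref with the same field set for either format, or undef
# for lines that are neither.
sub parse_line {
    my ($line) = @_;
    if ($line =~ $acl_re) {
        return { src => $3, dst => $5, dport => $6, count => $7,
                 label => sprintf("%-4s port %s", $2, $6) };
    }
    if ($line =~ $ips_re) {
        return { src => $5, dst => $7, dport => $8, count => 1,
                 label => sprintf("sig %s/%s sev %s %s", $1, $2, $3, $4) };
    }
    return;
}

my (%quad, %port, %srca);
while (my $line = <DATA>) {
    chomp $line;
    my $r = parse_line($line) or next;
    my $n = $r->{count};
    $srca{ $r->{src} } += $n;
    $quad{ sprintf("%16s  -> %16s  %s", $r->{src}, $r->{dst}, $r->{label}) } += $n;
    $port{ $r->{label} } += $n;
}

# Print the $ntop busiest keys of a tally hash, highest count first.
sub print_top {
    my ($title, $h) = @_;
    print "$title:\n";
    my $n = 0;
    for my $k (sort { $h->{$b} <=> $h->{$a} || $a cmp $b } keys %$h) {
        last if $n++ >= $ntop;
        printf "%6s: %s\n", $h->{$k}, $k;
    }
    print "\n";
}

print_top("Connection Summary",                 \%quad);
print_top("Destination Port/Signature Summary", \%port);
print_top("Source Address Summary",             \%srca);

__DATA__
Sep 20 08:05:05 172.16.2.1 85552: 3725router: Sep 20 12:07:42: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [84.49.67.18:0 -> 68.156.63.111:0]
Sep 20 08:05:06 172.16.2.1 85553: 3725router: Sep 20 12:07:43: %SEC-6-IPACCESSLOGP: list 104 denied udp 86.132.189.205(56281) -> 68.156.63.111(49613), 1 packet
Sep 20 08:05:09 172.16.2.1 85554: 3725router: Sep 20 12:07:46: %SEC-6-IPACCESSLOGP: list 104 denied tcp 86.132.189.205(4432) -> 68.156.63.111(445), 3 packets
Sep 20 08:05:11 172.16.2.1 85555: 3725router: Sep 20 12:07:48: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [84.49.67.18:0 -> 68.156.63.111:0]
```

To run it against a real file, replace `<DATA>` with a filehandle opened on /var/log/cisco.log; pass "104" or "2157" as the first argument to restrict the tally to one ACL or one signature. Running with `perl -w` on the posted IPS script would already have pointed at the problem: it warns that `$subsig`, `$sev`, `$message` and `$6` are used uninitialized.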
