Stephen Reese wrote:
> I found a Perl script that parses Cisco ACL logging format and I would
> like to modify it to parse the IPS format that Cisco uses. I have made
> changes to the expression that picks up the Rule and the script still
> runs but there isn't any useful output. Any recommendations would be
> great.
>
> Here's what the two different rules look like:
>
> Sep 20 08:05:05 172.16.2.1 85552: 3725router: Sep 20 12:07:42: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [84.49.67.18:0 -> 68.156.63.111:0]
> Sep 20 08:05:06 172.16.2.1 85553: 3725router: Sep 20 12:07:43: %SEC-6-IPACCESSLOGP: list 104 denied udp 86.132.189.205(56281) -> 68.156.63.111(49613), 1 packet
>
> Here's the original ACL script:
> #!/usr/bin/perl
use warnings;
use strict;
> #
> #
> # Set behaviour
> $log="/var/log/cisco.log";
> $ntop=10;
my $log = '/var/log/cisco.log';
my $ntop = 10;
> #
> chomp ($acl=$ARGV[0]);
> if ($acl eq "") { $acl=".*"};
my $acl = $ARGV[ 0 ] || '.*';
> open(LOG , "<$log") or die;
open LOG, '<', $log or die "Cannot open '$log' $!";
my ( %srca, %quad, %port );
> while (<LOG>) {
> if (/IPACCESSLOGP: list $acl denied ([tcpud]+) ([0-9.]+)\(([0-9]+)\)\s*->\s*([0-9.]+)\(([0-9]+)\), ([0-9]+) /){
> $x=$6;
> $srca{$2}+=$x;
> $foo=sprintf("%16s -> %16s %3s port %-6s",$2,$4,$1,$5);
> $moo=sprintf("%3s port %-6s",$1,$5);
> $quad{$foo}+=$x;
> $port{$moo}+=$x;
next unless /IPACCESSLOGP: list $acl denied ([tcpud]+) ([0-9.]+)\([0-9]+\)\s*->\s*([0-9.]+)\(([0-9]+)\), ([0-9]+) /;
$srca{ $2 } += $5;
$quad{ sprintf '%16s -> %16s %3s port %-6s', $2, $3, $1, $4 } += $5;
$port{ sprintf '%3s port %-6s', $1, $4 } += $5;
> }
> }
> $n=0;
my $n;
> printf ("Connection Summary:\n");
print "Connection Summary:\n";
> foreach $i (sort { $quad{$b} <=> $quad{$a} } keys %quad) {
foreach my $i ( sort { $quad{$b} <=> $quad{$a} } keys %quad ) {
> if ($n++ >= $ntop) { last };
> printf ("%6s:%s\n", $quad{$i},$i);
> }
> $n=0;
> printf ("\nDestination Port Summary:\n");
print "\nDestination Port Summary:\n";
> foreach $i ( sort { $port{$b} <=> $port{$a} } keys %port) {
foreach my $i ( sort { $port{$b} <=> $port{$a} } keys %port ) {
> if ($n++ >= $ntop) { last };
> printf ("%6s: %s\n", $port{$i},$i);
> }
> $n=0;
> printf ("\nSource Address Summary:\n");
print "\nSource Address Summary:\n";
> foreach $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca) {
foreach my $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca ) {
> if ($n++ >= $ntop) { last };
> printf ("%6s: %s\n", $srca{$i},$i);
> }
> Here's the IPS version:
>
> #!/usr/bin/perl
use warnings;
use strict;
> #
> #
> # Set behaviour
> $log="/var/log/cisco.log";
> $ntop=10;
my $log = '/var/log/cisco.log';
my $ntop = 10;
> #
> chomp ($sig=$ARGV[0]);
> if ($sig eq "") { $sig=".*"};
my $sig = $ARGV[ 0 ] || '.*';
> open(LOG , "<$log") or die;
open LOG, '<', $log or die "Cannot open '$log' $!";
my ( %srca, %quad, %port );
> while (<LOG>) {
> if (/SIGNATURE: Sig:$sig Subsig:$subsig Sev:$sev $message

The variables $subsig and $sev are not defined anywhere, and if you had
warnings enabled then perl would have informed you of this.

> \[([0-9.]+):([0-9]+)\s*->\s*([0-9.]+)([0-9]+)\] /)

You have four sets of capturing parentheses, so if the pattern matches
then only $1, $2, $3 and $4 will contain any data.

> {
> $x=$6;
> $srca{$2}+=$x;
> $foo=sprintf("%16s -> %16s %3s port %-6s",$2,$4,$1,$5);
> $moo=sprintf("%3s port %-6s",$1,$5);

You are using $5 and $6 but there is nothing in them.

> $quad{$foo}+=$x;
> $port{$moo}+=$x;
> }
> }
> $n=0;
> printf ("Connection Summary:\n");
print "Connection Summary:\n";
> foreach $i (sort { $quad{$b} <=> $quad{$a} } keys %quad) {
foreach my $i ( sort { $quad{$b} <=> $quad{$a} } keys %quad ) {
> if ($n++ >= $ntop) { last };
> printf ("%6s:%s\n", $quad{$i},$i);
> }
> $n=0;
> printf ("\nDestination Port Summary:\n");
print "\nDestination Port Summary:\n";
> foreach $i ( sort { $port{$b} <=> $port{$a} } keys %port) {
foreach my $i ( sort { $port{$b} <=> $port{$a} } keys %port ) {
> if ($n++ >= $ntop) { last };
> printf ("%6s: %s\n", $port{$i},$i);
> }
> $n=0;
> printf ("\nSource Address Summary:\n");
print "\nSource Address Summary:\n";
> foreach $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca) {
foreach my $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca ) {
> if ($n++ >= $ntop) { last };
> printf ("%6s: %s\n", $srca{$i},$i);
> }
John
--
Perl isn't a toolbox, but a small machine shop where you
can special-order certain sorts of tools at low cost and
in short order. -- Larry Wall
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
http://learn.perl.org/
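Editor's note, with an added example that is not part of the thread and is not Stephen's or John's code. Beyond the undefined variables John points out, the IPS pattern in the thread has two further problems: the address pair inside the brackets is `src:port -> dst:port`, but the pattern has no `:` between the destination address and its port, so `68.156.63.111:0]` can never match; and the signature name ("ICMP Hard Error DoS") is free text containing spaces, so it has to be matched lazily up to the opening bracket rather than as a single `$message` token. Both scripts also interpolate `$ARGV[0]` straight into the regex, so the argument is treated as a pattern rather than a literal ACL number or signature id. The Python below (chosen over Perl only so that it can be run and checked here; the regexes transfer unchanged) parses both line formats with named groups, compares the selector by exact string match instead of interpolating it, and builds the same three top-N summaries as the Perl script. The log lines are constructed for the example, modelled on the two lines quoted in the thread; the third, fourth and fifth lines, including signature id 9999, are invented and not real device output.

```python
"""Parse Cisco IOS ACL-deny and IPS-signature syslog lines and build the same
three top-N summaries as the Perl script in the thread (added example)."""
import re
import sys
from collections import Counter

# Constructed sample lines modelled on the two formats quoted in the thread;
# they were not captured from a real device (Sig:9999 is a made-up id).
SAMPLE_LOG = """\
Sep 20 08:05:05 172.16.2.1 85552: 3725router: Sep 20 12:07:42: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [84.49.67.18:0 -> 68.156.63.111:0]
Sep 20 08:05:06 172.16.2.1 85553: 3725router: Sep 20 12:07:43: %SEC-6-IPACCESSLOGP: list 104 denied udp 86.132.189.205(56281) -> 68.156.63.111(49613), 1 packet
Sep 20 08:05:07 172.16.2.1 85554: 3725router: Sep 20 12:07:44: %SEC-6-IPACCESSLOGP: list 104 denied tcp 86.132.189.205(44321) -> 68.156.63.111(22), 3 packets
Sep 20 08:05:08 172.16.2.1 85555: 3725router: Sep 20 12:07:45: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [84.49.67.18:0 -> 68.156.63.111:0]
Sep 20 08:05:09 172.16.2.1 85556: 3725router: Sep 20 12:07:46: %IPS-4-SIGNATURE: Sig:9999 Subsig:0 Sev:5 Example Sig Name [10.9.8.7:1234 -> 68.156.63.111:80]
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# %SEC-6-IPACCESSLOGP: list 104 denied udp 86.132.189.205(56281) -> 68.156.63.111(49613), 1 packet
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    rf"(?P<src>{IPV4})\((?P<sport>\d+)\) -> (?P<dst>{IPV4})\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [84.49.67.18:0 -> 68.156.63.111:0]
# The signature name is free text with spaces, so it is captured lazily up to
# the bracketed address pair. Note the ':' before each port inside the brackets.
IPS_RE = re.compile(
    r"%IPS-\d-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) "
    rf"\[(?P<src>{IPV4}):(?P<sport>\d+) -> (?P<dst>{IPV4}):(?P<dport>\d+)\]"
)


def parse_line(line):
    """Return a dict of fields for a recognised ACL or IPS event, else None."""
    m = ACL_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "acl"
        ev["count"] = int(ev["count"])  # "N packet(s)" from the ACL line
        return ev
    m = IPS_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "ips"
        ev["count"] = 1  # one IPS alert per line; no packet count is logged
        return ev
    return None


def summarise(lines, kind, selector=None):
    """Aggregate counts per source address, per destination port and per
    (src, dst, dport) tuple, as the Perl script does. kind is 'acl' or 'ips';
    selector is an exact ACL number or signature id, compared as a string
    rather than interpolated into the regex."""
    srca, port, quad = Counter(), Counter(), Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["kind"] != kind:
            continue
        key = ev["acl"] if kind == "acl" else ev["sig"]
        if selector is not None and key != selector:
            continue
        n = ev["count"]
        srca[ev["src"]] += n
        port[ev["dport"]] += n
        quad[(ev["src"], ev["dst"], ev["dport"])] += n
    return srca, port, quad


def report(lines, kind, selector=None, ntop=10):
    """Render the three summaries in the layout of the original script."""
    srca, port, quad = summarise(lines, kind, selector)
    out = ["Connection Summary:"]
    out += [f"{n:6d}: {s:>16} -> {d:>16} port {p:<6}"
            for (s, d, p), n in quad.most_common(ntop)]
    out.append("\nDestination Port Summary:")
    out += [f"{n:6d}: port {p}" for p, n in port.most_common(ntop)]
    out.append("\nSource Address Summary:")
    out += [f"{n:6d}: {s}" for s, n in srca.most_common(ntop)]
    return "\n".join(out)


if __name__ == "__main__":
    # usage: script.py [acl|ips] [acl-number-or-sig-id]
    kind = sys.argv[1] if len(sys.argv) > 1 else "acl"
    selector = sys.argv[2] if len(sys.argv) > 2 else None
    print(report(SAMPLE_LOG.splitlines(), kind, selector))
```

Run it against a real file by replacing `SAMPLE_LOG.splitlines()` with the lines of `/var/log/cisco.log`; ACL lines for protocols other than tcp/udp are logged under different message ids and are deliberately not matched here, the same restriction the original `[tcpud]+` imposes.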