John,

Thank you and everyone else for the insight into better Perl coding practices in the original script. I have attempted to make the changes that you recommended with negative results. I had a tough time trying to determine what to leave in, so before I move on to the new script I would like to fix the current script with the recommendations.
$ ./acl-parse.pl
Global symbol "$x" requires explicit package name at ./acl-parse.pl line 21.
Global symbol "$x" requires explicit package name at ./acl-parse.pl line 22.
Global symbol "$foo" requires explicit package name at ./acl-parse.pl line 23.
Global symbol "$moo" requires explicit package name at ./acl-parse.pl line 24.
Global symbol "$foo" requires explicit package name at ./acl-parse.pl line 25.
Global symbol "$x" requires explicit package name at ./acl-parse.pl line 25.
Global symbol "$moo" requires explicit package name at ./acl-parse.pl line 26.
Global symbol "$x" requires explicit package name at ./acl-parse.pl line 26.
Search pattern not terminated at ./acl-parse.pl line 28.

Here is what I have with the modifications, so any clarification you can provide would be great. Thanks.

#!/usr/bin/perl
#
use warnings;
use strict;
#
# Set behaviour
my $log='/var/log/cisco.log';
my $ntop=10;
#chomp ($acl=$ARGV[0]);
#if ($acl eq "") { $acl=".*"};
#chomp ( my $sig = $ARGV[0] || '.*' );
my $acl = $ARGV[ 0 ] || '.*';

open LOG, '<', $log or die "Cannot open '$log' $!";

my ( %srca, %quad, %port );

while (<LOG>) {
if (/IPACCESSLOGP: list $acl denied ([tcpud]+) ([0-9.]+)\(([0-9]+)\)
\s*->\s*([0-9.]+)\(([0-9]+)\), ([0-9]+) /){
$x=$6;
$srca{$2}+=$x;
$foo=sprintf("%16s -> %16s %3s port %-6s",$2,$4,$1,$5);
$moo=sprintf("%3s port %-6s",$1,$5);
$quad{$foo}+=$x;
$port{$moo}+=$x;

next unless /IPACCESSLOGP: list $acl denied ([tcpud]+) ([0-9.]+)\
([0-9]+\)\s*->\s*([0-9.]+)\(([0-9]+)\), ([0-9]+) \
$srca{ $2 } += $5;
$quad{ sprintf '%16s -> %16s %3s port %-6s', $2, $3, $1, $4 } += $5;
$port{ sprintf '%3s port %-6s', $1, $4 } += $5;
}
}
$n=0;
my $n;
printf "Connection Summary:\n";
foreach my $i (sort { $quad{$b} <=> $quad{$a} } keys %quad) {
if ($n++ >= $ntop) { last };
printf ("%6s:%s\n", $quad{$i},$i);
}
$n=0;
printf "\nDestination Port Summary:\n";
foreach my $i ( sort { $port{$b} <=> $port{$a} } keys %port) {
if ($n++ >= $ntop) { last };
printf ("%6s: %s\n", $port{$i},$i);
}
$n=0;
printf "\nSource Address Summary:\n";
foreach my $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca) {
if ($n++ >= $ntop) { last };
printf ("%6s: %s\n", $srca{$i},$i);
}

On Sep 20, 1:36 pm, [EMAIL PROTECTED] (John W. Krahn) wrote:
> Stephen Reese wrote:
> > I found a Perl script that parses Cisco ACL logging format and I would
> > like to modify it to parse the IPS format that Cisco uses. I have made
> > changes to the expression that picks up the Rule and the script still
> > runs but there isn't any useful output. Any recommendations would be
> > great.
> >
> > Here's what the two different rules look like:
> > Sep 20 08:05:05 172.16.2.1 85552: 3725router: Sep 20 12:07:42:
> > %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS
> > [84.49.67.18:0 -> 68.156.63.111:0]
> > Sep 20 08:05:06 172.16.2.1 85553: 3725router: Sep 20 12:07:43:
> > %SEC-6-IPACCESSLOGP: list 104 denied udp 86.132.189.205(56281) ->
> > 68.156.63.111(49613), 1 packet
> >
> > Here's the original ACL script:
> > #!/usr/bin/perl
>
> use warnings;
> use strict;
>
> > #
> > #
> > # Set behaviour
> > $log="/var/log/cisco.log";
> > $ntop=10;
>
> my $log = '/var/log/cisco.log';
> my $ntop = 10;
>
> > #
> > chomp ($acl=$ARGV[0]);
> > if ($acl eq "") { $acl=".*"};
>
> my $acl = $ARGV[ 0 ] || '.*';
>
> > open(LOG , "<$log") or die;
>
> open LOG , '<', $log or die "Cannot open '$log' $!";
>
> my ( %srca, %quad, %port );
>
> > while (<LOG>) {
> > if (/IPACCESSLOGP: list $acl denied ([tcpud]+)
> > ([0-9.]+)\(([0-9]+)\)\s*->\s*([0-9.]+)\(([0-9]+)\), ([0-9]+) /){
> > $x=$6;
> > $srca{$2}+=$x;
> > $foo=sprintf("%16s -> %16s %3s port %-6s",$2,$4,$1,$5);
> > $moo=sprintf("%3s port %-6s",$1,$5);
> > $quad{$foo}+=$x;
> > $port{$moo}+=$x;
>
> next unless /IPACCESSLOGP: list $acl denied ([tcpud]+)
> ([0-9.]+)\([0-9]+\)\s*->\s*([0-9.]+)\(([0-9]+)\), ([0-9]+) /
> $srca{ $2 } += $5;
> $quad{ sprintf '%16s -> %16s %3s port %-6s', $2, $3, $1, $4 } += $5;
> $port{ sprintf '%3s port %-6s', $1, $4 } += $5;
>
> > }
> > }
> > $n=0;
>
> my $n;
>
> > printf ("Connection Summary:\n");
>
> print "Connection Summary:\n";
>
> > foreach $i (sort { $quad{$b} <=> $quad{$a} } keys %quad) {
>
> foreach my $i ( sort { $quad{$b} <=> $quad{$a} } keys %quad ) {
>
> > if ($n++ >= $ntop) { last };
> > printf ("%6s:%s\n", $quad{$i},$i);
> > }
> > $n=0;
> > printf ("\nDestination Port Summary:\n");
>
> print "\nDestination Port Summary:\n";
>
> > foreach $i ( sort { $port{$b} <=> $port{$a} } keys %port) {
>
> foreach my $i ( sort { $port{$b} <=> $port{$a} } keys %port ) {
>
> > if ($n++ >= $ntop) { last };
> > printf ("%6s: %s\n", $port{$i},$i);
> > }
> > $n=0;
> > printf ("\nSource Address Summary:\n");
>
> print "\nSource Address Summary:\n";
>
> > foreach $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca) {
>
> foreach my $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca ) {
>
> > if ($n++ >= $ntop) { last };
> > printf ("%6s: %s\n", $srca{$i},$i);
> > }
> >
> > Here's the IPS version:
> > #!/usr/bin/perl
>
> use warnings;
> use strict;
>
> > #
> > #
> > # Set behaviour
> > $log="/var/log/cisco.log";
> > $ntop=10;
>
> my $log = '/var/log/cisco.log';
> my $ntop = 10;
>
> > #
> > chomp ($sig=$ARGV[0]);
> > if ($sig eq "") { $sig=".*"};
>
> my $sig = $ARGV[ 0 ] || '.*';
>
> > open(LOG , "<$log") or die;
>
> open LOG, '<', $log or die "Cannot open '$log' $!";
>
> my ( %srca, %quad, %port );
>
> > while (<LOG>) {
> > if (/SIGNATURE: Sig:$sig Subsig:$subsig Sev:$sev $message
>
> The variables $subsig and $sev are not defined anywhere and if you had
> warnings enabled then perl would have informed you of this.
>
> > \[([0-9.]+):([0-9]+)\s*->\s*([0-9.]+)([0-9]+)\] /)
>
> You have four sets of capturing parentheses so if the pattern matches
> then only $1, $2, $3 and $4 will contain any data.
>
> > {
> > $x=$6;
> > $srca{$2}+=$x;
> > $foo=sprintf("%16s -> %16s %3s port %-6s",$2,$4,$1,$5);
> > $moo=sprintf("%3s port %-6s",$1,$5);
>
> You are using $5 and $6 but there is nothing in them.
>
> > $quad{$foo}+=$x;
> > $port{$moo}+=$x;
> > }
> > }
> > $n=0;
> > printf ("Connection Summary:\n");
>
> print "Connection Summary:\n";
>
> > foreach $i (sort { $quad{$b} <=> $quad{$a} } keys %quad) {
>
> foreach my $i ( sort { $quad{$b} <=> $quad{$a} } keys %quad ) {
>
> > if ($n++ >= $ntop) { last };
> > printf ("%6s:%s\n", $quad{$i},$i);
> > }
> > $n=0;
> > printf ("\nDestination Port Summary:\n");
>
> print "\nDestination Port Summary:\n";
>
> > foreach $i ( sort { $port{$b} <=> $port{$a} } keys %port) {
>
> foreach my $i ( sort { $port{$b} <=> $port{$a} } keys %port ) {
>
> > if ($n++ >= $ntop) { last };
> > printf ("%6s: %s\n", $port{$i},$i);
> > }
> > $n=0;
> > printf ("\nSource Address Summary:\n");
>
> print "\nSource Address Summary:\n";
>
> > foreach $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca) {
>
> foreach my $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca ) {
>
> > if ($n++ >= $ntop) { last };
> > printf ("%6s: %s\n", $srca{$i},$i);
> > }
>
> John
> --
> Perl isn't a toolbox, but a small machine shop where you
> can special-order certain sorts of tools at low cost and
> in short order. -- Larry Wall

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
http://learn.perl.org/
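As an added example that is not part of this thread (neither Stephen's script nor John's corrections), the script below produces the same three summaries for both log formats quoted above under strict and warnings. Its sample lines are constructed from the two lines quoted in the thread plus invented variations and one unrelated syslog line; it assumes one event per line and counts an IPS signature line as a single event, since those lines carry no packet count. The patterns use the /x modifier so they can be broken across lines without losing their closing slash (the "Search pattern not terminated" error above comes from a wrapped pattern), and the ACL number or Sig id given on the command line is compared with eq after parsing rather than interpolated into the pattern, so an argument containing regex metacharacters cannot change what the pattern matches.

```perl
#!/usr/bin/perl
# Added example, not the thread's script: parse Cisco IPACCESSLOGP and
# IPS-SIGNATURE syslog lines and tally them by connection, port and source.
use strict;
use warnings;

# Constructed sample input, modelled on the two lines quoted in the thread.
# Lines 3-4 are invented variations; line 5 is unrelated syslog noise.
my @sample = (
    'Sep 20 08:05:05 172.16.2.1 85552: 3725router: Sep 20 12:07:42: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [84.49.67.18:0 -> 68.156.63.111:0]',
    'Sep 20 08:05:06 172.16.2.1 85553: 3725router: Sep 20 12:07:43: %SEC-6-IPACCESSLOGP: list 104 denied udp 86.132.189.205(56281) -> 68.156.63.111(49613), 1 packet',
    'Sep 20 08:05:09 172.16.2.1 85554: 3725router: Sep 20 12:07:46: %SEC-6-IPACCESSLOGP: list 104 denied tcp 86.132.189.205(40001) -> 68.156.63.111(22), 3 packets',
    'Sep 20 08:05:11 172.16.2.1 85555: 3725router: Sep 20 12:07:48: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [10.0.0.5:0 -> 68.156.63.111:0]',
    'Sep 20 08:05:12 172.16.2.1 85556: 3725router: Sep 20 12:07:49: %SYS-5-CONFIG_I: Configured from console by vty0',
);

# /x lets the patterns span lines and carry comments; whitespace is ignored.
my $acl_re = qr{
    IPACCESSLOGP: \s+ list \s+ (\S+) \s+ denied \s+ (\w+) \s+   # list id, protocol
    ([0-9.]+) \( (\d+) \) \s* -> \s* ([0-9.]+) \( (\d+) \)       # src(port) -> dst(port)
    , \s+ (\d+) \s+ packets?                                     # packet count
}x;

my $ips_re = qr{
    IPS-\d-SIGNATURE: \s+ Sig:(\d+) \s+ Subsig:(\d+) \s+ Sev:(\d+) \s+  # signature triple
    (.*?) \s+                                                        # free-text name
    \[ ([0-9.]+):(\d+) \s* -> \s* ([0-9.]+):(\d+) \]                  # src:port -> dst:port
}x;

# Turn one syslog line into a normalised event, or return nothing for
# lines in neither format (map flattens the empty list away).
sub parse_event {
    my ($line) = @_;
    if ( $line =~ $acl_re ) {
        return { kind => 'acl', id => $1, proto => $2, src => $3, sport => $4,
                 dst => $5, dport => $6, count => $7 };
    }
    if ( $line =~ $ips_re ) {
        # Assumption: an IPS line is one event; it reports no packet count.
        return { kind => 'ips', id => $1, subsig => $2, sev => $3, name => $4,
                 src => $5, sport => $6, dst => $7, dport => $8,
                 proto => 'ips', count => 1 };
    }
    return;
}

# Build the three count tables. The id filter is compared as a string after
# parsing instead of being interpolated into the regex, so metacharacters
# in the argument cannot widen or break the match.
sub tally {
    my ( $events, $want_id ) = @_;
    my ( %srca, %quad, %port );
    for my $e (@$events) {
        next if defined $want_id && $e->{id} ne $want_id;
        $srca{ $e->{src} } += $e->{count};
        $quad{ sprintf '%16s -> %16s %4s port %-6s', @{$e}{qw(src dst proto dport)} } += $e->{count};
        $port{ sprintf '%4s port %-6s', @{$e}{qw(proto dport)} } += $e->{count};
    }
    return ( \%srca, \%quad, \%port );
}

# Print the $ntop largest entries of one table, highest count first.
sub print_top {
    my ( $title, $counts, $ntop ) = @_;
    my @keys = sort { $counts->{$b} <=> $counts->{$a} || $a cmp $b } keys %$counts;
    splice @keys, $ntop if @keys > $ntop;
    print "$title\n";
    printf "%6d: %s\n", $counts->{$_}, $_ for @keys;
    print "\n";
}

my $ntop    = 10;
my $want_id = @ARGV ? $ARGV[0] : undef;   # ACL number or Sig id; default: all
# In real use read the lines from the log file (while (my $l = <$fh>)) instead.
my @events  = grep { defined } map { parse_event($_) } @sample;

my ( $srca, $quad, $port ) = tally( \@events, $want_id );
print_top( 'Connection Summary:',       $quad, $ntop );
print_top( 'Destination Port Summary:', $port, $ntop );
print_top( 'Source Address Summary:',   $srca, $ntop );
```

Run without arguments it summarises every parsed event; `./script 104` keeps only the ACL 104 denials and `./script 2157` only that signature. Because the IPS and ACL branches fill the same hash keys, the three summaries need no knowledge of which format a line came from, which is what the single-regex approach in the thread was struggling with.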