"kevin r" <[EMAIL PROTECTED]> writes:

> %PIX-6-106015: Deny TCP (no connection) from 1.1.1.1/80 to 2.2.2.2/2699
> flags PSH ACK on interface outside
>
> The info that I want to pull out of that line is source IP, source
> port, dest IP, dest port and flags (if any). The problem is that the
> flags can have from 0 to 6 values (SYN ACK PSH URG RST FIN). I have
> the following code that does it, but it is not very inefficient.
You also want the fact that it is denied and on which iface?

One way to do this (borrowing from a poster, John Krahn, from a few days ago) is my own method for parsing log files. You could pump the data through an s/// style action, stripping out what you don't want or replacing what you do. An example might look like this (no error checking or other finishing touches):

    cat logparse.pl

    #!/usr/local/bin/perl -w
    use strict;

    ## Assume two vars will be set from the command line:
    ## a regex and a replacement expression
    my ($regex, $repl) = (qr/@{[shift]}/, shift);

    while (<>) {
        if (/ Deny/) {
            # /ee: the first eval turns qq["$repl"] into the string "$2",
            # the second eval turns that into the captured text
            (my $output_line = $_) =~ s/$regex/qq["$repl"]/ee;
            print $output_line;
        }
    }

Run it like:

    ./logparse.pl '(^.*)(from.*[A-Z]+ [A-Z]+)(.*$)' '$2' logfile

Note that because of the single quotes, perl will see this as three cmdline arguments. The

    ($regex, $repl) = (qr/@{[shift]}/, shift);

will convert the first argument to a perl regex and store the 2nd argument in $repl. Then logfile is read. In this case it contains only the one line you posted.

    =======
    cat logfile:
    (log line wrapped from mail)

    %PIX-6-106015: Deny TCP (no connection) from 1.1.1.1/80 to\
    2.2.2.2/2699 flags PSH ACK on interface outside
    =====

The script finds lines containing Deny and then runs them through

    s/$regex/qq["$repl"]/ee

Notice how $repl is treated specially, double double-quoted, to allow it to be seen as a legitimate perl expression with `ee'.

The result of this command using this script and your log line:

    logparse.pl '(^.*)(from.*[A-Z]+ [A-Z]+)(.*$)' '$2' logfile
    from 1.1.1.1/80 to 2.2.2.2/2699flags PSH ACK

The regex (all that mess between the first pair of single quotes) was left sort of long-hand so it could be understood more easily, but I think much briefer arrangements could be done. You can adjust the regex, grouping and back reference in a million ways and get pretty much any output you want. After playing with the regex a while it gets pretty easy to quickly put down what you need to see the output you want.
One nice aspect of getting experienced with this method is that it is usable on any file.
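The s///ee trick above pulls one slice of the line out as text; the original question also asked for the fields themselves, including a flag list that may hold anywhere from zero to six tokens. The following script is an added example written for this thread, not code from either poster. It matches the whole 106015 "Deny TCP" line with one regex and captures the flags as a repeated group, so the zero-flag and six-flag cases need no special branches. The sample lines are constructed for the example (the first is the one from the post); the field names and the parse_deny helper are my own choices.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not from the original post: parse PIX 106015 "Deny TCP"
# lines into named fields. The flags group repeats a fixed alternation
# zero or more times, so 0..6 flag tokens are all handled by one pattern.
my $deny_re = qr{
    ^%PIX-\d-106015:\s+
    (?<action>Deny)\s+(?<proto>TCP)\s+\(no\ connection\)\s+
    from\s+(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})/(?<src_port>\d+)\s+
    to\s+(?<dst_ip>\d{1,3}(?:\.\d{1,3}){3})/(?<dst_port>\d+)\s+
    flags\s*(?<flags>(?:(?:SYN|ACK|PSH|URG|RST|FIN)\s*)*)
    on\s+interface\s+(?<iface>\S+)
}x;

# Returns a hashref of fields, or undef if the line is not a 106015 deny.
sub parse_deny {
    my ($line) = @_;
    return unless $line =~ $deny_re;
    my %rec = map { $_ => $+{$_} }
              qw(action proto src_ip src_port dst_ip dst_port iface);
    # split on whitespace drops the trailing blank, giving () for no flags
    $rec{flags} = [ split ' ', $+{flags} ];
    return \%rec;
}

# Constructed sample input: the poster's line, a SYN-only deny, a deny
# with no flags, and an unrelated line that must be reported as unparsed.
my @sample = (
    '%PIX-6-106015: Deny TCP (no connection) from 1.1.1.1/80 to 2.2.2.2/2699 flags PSH ACK on interface outside',
    '%PIX-6-106015: Deny TCP (no connection) from 10.0.0.5/4432 to 192.0.2.10/443 flags SYN on interface inside',
    '%PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/22 to 10.0.0.9/51022 flags on interface outside',
    '%PIX-6-302013: Built outbound TCP connection 12 for outside:192.0.2.1/80 (192.0.2.1/80) to inside:10.0.0.5/4433 (10.0.0.5/4433)',
);

my %flag_count;   # tally of flag combinations seen per source IP
for my $line (@sample) {
    my $r = parse_deny($line);
    if (!$r) {
        print "unparsed: $line\n";
        next;
    }
    my $flags = @{ $r->{flags} } ? join(' ', @{ $r->{flags} }) : '(none)';
    printf "%s %s %s:%s -> %s:%s flags=%s iface=%s\n",
        $r->{action}, $r->{proto},
        $r->{src_ip}, $r->{src_port}, $r->{dst_ip}, $r->{dst_port},
        $flags, $r->{iface};
    $flag_count{ $r->{src_ip} }{$flags}++;
}

# Summary: which flag combinations each source has been denied with.
for my $ip (sort keys %flag_count) {
    for my $flags (sort keys %{ $flag_count{$ip} }) {
        printf "%-16s %-10s %d\n", $ip, $flags, $flag_count{$ip}{$flags};
    }
}
```

Because the regex is anchored to the message ID, a line for any other PIX message falls through to "unparsed" instead of producing a half-filled record; if you feed it syslog output with a timestamp and host prefix, drop the leading `^` or prepend `.*?` to the pattern.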