On Wed, 2003-08-27 at 14:29, Akens, Anthony wrote:
> Hello all,
> 
> Just wanted to look into a "for fun" project, after a
> recent project that wasn't much fun at all...  Our
> organization got hit by the blaster worm, which hit
> many, many windows boxes.  The *nix boxes (which I
> manage) were of course unaffected, except by the
> total lack of bandwidth available to them.  Except for
> one.  We have the syslog on our PIX firewall forward
> on to one of my boxes, so I have an interesting, detailed
> log of how the blaster worm spread on our network.
> 
> So much for the history, now on to some ideas...  I
> thought it would be interesting to plot two things -
> 1) How many hits per minute, and 2) Total compromised
> systems over time.
> 
> I thought of perl immediately as a good tool to break
> this rather large file down, but being a newbie I'm
> not sure how to begin.  The format of each line is
> as follows (IPs changed to protect the lazy):
> 
> Aug 20 16:57:28 pix %PIX-3-106011: Deny inbound (No xlate) 
> icmp src inside:10.0.0.10 dst inside:10.1.1.23 (type 8, code 0)
> 
> 
> For the first bit I know I would need to just create a counter
> for each minute, probably using a regex to increment the counter?
> 
> For the second I would need to count the source machine IPs, and
> use a hash(?) to keep track of them, and when each first appears
> in the logs, then plot that over time?

Tony,

Well, my recommendation is the GD::Graph module (look for it on CPAN).
It's a pretty good module once you get everything working behind the
scenes (check the pod docs for info on setting it up).

If you're graphing over time, you'll need to collect the data and store
it in another source (files, database, etc).

Use GD::Graph to put the calculated data into arrays/hashes and it will
build graphs and charts out of it.  It handles all the different types
of charts and graphs (line, pie, bar, etc.).

Hope this helps,
Kevin

> 
> Can anyone give me some ideas where to start?  This worm spread
> incredibly fast in our network, should be interesting to see it
> charted.
> 
> Tony
-- 
K Old <[EMAIL PROTECTED]>
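Added example, not part of the thread above: a core-Perl script that does the two pieces of bookkeeping Tony describes (a per-minute hit counter keyed by a regex match on the timestamp, and a hash of source IPs recording the minute each one first appears) and prints a tab-separated table that can be fed to GD::Graph or any other plotter. The log lines are constructed to match the format quoted in the thread (the quoted line is wrapped by the mailer; in the syslog file it is one line), and the IPs are made up. It assumes the log is in chronological order, since minutes are emitted in the order they are first seen.

```perl
#!/usr/bin/perl
# Added example (not from the list thread): parse PIX syslog "Deny inbound"
# lines, count hits per minute, and track the cumulative number of distinct
# source hosts by the minute each one first appears.
use strict;
use warnings;

# Constructed sample lines in the format quoted in the thread (IPs are made up).
# In real use, read from the syslog file: while (my $line = <$fh>) { ... }
my @sample = (
    'Aug 20 16:57:28 pix %PIX-3-106011: Deny inbound (No xlate) icmp src inside:10.0.0.10 dst inside:10.1.1.23 (type 8, code 0)',
    'Aug 20 16:57:41 pix %PIX-3-106011: Deny inbound (No xlate) icmp src inside:10.0.0.10 dst inside:10.1.1.24 (type 8, code 0)',
    'Aug 20 16:58:02 pix %PIX-3-106011: Deny inbound (No xlate) icmp src inside:10.0.0.11 dst inside:10.1.1.25 (type 8, code 0)',
    'Aug 20 16:58:05 pix %PIX-3-106011: Deny inbound (No xlate) icmp src inside:10.0.0.10 dst inside:10.1.1.26 (type 8, code 0)',
    'Aug 20 17:00:15 pix %PIX-3-106011: Deny inbound (No xlate) icmp src inside:10.0.0.12 dst inside:10.1.1.27 (type 8, code 0)',
    'Aug 20 17:00:16 pix %PIX-3-106012: some other message we ignore',
);

# Capture the timestamp down to the minute ($1) and the source IP ($2).
# Only message id 106011 (the "Deny inbound (No xlate)" lines) is counted.
my $line_re = qr/^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}):\d{2}\s+\S+\s+%PIX-\d-106011:.*?\bsrc\s+\w+:(\d{1,3}(?:\.\d{1,3}){3})/;

sub parse_lines {
    my @lines = @_;
    my %hits_per_minute;   # "Aug 20 16:57" => number of matching lines
    my %first_seen;        # source IP => minute it first appeared
    my @minutes;           # minutes in order of first appearance (log assumed chronological)

    for my $line (@lines) {
        next unless $line =~ $line_re;
        my ($minute, $src) = ($1, $2);
        push @minutes, $minute unless exists $hits_per_minute{$minute};
        $hits_per_minute{$minute}++;
        $first_seen{$src} = $minute unless exists $first_seen{$src};
    }

    # Number of sources that first appeared in each minute, then a running total.
    my %new_sources_in_minute;
    $new_sources_in_minute{$_}++ for values %first_seen;
    my %cumulative;
    my $running = 0;
    for my $m (@minutes) {
        $running += $new_sources_in_minute{$m} || 0;
        $cumulative{$m} = $running;
    }
    return (\@minutes, \%hits_per_minute, \%cumulative);
}

my ($minutes, $hits, $cumulative) = parse_lines(@sample);
print "minute\thits\tdistinct_sources_so_far\n";
for my $m (@$minutes) {
    print join("\t", $m, $hits->{$m}, $cumulative->{$m}), "\n";
}
```

With the sample input this prints three rows (16:57 with 2 hits and 1 source, 16:58 with 2 hits and 2 sources, 17:00 with 1 hit and 3 sources). Minutes with no denied traffic do not appear at all, so for a plot with an even time axis you would want to fill in the gaps with zero hits and the previous cumulative value. The two arrays GD::Graph wants (x labels and y values) fall straight out of the returned structures: `@$minutes` for the labels and `map { $hits->{$_} } @$minutes` or `map { $cumulative->{$_} } @$minutes` for the series.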

