Chris Parker wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I couldn't find the answer while googling for a regexp to pull the IP
from my log files so here I am.  I am trying to get the IPs (source and
destination) along with the ports for a summary.  WFLOG doesn't cover my
firewall so I thought I'd try.  Code is as follows:

#!/perl

while(defined($line = <>))
{
     # Cut newlines off
     chomp($line);
     #take out []- and -'s
     $line =~ s/^\[//;

     $line =~ s/\]//;
     $line =~ s/-//g;
     $line =~ s/src_ip=//g;
     $line =~ s/dst_ip=//g;

     #print("matched = $&\n");
     # Separate fields
     @parts = split(/\s+/, $line);
     # Get the date info
     $date = $parts[0];
     # Get the time
     $time = $parts[1];
     # Blocks stripper
     #$parts =~ s/Blocked \w+ \w+ \w+ Attack//;
     # Source IP
     $source_ip =~ m/^([01]?\d\d|2[0-4]\d|25[0-5])\.([01]?\d\d|2[0-4]\d|25[0-5])\.([01]?\d\d|2[0-4]\d|25[0-5])\.([01]?\d\d|2[0-4]\d|25[0-5])$/;
     #
     #(?:1\d?\d?|2(?:[0-4]\d?|[6789]|5[0-5]?)?|[3-9]\d?|0)/;
     #$source_ip = $parts[6];
     # Destination IP
     $dest_ip = $parts[7];


     print("*Date: $date Time: $time Source: $source_ip Destination: $dest_ip*\n");
}

Here listed is data file I am working with:
__DATA__
[10/04/2006 13:18:52.63] Blocked - Port Scan Attack - src_ip=24.123.222.53:28874 - dst_ip=00.000.160.000:1026 - UDP
[10/04/2006 02:20:24.98] Blocked - Winnuke Attack - src_ip=61.110.173.193:1600 - dst_ip=00.000.160.000:139 - TCP

Hi Chris

Is this what you want? You seem to be deleting a lot of stuff out of the records
and I'm not clear whether you needed to do that for other reasons. Also, the port
numbers are missing from the IP addresses. If you want them in just add a colon to
the relevant character classes.

HTH,

Rob



use strict;
use warnings;

while (defined(my $line = <DATA>)) {

 my ($date, $time) = $line =~ /([0-9\/]+)\s+([0-9:.]+)/;
 my ($source_ip) = $line =~ /src_ip=([\d.]+)/;
 my ($dest_ip) = $line =~ /dst_ip=([\d.]+)/;

 print("*Date: $date Time: $time Source: $source_ip Destination: $dest_ip*\n");
}

__DATA__
[10/04/2006 13:18:52.63] Blocked - Port Scan Attack - src_ip=24.123.222.53:28874 - dst_ip=00.000.160.000:1026 - UDP
[10/04/2006 02:20:24.98] Blocked - Winnuke Attack - src_ip=61.110.173.193:1600 - dst_ip=00.000.160.000:139 - TCP


**OUTPUT

*Date: 10/04/2006 Time: 13:18:52.63 Source: 24.123.222.53 Destination: 00.000.160.000*
*Date: 10/04/2006 Time: 02:20:24.98 Source: 61.110.173.193 Destination: 00.000.160.000*
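As an added example (not code from either post in the thread), here is Rob's approach extended the way his note suggests: the character classes keep the port after the colon, lines that don't carry the expected fields are skipped and counted instead of printing undefined values, and the records are tallied into the per-source and per-port summary Chris asked for. The parse_line helper and its field names are hypothetical; the __DATA__ block reuses the two lines from the thread plus a constructed duplicate and a constructed non-matching line.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not from the thread): parse one firewall log line
# into a hash ref. Returns an empty list when the line lacks the fields
# we expect, so the caller can skip and count it rather than print undef.
sub parse_line {
    my ($line) = @_;
    chomp $line;
    my %rec;
    # Date and time sit inside the leading brackets.
    @rec{qw(date time)} = $line =~ /^\[([0-9\/]+)\s+([0-9:.]+)\]/ or return;
    # Dotted quad, then the colon and port Rob mentioned.
    @rec{qw(src_ip src_port)} = $line =~ /src_ip=([\d.]+):(\d+)/ or return;
    @rec{qw(dst_ip dst_port)} = $line =~ /dst_ip=([\d.]+):(\d+)/ or return;
    # Block reason and protocol are optional; default them if absent.
    ($rec{reason}) = $line =~ /Blocked - (.*?) - src_ip=/;
    ($rec{proto})  = $line =~ /\b(TCP|UDP|ICMP)\s*$/;
    $rec{reason} = 'UNKNOWN' unless defined $rec{reason};
    $rec{proto}  = 'UNKNOWN' unless defined $rec{proto};
    return \%rec;
}

my (%by_source, %by_dst_port, $skipped);
while (my $line = <DATA>) {
    my $rec = parse_line($line);
    unless ($rec) { $skipped++; next; }
    printf "*Date: %s Time: %s Source: %s:%s Destination: %s:%s (%s, %s)*\n",
        @$rec{qw(date time src_ip src_port dst_ip dst_port proto reason)};
    $by_source{ $rec->{src_ip} }++;
    $by_dst_port{ "$rec->{proto}/$rec->{dst_port}" }++;
}

# Summary: busiest sources first, then destination ports.
print "\nBlocked events by source IP:\n";
printf "  %-16s %d\n", $_, $by_source{$_}
    for sort { $by_source{$b} <=> $by_source{$a} } keys %by_source;
print "Blocked events by destination port:\n";
printf "  %-10s %d\n", $_, $by_dst_port{$_} for sort keys %by_dst_port;
print "Lines skipped (unparsed): ", $skipped || 0, "\n";

__DATA__
[10/04/2006 13:18:52.63] Blocked - Port Scan Attack - src_ip=24.123.222.53:28874 - dst_ip=00.000.160.000:1026 - UDP
[10/04/2006 02:20:24.98] Blocked - Winnuke Attack - src_ip=61.110.173.193:1600 - dst_ip=00.000.160.000:139 - TCP
[10/04/2006 02:21:07.11] Blocked - Winnuke Attack - src_ip=61.110.173.193:1601 - dst_ip=00.000.160.000:139 - TCP
Firewall started
```

The `or return` after each list assignment works because a list assignment in boolean context yields the number of values on its right-hand side, which is zero when the match fails; that is what keeps a wrapped or truncated record from reaching the print with undefined fields.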
