-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mumia W. wrote:
> On 11/14/2006 09:53 PM, Chris Parker wrote:
>>
>> I couldn't find the answer while googling for a regexp to pull the IP
>> from my log files so here I am. I am trying to get the IPs (source and
>> destination) along with the ports for a summary. WFLOG doesn't cover my
>> firewall so I thought I'd try. Code is as follows:
>>
>> #!/perl
>>
>> while(defined($line = <>))
>> {
>> # Cut newlines off
>> chomp($line);
>> #take out []- and -'s
>> $line =~ s/^\[//;
>>
>> $line =~ s/\]//;
>> $line =~ s/-//g;
>> $line =~ s/src_ip=//g;
>> $line =~ s/dst_ip=//g;
>>
>> #print("matched = $&\n");
>> # Separate fields
>> @parts = split(/\s+/, $line);
>> # Get the date info
>> $date = $parts[0];
>> # Get the time
>> $time = $parts[1];
>> # Blocks stripper
>> #$parts =~ s/Blocked \w+ \w+ \w+ Attack//;
>> # Source IP
>> $source_ip =~
>> m/^([01]?\d\d|2[0-4]\d|25[0-5])\.([01]?\d\d|2[0-4]\d|25[0-5])\.
>> ([01]?\d\d|2[0-4]\d|25[0-5])\.([01]?\d\d|2[0-4]\d|25[0-5])$/;
>> #
>> #(?:1\d?\d?|2(?:[0-4]\d?|[6789]|5[0-5]?)?|[3-9]\d?|0)/;
>> #$source_ip = $parts[6];
>> # Destination IP
>> $dest_ip = $parts[7];
>>
>>
>> print("*Date: $date Time: $time Source: $source_ip Destination:
>> $dest_ip*\n");
>> }
>>
>> Here listed is data file I am working with:
>> __DATA__
>> [10/04/2006 13:18:52.63] Blocked - Port Scan Attack -
>> src_ip=24.123.222.53:28874 - dst_ip=00.000.160.000:1026 - UDP
>> [10/04/2006 02:20:24.98] Blocked - Winnuke Attack -
>> src_ip=61.110.173.193:1600 - dst_ip=00.000.160.000:139 - TCP
>>
>
> TIMTOWTDI. Season to taste:
>
> use Data::Dumper;
> use strict;
> use warnings;
> my $data = q{
> [10/04/2006 13:18:52.63] Blocked - Port Scan Attack -
> src_ip=24.123.222.53:28874 - dst_ip=00.000.160.000:1026 - UDP
> [10/04/2006 02:20:24.98] Blocked - Winnuke Attack -
> src_ip=61.110.173.193:1600 - dst_ip=00.000.160.000:139 - TCP
> };
>
> my @logs;
>
> open (my $fh, '<', \$data) or die("open failed: $!");
> while (my $line = <$fh>) {
> if ($line =~ / Blocked - ([^-]+)/) {
> my $type = $1;
>
> push @logs, [
> $type,
> $line =~ /^\[(\S+) ([^]]+)/,
> $line =~ /src_ip=(\S+)/,
> $line =~ /dst_ip=(\S+)/ ];
> }
> }
> close $fh;
>
> print Dumper(\@logs);
>
Thanks a lot. I'll try these out shortly.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFWwXOVz91Ftd3lBkRAnvGAJ93saVepgM6DsxO568vPDpkcFEacQCfTkof
TfN6TRoyUt74+Oa8uC825Ng=
=mfBW
-----END PGP SIGNATURE-----
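An added example, not code from either poster in this thread: the script below parses one blocked event per line (assuming the real log keeps each event on a single line and that the mail client wrapped the samples quoted above), pulls out both addresses and both ports, and prints a per-source and per-attack-type summary. The octets are checked numerically rather than with the quoted `[01]?\d\d|2[0-4]\d|25[0-5]` alternation, which needs at least two digits per octet and so never matches an address like 10.0.0.1, while a strict pattern would reject the zero-padded `00.000.160.000` in the sample data. The third and fourth `__DATA__` lines are constructed: one repeats a source to show the counting, the other carries an out-of-range octet so the rejection path is exercised.

```perl
#!/usr/bin/perl
# Added example for the thread above (not either poster's code).
use strict;
use warnings;

# One dotted quad: 1..3 digits per octet; the numeric range is checked in
# valid_ipv4() so zero-padded octets like "000" pass and "300" does not.
my $ip_re = qr/(\d{1,3}(?:\.\d{1,3}){3})/;

# Returns 1 if the string is four octets, each 0..255, else 0.
sub valid_ipv4 {
    my ($ip) = @_;
    my @octets = split /\./, $ip;
    return 0 unless @octets == 4;
    for my $o (@octets) {
        return 0 unless $o =~ /^\d{1,3}$/ && $o <= 255;
    }
    return 1;
}

# Parse one "Blocked" line into a hashref; returns undef when the line does
# not have the expected layout or carries an invalid address or port.
sub parse_line {
    my ($line) = @_;
    chomp $line;
    my ($date, $time, $type, $src, $sport, $dst, $dport, $proto) = $line =~
        m{^\[(\S+)\s+(\S+)\]\s+Blocked\s+-\s+(.+?)\s+-\s+
          src_ip=${ip_re}:(\d+)\s+-\s+dst_ip=${ip_re}:(\d+)\s+-\s+(\w+)\s*$}x
        or return;
    return unless valid_ipv4($src) && valid_ipv4($dst);
    return unless $sport <= 65535 && $dport <= 65535;
    return {
        date   => $date,  time     => $time,  type     => $type,
        src_ip => $src,   src_port => $sport,
        dst_ip => $dst,   dst_port => $dport, proto    => $proto,
    };
}

my (%by_src, %by_type, @bad);
while (my $line = <DATA>) {
    next if $line =~ /^\s*$/;
    my $rec = parse_line($line);
    if (!$rec) { push @bad, $line; next; }    # keep rejects for review
    $by_src{ $rec->{src_ip} }{"$rec->{proto}/$rec->{dst_port}"}++;
    $by_type{ $rec->{type} }++;
    printf "%s %s  %-16s %-21s -> %-21s %s\n",
        @{$rec}{qw(date time type)},
        "$rec->{src_ip}:$rec->{src_port}",
        "$rec->{dst_ip}:$rec->{dst_port}",
        $rec->{proto};
}

print "\nBlocked by source (proto/dst_port):\n";
for my $src (sort keys %by_src) {
    for my $target (sort keys %{ $by_src{$src} }) {
        printf "  %-16s %-10s %d\n", $src, $target, $by_src{$src}{$target};
    }
}
print "\nBlocked by type:\n";
printf "  %-20s %d\n", $_, $by_type{$_} for sort keys %by_type;
print "\nUnparsed or invalid lines: ", scalar @bad, "\n";
print "  $_" for @bad;

# Constructed sample data: the first two events are the ones quoted in the
# thread (unwrapped); the third repeats a source, the fourth is invalid.
__DATA__
[10/04/2006 13:18:52.63] Blocked - Port Scan Attack - src_ip=24.123.222.53:28874 - dst_ip=00.000.160.000:1026 - UDP
[10/04/2006 02:20:24.98] Blocked - Winnuke Attack - src_ip=61.110.173.193:1600 - dst_ip=00.000.160.000:139 - TCP
[10/04/2006 02:21:03.11] Blocked - Port Scan Attack - src_ip=24.123.222.53:28875 - dst_ip=00.000.160.000:1027 - UDP
[10/04/2006 02:22:10.00] Blocked - Port Scan Attack - src_ip=300.1.1.1:5 - dst_ip=00.000.160.000:80 - TCP
```

Run it with `perl summary.pl` to see the per-event lines, the two summaries, and the single rejected line; to use it on a real log, replace `<DATA>` with `<>` and feed the file on the command line. Lines that do not parse are kept and printed rather than silently dropped, so a change in the firewall's log format shows up as a growing reject count instead of a quietly empty summary.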
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<http://learn.perl.org/> <http://learn.perl.org/first-response>