I am working on modifying a script that previously parsed Cisco ACL's and changing it to parse IPS information.
Here is an example of the two log formats. Sep 19 15:44:29 172.16.2.1 59800: 3725router: Sep 19 19:44:39: %SEC-6- IPACCESSLOGP: list 104 denied udp 93.144.187.255(13157) -> 68.156.63.111(49615), 1 packet Sep 19 15:44:29 172.16.2.1 59801: 3725router: Sep 19 19:44:40: %IPS-4- SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [194.255.113.170:59920 -> 68.156.63.111:49615] Here is the original script: http://www.experts-exchange.com/Programming/Languages/Scripting/Perl/Q_23747803.html Here is what I have been able to come up with. It runs but of course there is no output. Any hints about where I should go next to debug would be great. Thanks. #!/usr/bin/perl # # # Set behaviour $log="/var/log/cisco.log"; $ntop=10; # chomp ($sig=$ARGV[0]); if ($sig eq "") { $sig=".*"}; open(LOG , "<$log") or die; while (<LOG>) { if (/SIGNATURE: Sig:$sig Subsig:$subsig Sev:$sev $message \[([0-9.]+): ([0-9]+)\s*->\s*([0-9.]+)([0-9]+)\] /) { $x=$6; $srca{$2}+=$x; $foo=sprintf("%16s -> %16s %3s port %-6s",$2,$4,$1,$5); $moo=sprintf("%3s port %-6s",$1,$5); $quad{$foo}+=$x; $port{$moo}+=$x; } } $n=0; printf ("Connection Summary:\n"); foreach $i (sort { $quad{$b} <=> $quad{$a} } keys %quad) { if ($n++ >= $ntop) { last }; printf ("%6s:%s\n", $quad{$i},$i); } $n=0; printf ("\nDestination Port Summary:\n"); foreach $i ( sort { $port{$b} <=> $port{$a} } keys %port) { if ($n++ >= $ntop) { last }; printf ("%6s: %s\n", $port{$i},$i); } $n=0; printf ("\nSource Address Summary:\n"); foreach $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca) { if ($n++ >= $ntop) { last }; printf ("%6s: %s\n", $srca{$i},$i); } -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] http://learn.perl.org/
