Here's another way to parse the socket lines:
my ($prot,$recv_q,$send_q,$laddr,$lport,$eaddr,$eport,$status,$syn) =
map {split ':'} split " ";
You could also take another approach to forking the netstat process. Use magical open to make netstat's STDOUT pipe to a handle in the parent, and process the lines as you read them:
open NETSTAT, '-|', '/bin/netstat', '-na' or die $!;
while (<NETSTAT>) {
next if /^Active/ or /^\s+Proto/ or /^$/;
my @sockdata = map {split ':'} split " ";
print "$/Warning: SYN! I think we're being SYN'ed$/$/"
if $sockdata[7] =~ /syn/i;
printf "Local: %s:%s - External: %s:%s - %s$/", @sockdata[3..7];
}
You could keep the SYN matches, and recheck after a little sleep to verify SYN flood attacks.
Update: Corrected code to match my netstat output.
After Compline,
Zaxo