#!/usr/bin/perl -w
use strict;

# Set variables
my $today=`date +%d%b%y`;
chomp($today);
my $reportfile = "/exported/analysis/$today.logsum";
my $topten = 0;
my $logfile = "/exported/$today.elog"; 
my @ips;
my $from_addr="Root<root\@mydomain.com>";
my $to_addr="IS Security<Security\@mydomain.com";

# Open up the fwlogsum report and store all of the top ten ip addresses into the array @ips
open REPORT, "$reportfile" or die "Can't open FWLOGSUM File: $!\n";
while (<REPORT>){
  chomp;
  $topten = 1 if m!^Users/Source Addresses!;
  next unless $topten;
  push @ips, [split /\s+/] if /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/;
}
close REPORT;

# Pull out the first ip address and assign it to the variable $ip
my $ip1 = qr/\b$ips[0][0]\b/o;
my @fwlog1;

# Open up the firewall log file and match the ip address and store the results into the array @fwlog1
open LOG, "$logfile" or die "Can't open $logfile: $!\n";
while (<LOG>){
  if ($_ =~ $ip1){
      push (@fwlog1, $_); 
 } #end if
} #end while
close LOG;

# Splice the array @fwlog1 and take only the first 15 entries to be included in the email as "evidence"
# Also substitute any firewall ip addresses for x's for add protection
splice(@fwlog1, 15);
foreach (@fwlog1){ 
s/192\.168\.13\.2/x.x.x.x/;
s/192\.168\.2\.2/x.x.x.x/;
s/192\.168\.214\.46/x.x.x.x/;
s/192\.168\.148\.2/x.x.x.x/;
}

# Open sendmail and send Flagged Activity email to the Security Team for review.
open(SENDMAIL, "|/usr/lib/sendmail -oi -t")
                      or die "Can't fork for sendmail: $!\n";

print SENDMAIL <<EOM;
From: $from_addr
To: $to_addr
Subject: Flagged Activity from $ips[0][0]
System Administrator,

Hello. I am the Network Security Manager from ACME Inc. While I was scanning our firewall logs 
I discovered an ip from your registered network was trying to gain access to APC's 
network. Could you please look into this for me and provide a reason why a computer on 
your network would be trying to gain access to our network. 

Here are the details:

Source IP Address: $ips[0][0]
Number of times: $ips[0][1]
		
Sample from the firewall logs (*note date/time are Eastern Daylight Time -4 GMT):

@fwlog1

Thank You,
Security Team
ACME Inc.

EOM
close(SENDMAIL) or warn "sendmail didn't close nicely";


# IP2
my $ip2 = qr/\b$ips[1][0]\b/o;
my @fwlog2;

--------Repeats the while loop, splice, and email 9 more times for each ip addresses-------------