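# File-scoped state shared by check() and evidence().  Declared before
# either sub so both close over the SAME lexicals: in the original the
# `my` sat between the two subs, so evidence() (compiled before the
# declaration) referred to different variables than check() did and
# never saw the lines check() had collected.
#   @data   - log lines mentioning $ip, filled by check()
#   @fwlog  - the subset of @data kept as evidence, filled by evidence()
#   $ip     - the address currently under review
#   $times  - second element of the @ips entry; stored here but not read
#             in this block (whois()/misconfig(), not visible here, may
#             use it)
#   $result - not used in this block; kept for code later in the file
my (@data, @fwlog, $ip, $times, $result);

# evidence() stops after this many matching 'drop' lines.  The original
# header comment said 15 but the code stopped at 16; the code's value
# is kept.
my $MAX_EVIDENCE_LINES = 16;

# At or above this many lines to the same top destination/service the
# traffic is treated as a misconfiguration rather than something to
# look up (was the literal 75 in the original).
my $MISCONFIG_THRESHOLD = 75;

# TODO: the head of the file is not shown here; if it lacks
# `use strict; use warnings;` add them there.  This block introduces no
# new undeclared names beyond those the original already used
# ($outfile, @ips, duplicates(), misconfig(), whois()).

######################################################################
# _ip_pattern: Regex for the address in $ip.  \Q...\E makes the dots
# literal (the original interpolated $ip raw, so "." matched any
# character), and the look-arounds stop 10.1.1.1 from matching inside
# 10.1.1.10 or 110.1.1.1.  Returns undef when $ip is unset or empty,
# which the original turned into an empty pattern (which Perl treats as
# "the last successful pattern", i.e. unpredictable).
######################################################################
sub _ip_pattern {
    return unless defined $ip && length $ip;
    return qr/(?<![\w.])\Q$ip\E(?![\w.])/;
}

######################################################################
# _looks_like_rule_zero: The original skipped "rule 0" lines by
# matching a standalone 0 anywhere on the line.  That test is kept as
# it was, because which ';'-separated field holds the rule id is not
# visible in this file, but note it also fires on any zero octet in an
# address (e.g. 10.0.0.1) — TODO confirm the field index and test only
# that field.
######################################################################
sub _looks_like_rule_zero {
    my ($line) = @_;
    return ($line =~ m/\b0\b/) ? 1 : 0;
}

######################################################################
# evidence: Walk @data (the lines already pulled out of $outfile for
# $ip by check()) and keep, in @fwlog, up to $MAX_EVIDENCE_LINES lines
# whose action field (index 5) is 'drop' and whose source field
# (index 10) is $ip.  @fwlog is emptied first so lines from an earlier
# address never carry over.  Returns the number of lines kept; the
# original returned nothing useful (its trailing if/else was a no-op).
######################################################################
sub evidence {
    @fwlog = ();
    my $kept  = 0;
    my $ip_re = _ip_pattern();
    return $kept unless defined $ip_re;

    LINE: foreach my $line (@data) {
        next LINE if $line =~ m/^\s*$/;            # skip any empty lines
        next LINE if _looks_like_rule_zero($line); # skip any rule 0 matches
        my ($action, $src) = (split /;/, $line)[5, 10];
        next LINE unless defined $action && defined $src;
        next LINE unless $action eq 'drop' && $src =~ $ip_re;
        push @fwlog, $line;
        $kept++;
        last LINE if $kept >= $MAX_EVIDENCE_LINES;
    }
    return $kept;
}

######################################################################
# check: See if the traffic for one address is harmless.  This is done
# by checking whether the destination (field 11) and service (field 12)
# stay fairly constant across the lines in $outfile that mention the
# address.
#   $_[0] - the ip address to review (stored in $ip)
#   $_[1] - stored in $times; not read here
# Side effects: refills @data and @fwlog, then calls misconfig() or
# whois() (defined elsewhere in the file).  Returns nothing.
######################################################################
sub check {
    ($ip, $times) = @_;

    # Never reset in the original, so lines collected for earlier
    # addresses bled into every later run.
    @data  = ();
    @fwlog = ();

    my $ip_re = _ip_pattern();
    unless (defined $ip_re) {
        warn "check: no ip address given, skipping\n";
        return;
    }

    # 3-arg open with a lexical handle: the original 2-arg open would
    # have honoured a leading '>' or trailing '|' in $outfile as a mode.
    open my $fh, '<', $outfile or die "Can't open $outfile: $!";
    while (my $line = <$fh>) {
        push @data, $line if $line =~ $ip_re;
    }
    close $fh;

    # Nothing mentions this address: the original fell through to a
    # zero count and left the loop iteration; same result here.
    return unless @data;

    my (@service, @dst);
    foreach my $line (@data) {
        next if $line =~ m/^\s*$/;   # skip any empty lines
        # NOTE(review): the original also had `next if $rule =~ /\b0\b/`
        # here, but $rule was never assigned, so that test skipped
        # nothing.  Which field holds the rule id is not visible in this
        # file — TODO confirm it and add the skip against that field.
        my ($dst, $service) = (split /;/, $line)[11, 12];
        push @service, $service;
        push @dst,     $dst;
    }
    @service = duplicates(@service);
    @dst     = duplicates(@dst);

    # Count lines going to the top destination AND top service.  Both
    # values come straight out of the log, so they are quoted with
    # \Q...\E rather than interpolated as regex syntax as the original
    # did.
    my $count = 0;
    my ($top_dst, $top_service) = ($dst[0], $service[0]);
    if (defined $top_dst && defined $top_service) {
        my $dst_re = qr/;\Q$top_dst\E;/;
        my $svc_re = qr/\b\Q$top_service\E\b/;
        $count = grep { $_ =~ $dst_re && $_ =~ $svc_re } @data;
    }

    evidence();

    # The original used `next` here, which leaves the caller's loop
    # iteration (and dies when check() is called outside a loop);
    # returning from the loop body does the same thing safely.
    return if $count == 0;

    if ($count >= $MISCONFIG_THRESHOLD) {
        misconfig();
    }
    else {
        whois();
    }
    return;
}

####
# Run the script against each ip address.  Each @ips entry is
# [ address, times ].  (The original also called check() once more
# with no arguments after the loop; that left $ip undefined and
# searched the log with an empty pattern, so it is dropped.)
foreach my $entry (@ips) {
    check($entry->[0], $entry->[1]);
}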