in reply to Cisco Log Files: broken REGEX
First off, at the risk of sounding like one of them talking heads at an Academy Awards ceremony, I just want to thank everybody for their assistance with this thing. I was going nuts with it.
Secondly: I always preach to folks that I teach Perl to that one of the first rules of dealing with data is to make sure you understand the data before you try to parse it. I should have listened to my own sermons, as I belatedly noticed that there were two different line formats depending on whether it was a TCP denial or an ICMP denial.
Secondly, chunlou, enlil, chromatic and eric256 all suggested that I make my code more readable by using the qr construction. Advice that I heeded, and it contributed greatly to solving this, both because it was more readable and because I ended up not re-typing the same regexes and fat-fingering them.
For the tcp deny the record looked like (just to review):

Aug 21 19:00:36 [1.1.1.3.200.125] 410381: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.161.24.153(3988) -> 10.158.24.10(135), 1 packet

and so to look for it I set up the following:

my $dtg       = qr([A-Z][a-z]+\s+\d+\s+\d+:\d+:\d+);   # date/time group, e.g. "Aug 21 19:00:36"
my $thingy    = qr([\.\d]+);                            # the dotted thing in square brackets
my $tz        = qr([A-Z]{3});                           # time zone, e.g. "UTC"
my $ipaddr    = qr(\d+\.\d+\.\d+\.\d+);                 # dotted-quad IP address
my $timestamp = qr/[A-Z][a-z]+ \d\d \d\d:\d\d:\d\d/;    # these four are defined but not used below
my $address   = qr/[\.\d]+/;
my $id        = qr/\d+/;
my $timezone  = qr/[A-Z]+/;
my $fragger   = qr/(\%SEC-6-IPACCESSLOGP|\%SEC-6-IPACCESSLOGDP)/;   # either message id
my $tcp_deny  = qr/^($dtg)\s\[$thingy\]\s\d+:\s($dtg)\s$tz:\s$fragger\:\slist\s(\d+)\sdenied\s(tcp|udp|icmp)\s($ipaddr)\(\d+\)\s\-\>\s($ipaddr)\(\d+\),\s(\d+)\spacket/;

and I actually look for the packet thusly:

if ( $line =~ m@$tcp_deny@ ) {
    # ... more stuff below
}
The second record type looked like:

Aug 21 19:00:36 [1.1.1.3.200.125] 410382: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.165.4.150 -> 211.95.79.233 (8/0), 1 packet

which used:

# same prefix, but no ports: "src -> dst (type/code)" instead of "src(port) -> dst(port)"
my $icmp_deny = qr/^($dtg)\s\[$thingy\]\s\d+:\s($dtg)\s$tz:\s$fragger\:\slist\s(\d+)\sdenied\s(tcp|udp|icmp)\s($ipaddr)\s\-\>\s($ipaddr)\s\(\d+\/\d+\),\s(\d+)\spacket/;
That, my fellow monks, is a tale to tell under Cool Uses for Perl once the script is all done and nice and tidy. It's a mess right now. Just a hint though: it has to do with all these virus attacks going on and how to find the infected machines...
Peter @ Berghold . Net
Sieze the cow! Bite the day!
Nobody expects the Perl inquisition!
Test the code? We don't need to test no stinkin' code!
All code posted here is as is where is unless otherwise stated.
Brewer of Belgian style Ales
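As an added example (not the poster's code), here is one way to put the two record shapes above behind a single parser: the shared prefix is one qr// piece, the tcp/udp and icmp trailers differ, and the results are tallied per source address, which is the "find the infected machines" use the post hints at. The first two sample lines are the ones quoted above; the other two are constructed, as are the field names.

```perl
#!/usr/bin/perl
# Added example, not from the original post. Parses both the
# IPACCESSLOGP (tcp/udp: src(port) -> dst(port)) and IPACCESSLOGDP
# (icmp: src -> dst (type/code)) deny records, then tallies denies
# per source host. Sample lines below are constructed for the example.
use strict;
use warnings;

my $dtg    = qr/[A-Z][a-z]+\s+\d+\s+\d+:\d+:\d+/;
my $ipaddr = qr/\d+\.\d+\.\d+\.\d+/;
# local stamp, [host], sequence number, then the device's own stamp and zone
my $prefix = qr/^$dtg\s\[[\.\d]+\]\s\d+:\s($dtg)\s[A-Z]{3}:\s/;

my $tcp_deny  = qr/$prefix%SEC-6-IPACCESSLOGP:\slist\s(\d+)\sdenied\s(tcp|udp)\s($ipaddr)\((\d+)\)\s->\s($ipaddr)\((\d+)\),\s(\d+)\spackets?/;
my $icmp_deny = qr/$prefix%SEC-6-IPACCESSLOGDP:\slist\s(\d+)\sdenied\s(icmp)\s($ipaddr)\s->\s($ipaddr)\s\((\d+)\/(\d+)\),\s(\d+)\spackets?/;

# Returns a hashref of fields for a deny record, or undef for anything else.
sub parse_deny {
    my ($line) = @_;
    if ($line =~ $tcp_deny) {
        return { when => $1, list => $2, proto => $3, src => $4, sport => $5,
                 dst  => $6, dport => $7, packets => $8 };
    }
    if ($line =~ $icmp_deny) {
        return { when => $1, list => $2, proto => $3, src => $4, dst => $5,
                 type => $6, code => $7, packets => $8 };
    }
    return;
}

my @lines = (   # constructed sample input
    'Aug 21 19:00:36 [1.1.1.3.200.125] 410381: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.161.24.153(3988) -> 10.158.24.10(135), 1 packet',
    'Aug 21 19:00:36 [1.1.1.3.200.125] 410382: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.165.4.150 -> 211.95.79.233 (8/0), 1 packet',
    'Aug 21 19:00:41 [1.1.1.3.200.125] 410383: Aug 21 23:00:40 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.161.24.153(3991) -> 10.158.24.11(135), 3 packets',
    'Aug 21 19:00:42 [1.1.1.3.200.125] 410384: Aug 21 23:00:41 UTC: %SYS-5-CONFIG_I: Configured from console by vty0',
);

my (%denies, %ports);
for my $line (@lines) {
    my $rec = parse_deny($line) or next;          # skip non-deny records
    $denies{ $rec->{src} } += $rec->{packets};
    $ports{ $rec->{src} }{ $rec->{dport} }++ if defined $rec->{dport};
}

# Busiest denied sources first; one host probing the same port on many
# neighbours is the pattern worth a closer look.
for my $src (sort { $denies{$b} <=> $denies{$a} } keys %denies) {
    my $plist = join ',', sort keys %{ $ports{$src} || {} };
    printf "%-16s %4d denied packet(s)%s\n", $src, $denies{$src},
        $plist ? " to tcp/udp port(s) $plist" : '';
}
```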