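#!/usr/bin/perl
# Mail the Security Team one "Flagged Activity" report per top-ten source
# address found in today's fwlogsum report, quoting up to 15 matching raw
# firewall log lines as evidence.  One log pass and one loop cover all
# addresses (the original copied the scan/mail block once per address).
use strict;
use warnings;
use List::Util qw(min);
use POSIX qw(strftime);

# --- Configuration --------------------------------------------------------
my $today       = strftime('%d%b%y', localtime);   # same layout as `date +%d%b%y`
my $reportfile  = "/exported/analysis/$today.logsum";
my $logfile     = "/exported/$today.elog";
my $from_addr   = 'Root<root@mydomain.com>';
my $to_addr     = 'IS Security<Security@mydomain.com>';   # closing '>' was missing
my $sendmail    = '/usr/lib/sendmail';
my $max_ips     = 10;   # report entries to mail about
my $max_samples = 15;   # log lines quoted per address as "evidence"

# Our own firewall addresses must never appear in outbound mail.
# Literal match on word boundaries, so 192.168.13.2 does not also rewrite
# 192.168.13.20 as "x.x.x.x0"; /g below masks every occurrence on a line.
my @internal_ips = qw(192.168.13.2 192.168.2.2 192.168.214.46 192.168.148.2);
my $internal_re  = do {
    my $alt = join '|', map { quotemeta } @internal_ips;
    qr/\b(?:$alt)\b/;
};

# --- Main -----------------------------------------------------------------
my @ips = read_top_sources($reportfile);
die "No source addresses found in $reportfile\n" unless @ips;

my @targets  = @ips[ 0 .. min($#ips, $max_ips - 1) ];
my %hits_for = collect_log_samples($logfile, [ map { $_->[0] } @targets ], $max_samples);

for my $entry (@targets) {
    my ($ip, $count) = @$entry;
    my @evidence = map { mask_internal($_) } @{ $hits_for{$ip} || [] };
    send_flag_report($ip, $count, \@evidence);
}

# Return ([ip, count], ...) for every row after the "Users/Source Addresses"
# heading of the fwlogsum report, in report order (first entry = top talker).
sub read_top_sources {
    my ($file) = @_;
    open my $fh, '<', $file or die "Can't open FWLOGSUM File: $!\n";
    my @found;
    my $in_section = 0;
    while (my $line = <$fh>) {
        chomp $line;
        $in_section = 1 if $line =~ m!^Users/Source Addresses!;
        next unless $in_section;
        # Only rows that begin with a dotted quad.  Column 0 is the address and
        # column 1 its hit count (fwlogsum layout, as the original script assumed).
        next unless $line =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/;
        push @found, [ split /\s+/, $line ];
    }
    close $fh;
    return @found;
}

# Read the firewall log once and return (ip => [ first $max matching lines ]).
# Each address is matched literally (\Q...\E): the original interpolated the
# bare address, so the dots matched any character and 10.1.1.1 also matched
# 10x1y1z1 or 10.1.1.10's neighbours.
sub collect_log_samples {
    my ($file, $ips, $max) = @_;
    my %re_of;
    $re_of{$_} = qr/\b\Q$_\E\b/ for @$ips;
    my %hits;
    open my $fh, '<', $file or die "Can't open $file: $!\n";
    while (my $line = <$fh>) {
        for my $ip (@$ips) {
            next if @{ $hits{$ip} ||= [] } >= $max;   # enough evidence already
            push @{ $hits{$ip} }, $line if $line =~ $re_of{$ip};
        }
    }
    close $fh;
    return %hits;
}

# Replace every internal firewall address in a log line with x.x.x.x.
sub mask_internal {
    my ($line) = @_;
    $line =~ s/$internal_re/x.x.x.x/g;
    return $line;
}

# Build and send one "Flagged Activity" mail for $ip through sendmail -t.
# $ip and $count come from a whitespace split, so neither can carry a newline
# into the headers that -t parses.  The evidence lines keep their own "\n",
# so they are joined with '' (interpolating the array added a stray space).
sub send_flag_report {
    my ($ip, $count, $evidence) = @_;
    # List-form pipe open: no shell, arguments passed verbatim.
    open my $mail, '|-', $sendmail, '-oi', '-t'
        or die "Can't fork for sendmail: $!\n";
    my $sample = join '', @$evidence;
    print {$mail} <<EOM;
From: $from_addr
To: $to_addr
Subject: Flagged Activity from $ip

System Administrator,

Hello. I am the Network Security Manager from ACME Inc. While I was scanning our firewall logs I discovered an ip
from your registered network was trying to gain access to APC's network. Could you please look into this for me
and provide a reason why a computer on your network would be trying to gain access to our network.

Here are the details:

Source IP Address: $ip
Number of times: $count

Sample from the firewall logs (*note date/time are Eastern Daylight Time -4 GMT):

$sample
Thank You,
Security Team
ACME Inc.
EOM
    close $mail or warn "sendmail didn't close nicely";
    return;
}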