Monks,

I'm in need of your assistance (once again). I have a script that goes through a firewall log file and extracts certain entries. Well, I'm trying to make this script "smarter" by ignoring entries that I don't care about. For example, I don't care about any entries that are flagged by what is referred to as rule 0. Here is my subroutine that is doing this as well as collecting the "evidence":

    ######################################################
    # evidence: Open up the log file, search for
    # the ip, add to array, split array into 15
    # lines, test if array is empty or not.
    #####################################################
    sub evidence {
        my ($count1, $action, $src);
        foreach (@data){
            ($action,$src) = (split /;/)[5,10];
            next if m/\b0\b/;    #skip any rule 0 matches
            next if m/^\s*$/;    #skip any empty lines
            if ($action eq 'drop' && $src =~ /$ip/){
                push (@fwlog, $_);
                $count1++ if $src =~ /$ip/;
                last if $count1 >= 16;
            }
        }
        # Test if the fwlog array is empty
        if (@fwlog) {
        }
        else {
            return;
        }
    }

That is working well, but the problem is, I'm only exiting out of the evidence sub, and the rest of the script continues to execute. I would like for the script to completely skip this ip address entirely and move onto the next one. I was thinking a LABEL might work, but this is not being executed in a while loop. Here is the rest of the pertinent parts of the script (note, these subs are called before the evidence sub):

    # Run the script against each ip address
    foreach my $x (0 .. $#ips){
        &check($ips[$x][0], $ips[$x][1]);
    }
    &check();

    my (@data, @fwlog, $ip, $times, $result);

    ######################################################################
    # check: See if the traffic is harmless. This is done by checking if
    # the source ip remains constant and the service remains fairly
    # constant
    ######################################################################
    sub check {
        $ip = $_[0];
        $times = $_[1];
        my ($rule, $dst, $service, @service, @dst, $count);
        open (OUTFILE, $outfile) or die "Can't open $outfile: $!";
        while (<OUTFILE>){
            push (@data, $_) if $_ =~ /$ip/;
        }
        close OUTFILE;
        foreach (@data){
            ($dst, $service) = (split /;/)[11,12];
            next if m/^\s*$/;    #skip any empty lines
            next if $rule =~ m/\b0\b/;    #skip any rule 0 matches
            push(@service, $service);
            push(@dst, $dst);
        }
        @service = &duplicates(@service);
        @dst = &duplicates(@dst);
        foreach (@data){
            $count++ if /\;$dst[0]\;/ && /\b$service[0]\b/;
        }
        &evidence();
        if ($count == 0){
            next;
        }
        elsif ($count >= 75){
            &misconfig();
        }
        else {
            &whois();
        }
    }

I appreciate any suggestions.

Thanks,
Dru
Another satisfied monk.
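
One way to structure this, as an added example that is not part of the original post: evidence() returns what it collected, and the caller treats an empty result as the signal to skip that address. The log rows are constructed, the rule number sitting in field 6 is an assumption (the post only gives fields 5 and 10-12), the cap of 15 is chosen for the example, and the source is compared with `eq` instead of `/$ip/`, since the unanchored pattern would also match 10.1.1.10 when looking for 10.1.1.1.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build one constructed log row: action in field 5, rule in field 6 (assumed),
# source in field 10, destination in 11, service in 12.
sub row {
    my ($action, $rule, $src, $dst, $svc) = @_;
    return join ';', ('-') x 5, $action, $rule, ('-') x 3, $src, $dst, $svc;
}

my @log = (
    row('drop',   3, '10.1.1.1',  '192.0.2.5', 'ssh'),
    row('drop',   0, '10.1.1.1',  '192.0.2.5', 'ssh'),     # rule 0: ignored
    row('drop',   7, '10.1.1.10', '192.0.2.9', 'telnet'),
    row('accept', 4, '10.1.1.2',  '192.0.2.5', 'http'),
    row('drop',   3, '10.1.1.1',  '192.0.2.6', 'ssh'),
);

# Return up to $max dropped entries whose source field is exactly $ip.
sub evidence {
    my ($ip, $max, @lines) = @_;
    my @hits;
    for my $line (@lines) {
        next if $line =~ /^\s*$/;                          # skip empty lines
        my ($action, $rule, $src) = (split /;/, $line)[5, 6, 10];
        next unless defined $src;                          # short or malformed row
        next if $rule eq '0';                              # skip rule 0 matches
        next unless $action eq 'drop' && $src eq $ip;      # exact match, no regex
        push @hits, $line;
        last if @hits >= $max;
    }
    return @hits;
}

# Return the number of evidence lines, or nothing when there is no evidence.
sub check {
    my ($ip, @lines) = @_;
    my @fwlog = evidence($ip, 15, @lines);
    return unless @fwlog;          # leave check() early; the caller moves on
    return scalar @fwlog;
}

for my $ip ('10.1.1.1', '10.1.1.10', '10.1.1.2') {
    my $n = check($ip, @log) or next;                      # skip this address entirely
    print "$ip: $n dropped entries kept as evidence\n";
}
```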

In reply to Best Way to Skip out of a sub Entirely by dru145
