dru145 has asked for the wisdom of the Perl Monks concerning the following question:

Hey Monks,

Newbie here. I run a perl program called fwlogsum http://www.ginini.com.au/tools/fw1/ against our firewall logs which produces a nice summary of the top source IPs and destination IPs being dropped by our firewall. Here is a sample:

Firewall-1 Log Summariser Report
Dropped Packets
Outbound Traffic
Sorted by count
Report format: 132 columns
Period for report data: 31 May 2001 at 17:02:38 to 1 Jun 2001 at 17:02:39
Period for matched data: 31 May 2001 at 17:02:38 to 1 Jun 2001 at 17:02:39
Report generated on: Thu Jul 12 15:38:13 2001
Total entries processed: 1431110
Entries matched on: 1431110
Inbound traffic: 0
Outbound traffic: 1431110
Control Messages: 0
Entries ignored: 0
Translated addresses: 577759
Translated ports: 571768

FIREWALL-1 REPORT SUMMARY INFORMATION

Firewall Server: Top 10 of 6
=======================================================
192.168.16.3        85503   59.75%
192.168.168.2       31193   21.80%
192.168.2.2         20057   14.02%
192.168.175.2      265171    1.85%
192.168.148.2       23376    1.63%
192.168.153.2       13676    0.96%

Users/Source Addresses: Top 10 of 3167
=======================================================
192.168.125.246     19630   13.72%
192.168.6.65        34936    2.44%
192.168.6.127       34760    2.43%
192.168.140.7       23080    1.61%
192.168.22.141      16485    1.15%
192.168.141.4       13367    0.93%
192.168.125.33      11356    0.79%
192.168.87.82       10194    0.71%
192.168.139.4        9359    0.65%
192.168.26.247       9065    0.63%

Is there a way to extract just the 10 source ip addresses of this report so I can use it to parse the firewall log to see if the ip address is really trying to hack us or is just a misconfigured piece of equipment? Right now I am manually grepping the firewall log with the top ten source addresses, determining if it is a legit hack, then emailing the sysadmin of that network (obtained from whois), with a sample of the log file as evidence. I am trying to automate this whole process and shave about an hour off of my day.

I would appreciate if somebody would point me in the right direction since getting started is always the most difficult part for me.

Thanks in advance - Dru

Edit 2001-07-1(2|3) ar0n -- Changed <i> to <code>

(ar0n) Re: Automating Firewall Log Reporting
by ar0n (Priest) on Jul 13, 2001 at 01:59 UTC
    # switch to check if we've reached the topten list yet.
    my $topten = 0;
    my @ips;
    open REPORT, "reportfile" or die "Can't open reportfile: $!\n";
    while (<REPORT>) {
        chomp;
        $topten = 1 if m!^Users/Source Addresses!;
        next unless $topten;
        push @ips, [ split /\s+/ ] if /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/;
    }
    close REPORT;

    That's basically the gist of it. Every element in @ips is a reference to an anonymous array; the first element of the anonymous array is the ip address, the second element is that number thingy (whatever it signifies) and the third is the percentage.

    For further study, look into MIME::Lite (for mailing) and Net::Whois (for you-know-what).

    Of course, it would probably be easier to just modify the script that generates this output

    Hope this helps,



    ar0n

      ar0n,

      Thanks for taking time out to help me. When I throw in a:

      print "@ips\n";
      to see what data I get, I get the following output:
      ARRAY(0x8101f68) ARRAY(0x81052b0) ARRAY(0x81052ec) etc.

      Do you know what I am doing wrong?

      Thanks, Dru

        I figured it out. Since this is a multidimensional array, I have to pull my data out as such:
        $ips[0][0], $ips[1][0], $ips[1][1], etc.

        There's nothing like figuring something out yourself.
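As an added example (not code posted in this thread, and not part of fwlogsum), here is a complete Perl script that ties the two points above together: it parses only the "Users/Source Addresses" table into [ ip, count, percent ] records the way ar0n's loop does, dereferences them so the output shows the fields rather than ARRAY(0x...), and then counts how many lines in a log each top address appears on, which is the grep step Dru was doing by hand. The report fragment and the log lines are constructed for this example; the log line format is an assumption and will differ from real Firewall-1 logs, so adjust the sample and the matching to your own log layout.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of the summary tables, laid out as in the report
# posted above (made up for this example, not a real report).
my $report = <<'END_REPORT';
FIREWALL-1 REPORT SUMMARY INFORMATION

Firewall Server: Top 10 of 6
=======================================================
192.168.16.3                 85503   59.75%
192.168.168.2                31193   21.80%

Users/Source Addresses: Top 10 of 3167
=======================================================
192.168.125.246              19630   13.72%
192.168.6.65                 34936    2.44%
192.168.6.127                34760    2.43%
END_REPORT

# Constructed firewall log lines (assumed format; real FW-1 logs differ).
my @log = (
    '31May2001 17:05:01 drop   src 192.168.125.246 dst 10.0.0.5 service 445',
    '31May2001 17:05:02 drop   src 192.168.125.246 dst 10.0.0.6 service 445',
    '31May2001 17:05:03 accept src 192.168.6.65    dst 10.0.0.7 service 80',
    '31May2001 17:05:04 drop   src 192.168.6.127   dst 10.0.0.8 service 53',
);

# Return a list of [ ip, count, percent ] records from the
# "Users/Source Addresses" table only. Reading stops at the first blank
# line after the table starts, so rows from other tables are not mixed in.
sub parse_source_addresses {
    my ($text) = @_;
    my @ips;
    my $in_table = 0;
    for my $line (split /\n/, $text) {
        if ($line =~ m!^Users/Source Addresses!) {
            $in_table = 1;
            next;
        }
        next unless $in_table;
        next if $line =~ /^=+\s*$/;    # separator row under the header
        last if $line =~ /^\s*$/;      # blank line ends the table
        if ($line =~ /^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+([\d.]+)%/) {
            push @ips, [ $1, $2, $3 ];
        }
    }
    return @ips;
}

# Count log lines per address. The address is quotemeta'd and anchored on
# word boundaries so that 192.168.6.6 does not also match 192.168.6.65.
sub count_hits {
    my ($addresses, $lines) = @_;
    my %hits;
    for my $ip (@$addresses) {
        my $re = qr/\b\Q$ip\E\b/;
        $hits{$ip} = scalar grep { $_ =~ $re } @$lines;
    }
    return \%hits;
}

my @ips = parse_source_addresses($report);

# Each element of @ips is an array reference; dereference it to get the
# fields instead of printing ARRAY(0x...).
for my $rec (@ips) {
    my ($ip, $count, $pct) = @$rec;
    printf "%-16s %8d %7.2f%%\n", $ip, $count, $pct;
}

# Just the addresses, then how often each one shows up in the log.
my @addresses = map { $_->[0] } @ips;
my $hits = count_hits(\@addresses, \@log);
for my $ip (@addresses) {
    printf "%-16s %d matching log line(s)\n", $ip, $hits->{$ip};
}
```

To run it against real files, replace the heredoc with the contents of the fwlogsum report and @log with the lines of the firewall log; the parsing and matching stay the same. The matched log lines for each address are what you would attach as evidence when contacting the owning network.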