Newbie here. I run a perl program called fwlogsum http://www.ginini.com.au/tools/fw1/ against our firewall logs which produces a nice summary of the top source IPs and destination IPs being dropped by our firewall. Here is a sample:
Firewall-1 Log Summariser Report
Dropped Packets
Outbound Traffic
Sorted by count
Report format:             132 columns
Period for report data:    31 May 2001 at 17:02:38 to 1 Jun 2001 at 17:02:39
Period for matched data:   31 May 2001 at 17:02:38 to 1 Jun 2001 at 17:02:39
Report generated on:       Thu Jul 12 15:38:13 2001
Total entries processed:   1431110
Entries matched on:        1431110
Inbound traffic:           0
Outbound traffic:          1431110
Control Messages:          0
Entries ignored:           0
Translated addresses:      577759
Translated ports:          571768

FIREWALL-1 REPORT SUMMARY INFORMATION

Firewall Server: Top 10 of 6
=======================================================
192.168.16.3          85503   59.75%
192.168.168.2         31193   21.80%
192.168.2.2           20057   14.02%
192.168.175.2        265171    1.85%
192.168.148.2         23376    1.63%
192.168.153.2         13676    0.96%

Users/Source Addresses: Top 10 of 3167
=======================================================
192.168.125.246       19630   13.72%
192.168.6.65          34936    2.44%
192.168.6.127         34760    2.43%
192.168.140.7         23080    1.61%
192.168.22.141        16485    1.15%
192.168.141.4         13367    0.93%
192.168.125.33        11356    0.79%
192.168.87.82         10194    0.71%
192.168.139.4          9359    0.65%
192.168.26.247         9065    0.63%
Is there a way to extract just the 10 source IP addresses of this report so I can use it to parse the firewall log to see if the IP address is really trying to hack us or is just a misconfigured piece of equipment? Right now I am manually grepping the firewall log with the top ten source addresses, determining if it is a legit hack, then emailing the sysadmin of that network (obtained from whois), with a sample of the log file as evidence. I am trying to automate this whole process and shave about an hour off of my day.
I would appreciate it if somebody would point me in the right direction, since getting started is always the most difficult part for me.
Thanks in advance - Dru
Edit 2001-07-1(2|3) ar0n -- Changed <i> to <code>
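One way to get started, as an added example that is not part of the original post and not code from fwlogsum: read the report, pull the IPs out of the "Users/Source Addresses" block, then make a single pass over the firewall log collecting a hit count and a few sample lines per address to attach as evidence. It assumes the report looks exactly like the sample above (a heading line ending in "Top N of M", a ruler of "=" signs, then one "ip count percent" line per entry) and that the firewall log is a plain text file with one entry per line containing the source address. The function and variable names are the example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pull the addresses listed under "Users/Source Addresses" out of a fwlogsum
# report (passed as one string) and return up to $limit of them, in report order.
sub top_source_ips {
    my ($report_text, $limit) = @_;
    $limit ||= 10;
    my @ips;
    my $in_section = 0;
    for my $line (split /\n/, $report_text) {
        if ($line =~ /^Users\/Source Addresses:/) { $in_section = 1; next; }
        next unless $in_section;
        next if $line =~ /^=+\s*$/;                     # ruler under the heading
        last if $line =~ /^\S.*:\s*Top \d+ of \d+/;     # start of the next section
        # entry line: "<ip>  <count>  <percent>%"
        if ($line =~ /^\s*((?:\d{1,3}\.){3}\d{1,3})\s+\d+\s+[\d.]+%/) {
            push @ips, $1;
            last if @ips >= $limit;
        }
    }
    return @ips;
}

# Scan the firewall log once and, for each address of interest, count the
# matching lines and keep the first $keep of them as evidence for the report
# to the remote sysadmin.
sub log_evidence {
    my ($log_fh, $ips, $keep) = @_;
    $keep ||= 5;
    my %hits = map { $_ => { count => 0, samples => [] } } @$ips;
    # quotemeta escapes the dots so 192.168.6.65 does not also match 192x168y6z65;
    # the \b anchors stop 192.168.6.6 from matching inside 192.168.6.65
    my $alt = join '|', map { quotemeta } @$ips;
    my $re  = qr/\b($alt)\b/;
    while (my $line = <$log_fh>) {
        next unless $line =~ $re;
        my $ip = $1;
        $hits{$ip}{count}++;
        push @{ $hits{$ip}{samples} }, $line if @{ $hits{$ip}{samples} } < $keep;
    }
    return \%hits;
}

# Run directly: perl topsrc.pl fwlogsum-report.txt fw.log
if (!caller) {
    my ($report_file, $log_file) = @ARGV;
    die "usage: $0 fwlogsum-report firewall-log\n" unless $report_file && $log_file;

    open my $rfh, '<', $report_file or die "$report_file: $!\n";
    my $report = do { local $/; <$rfh> };   # slurp the whole report
    close $rfh;
    my @ips = top_source_ips($report, 10);

    open my $lfh, '<', $log_file or die "$log_file: $!\n";
    my $hits = log_evidence($lfh, \@ips, 5);
    close $lfh;

    for my $ip (@ips) {
        printf "%-16s %8d log lines\n", $ip, $hits->{$ip}{count};
        print "    $_" for @{ $hits->{$ip}{samples} };
    }
}
```

The two subs are kept separate so the "who to look at" step (the report) and the "what did they do" step (the log) can be reworked independently; the samples list is what you would later paste into the mail to the owning network's admin, and the whois lookup and the e-mail itself can be chained on after the loop once the counts look right by eye.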