David,
Thank you for your help! I am trying to get this to work. Can you tell me what my $MyIpAddrInfo = \%MIAI; does? I am getting

HASH(0x8133528)

for $MyIpAddrInfo  if I print it out after the:

$MyIpAddrInfo->{$ip}++;


Ryan Lamberton


----- Original Message -----
From: "Wagner, David --- Senior Programmer Analyst --- WGO" <[EMAIL PROTECTED]>
To: "FamiLink Admin" <[EMAIL PROTECTED]>
Cc: <beginners@perl.org>
Sent: Wednesday, September 28, 2005 5:53 PM
Subject: RE: a little help...


FamiLink Admin wrote:
I am only concerned about the IP.  The rest is just to verify the
data for now.  What code would I use to key the $IP in to hash for
counting?.  Most of the IP's are not static but are from broadband
and don't change too often.  An example log is:

-------------
[2005-09-28 10:05:03 -7:00] 127.0.0.1 71.32.59.249 216.163.137.3 -
http://www.playboy.com/ blocked 0 PO
-------------
 the IP I want to count is 71.32.59.249 (for this log) and the
category is PO

I would do something like:
my %MIAI = ();
my $MyIpAddrInfo = \%MIAI;
Now as you go through the scan loop, you would take the if which is doing the check on the $flag and then do something like $MyIpAddrInfo->{$ip}++;
Now you complete your scan and then run through your loop like:

foreach my $MyIpAddr (sort keys %{$MyIpAddrInfo}) {
next if ( $MyIpAddrInfo->{$MyIpAddr} <= $blocklimit ); # if less than or equal get next key
# write your suspend and you could put together your email at the same time
}

A start.

Wags ;)

Ryan Lamberton


----- Original Message -----
From: "Wagner, David --- Senior Programmer Analyst --- WGO"
<[EMAIL PROTECTED]>
To: "FamiLink Admin" <[EMAIL PROTECTED]>
Cc: <beginners@perl.org>
Sent: Wednesday, September 28, 2005 5:18 PM
Subject: RE: a little help...


FamiLink Admin wrote:
Jeff ,
Thanks for all your help!  This is what I have now (below and this
time the whole thing):   I think I have included all that you talked
about plus others:

The sub scanlog does write the information to the files but it does
not return anything back to the main program and I also get the
error:

Use of uninitialized value in split at ./test.pl line 9.

Also, is there a better way of counting the number of times each IP
address gets blocked with category PO?   Each time I get to the
blocklimit it writes to the file but I really just want the max
number of blocks over the limit. It will write the same IP each time
it gets over the blocklimit though.


If you are only concerned about $ip and if they went over that limit
and not desiring the detail of said offense, then you could use the
$ip as a key into a hash. Then you could count all the occurrences. At
the conclusion of that processing then you could loop through the
hash and any count greater than your max, then you could write to the
suspend file.  For email, then could again use the hash to put
together a list of $ip's that are over your limit.

I have not followed the topic, but unless you do something with the
$ip, I would assume that the log is just that a log. You would have
interspersed $ip and so I am unsure how you would be able to say $ip
is at fault. I see nothing in your code which isolates to the $ip.
Again, are these static ip addr or when someone logs out, they are
ready for use by someone else.  If it is released then you have to
figure out when this occurs to get an accurate rcd. If static, then
not a problem.

Wags ;)



------------------------------------------------------------------------------
#!/usr/bin/perl -w
require Mail::Send;
$|=1;           # no buffering
use constant IP_LIST_FILE => "/etc/squid/iplist.txt";
use constant SUSPEND_FILE => "/etc/squid/SuspendIpList.txt";
use constant LOG_FILE => "/opt/n2h2/logs/filter_log";
my $sysop = "[EMAIL PROTECTED]";
my $flag = "PO";
my $hour = (split, localtime)[2];
my $blocklimit = 5;
my $matches = 0;
my $matched = 0;
{
        ($matched,$ip,$hour,$time,$category,$url) = &Scanlog($flag,$hour,$blocklimit,$matches,);
        if($matched > $blocklimit){
          $msg = new Mail::Send Subject=>'SuspendIpList', To=>"$sysop";
          $fh = $msg->open;
          print $fh "Someone has tried to access $matches banned sites today\n";
          print $fh "Their IP address ($ip) has been added to /etc/squid/SuspendIpList.txt\n";
          print $fh "To unblock them, remove their entry from the file and run squid -k reconfigure\n";
          print $fh "$matches, $ip, $hour, $time, $category, $url\n";
          $fh->close;         # complete the message and send it
          $matched = 0;
        }
        else{
          open my $output2, ">", SUSPEND_FILE or die "Can't write @{[SUSPEND_FILE]}: $!";
          print $output2 "10.0.0.252/32\n";
          close $output2;
        }
}
sub Scanlog {
        my ($flag,$hour,$blocklimit,$matches,) = @_;
        open my $slog, "-|", "tail -n 25000  @{[LOG_FILE]}" or die "Unable to open $log:$!\n";
        open my $output, ">", IP_LIST_FILE or die "Can't write @{[IP_LIST_FILE]}: $!";
        open my $output2, ">", SUSPEND_FILE or die "Can't write @{[SUSPEND_FILE]}: $!";
        while (my $line = <$slog>){     # assigns each line in turn to $line
             # use an array slice to select the fields we want
             my ($time, $ip, $url, $category) = (split " ", $line)[1,4,7,10];
             my ($hr) = split /:/, $time;
             if($flag eq $category and $hr eq $hour){
                $matches += 1 ;
             }
             if($matches > $blocklimit){
                print $output "$matches, $ip, $hour, $time, $category, $url\n";
                print $output2 "$ip/32\n";
                $matched = $matches;
                $matches = 0;
             }
        }
        close $output;
        close $output2;
        return($matched,$ip,$hour,$time,$category,$url);
}



------------------------------------------------------------------
Ryan Lamberton


----- Original Message -----
From: "Jeff 'japhy' Pinyan" <[EMAIL PROTECTED]>
To: "FamiLink Admin" <[EMAIL PROTECTED]>
Cc: <beginners@perl.org>
Sent: Wednesday, September 28, 2005 12:24 PM
Subject: Re: a little help...


On Sep 28, FamiLink Admin said:

I am trying to read a log file and get a list of how many times an
IP address get blocked each hour by category PO.  An example line
in the log with a block is:
-------------
[2005-09-28 10:05:03 -7:00] 127.0.0.1 71.32.59.249 216.163.137.3 -
http://www.playboy.com/ blocked 0 PO
-------------
What I have kinda works but I am not sure if it is the best
practice. This is the first time programming in perl and this is
what I have so far:

Your indentation leaves much to be desired, so I've "fixed" it.

sub Scanlog {
  local($ipb) = @_;

No reason to use 'local'; stick with 'my' here.  But... what is
$ipb?  You don't use it anywhere!

  open my $slog, "-|", "tail -n 50000 $log" or die "Unable to open $log:$!\n";
  open (OUTPUT,">/etc/squid/iplist.txt");
  open (OUTPUT2,">/etc/squid/SuspendIpList.txt");

You should also die if neither of those could be opened:

    open(OUTPUT, ">...") or die "can't create /etc/squid/iplist.txt: $!";

  while (<$slog>){     # assigns each line in turn to $_
    # use an array slice to select the fields we want
    @data = (split ,$_)[1,4,10,5,7];
    $hr = (split /:/ ,$data[0])[0];
    $ip = "$data[1]";

Those three variables should all be declared with 'my'.  Your line
assigning to @data has a typo that hasn't affected you, but it
might eventually.

      my @data = (split)[1,4,10,5,7];  # why out of order?
      my $hr = (split /:/, $data[0])[0];
      my $ip = $data[1];  # no need to quote $data[1] here

    if ($flag eq $data[2]) {

Where is $flag coming from?

      if ($hr eq $hour) {

Where is $hour coming from?

Those two if statements can be combined into one, since you don't do
anything if they aren't both true.

      if ($flag eq $data[2] and $hr eq $hour) {

        foreach (/$data[2]/) {
          $matches += 1 ;
        }

I have a feeling this could lead to false positives.  How do you
know that 'PO' (or whatever else $data[2] might hold) won't appear
in the URL, for instance?  Perhaps this should just be

          $matches++;

But where is $matches coming from?!

        if ($matches > $blocklimit) {

Where does $blocklimit come from?!

          $ip1 = "$data[1]/32";

Declare that with 'my'.

          print OUTPUT "$matches,", "$hour, ","$ip1, ", "@data","\n";

You could just write that as

  print OUTPUT "$matches, $hour, $data[1]/32 @data\n";

          print OUTPUT2 "$ip1\n";
          $matched = $matches;
          $matches = 0;

Where did $matched come from?

        }
      }
    }
  }
  close (OUTPUT);
  close (OUTPUT2);
}

You should not use any variables in a function that you did not
pass to it or create IN it.

--
Jeff "japhy" Pinyan        %  How can we ever be the sold short or
RPI Acacia Brother #734    %  the cheated, we who for every service
http://www.perlmonks.org/  %  have long ago been overpaid?
http://princeton.pm.org/   %    -- Meister Eckhart

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<http://learn.perl.org/> <http://learn.perl.org/first-response>
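
An added worked example, not part of any message in this thread: counting blocks per IP through a hash reference and listing each IP over the limit once, after the scan is complete. Field positions follow the sample log line quoted above; the sample lines, the addresses, the "GA" category and the names count_blocks and over_limit are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines in the layout of the log line quoted in the thread.
my @sample_log = (
    '[2005-09-28 10:05:03 -7:00] 127.0.0.1 192.0.2.10 198.51.100.3 - http://blocked.example/a blocked 0 PO',
    '[2005-09-28 10:07:41 -7:00] 127.0.0.1 192.0.2.10 198.51.100.3 - http://blocked.example/b blocked 0 PO',
    '[2005-09-28 10:09:12 -7:00] 127.0.0.1 192.0.2.10 198.51.100.3 - http://blocked.example/c blocked 0 PO',
    '[2005-09-28 10:11:30 -7:00] 127.0.0.1 192.0.2.22 198.51.100.3 - http://blocked.example/d blocked 0 PO',
    '[2005-09-28 10:15:00 -7:00] 127.0.0.1 192.0.2.22 198.51.100.3 - http://other.example/PO/ blocked 0 GA',
    '[2005-09-28 09:59:59 -7:00] 127.0.0.1 192.0.2.10 198.51.100.3 - http://blocked.example/e blocked 0 PO',
    'truncated line',
);

# Returns a reference to a hash of ip => number of blocks.
sub count_blocks {
    my ($lines, $flag, $hour) = @_;
    my %count;
    for my $line (@$lines) {
        my @f = split " ", $line;
        next unless @f >= 11;                           # malformed or truncated line
        my ($time, $ip, $category) = @f[1, 4, 10];
        next unless $time =~ /^(\d+):/ and $1 == $hour; # only the requested hour
        next unless $category eq $flag;                 # exact field match, not a URL substring
        next unless $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/; # only IP-shaped values reach the ACL file
        $count{$ip}++;
    }
    return \%count;
}

# Each offending IP appears once, however far over the limit it went.
sub over_limit {
    my ($count, $blocklimit) = @_;
    return grep { $count->{$_} > $blocklimit } sort keys %$count;
}

my $count = count_blocks(\@sample_log, "PO", 10);
print "the reference itself prints as: $count\n";      # HASH(0x...), an address, not the data
for my $ip (over_limit($count, 2)) {
    print "$ip/32 blocked $count->{$ip} times\n";       # the line that would go to the suspend file
}
```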


