FamiLink Admin wrote:
> David,
> Thank you for your help! I am trying to get this to work. Can you
> tell me what my $MyIpAddrInfo = \%MIAI; does? I am getting
This is making $MyIpAddrInfo a reference to %MIAI so to access the data
you use the -> as the connector vs $MIAI{}.
>
> HASH(0x8133528)
>
> for $MyIpAddrInfo if I print it out after the:
Since you have only given me this, it should be, and I looked at what I
sent you:
foreach $MyIpAddr (sort keys %{$MyIpAddrInfo}) {
    next if ( $MyIpAddrInfo->{$MyIpAddr} <= $blocklimit ); # if less than or equal get next key
The best way to see what you have is using Data::Dumper.
Add a use Data::Dumper at top of script.
I then would add at a high level:
$Data::Dumper::Sortkeys = 1; # sort the keys when printing.
Then you can do something like:
print Dumper(\%{$MyIpAddrInfo}); # in this case will go to std out. if a lot of data, then open a disk file and write to that.
Also you can before the print place this line:
$Data::Dumper::Varname = 'MyIpAddrInfo'; # this name will appear at the beginning of the output
print Dumper(\%{$MyIpAddrInfo}); # in this case will go to std out. if a lot of data, then open a disk file and write to that.
Wags ;)
>
> $MyIpAddrInfo->{$ip}++;
>
>
> Ryan Lamberton
>
>
> ----- Original Message -----
> From: "Wagner, David --- Senior Programmer Analyst --- WGO"
> <[EMAIL PROTECTED]>
> To: "FamiLink Admin" <[EMAIL PROTECTED]>
> Cc: <[email protected]>
> Sent: Wednesday, September 28, 2005 5:53 PM
> Subject: RE: a little help...
>
>
> FamiLink Admin wrote:
>> I am only concerned about the IP. The rest is just to verify the
>> data for now. What code would I use to key the $IP in to hash for
>> counting? Most of the IPs are not static but are from broadband
>> and don't change too often. An example log is:
>>
>> -------------
>> [2005-09-28 10:05:03 -7:00] 127.0.0.1 71.32.59.249 216.163.137.3 -
>> http://www.playboy.com/ blocked 0 PO
>> -------------
>> the IP I want to count is 71.32.59.249 (for this log) and the
>> category is PO
>>
> I would do something like:
> my %MIAI = ();
> my $MyIpAddrInfo = \%MIAI;
> Now as you go through the scan loop, you would take the if which is
> doing the check on the $flag and then do something like
> $MyIpAddrInfo->{$ip}++; Now you complete your scan and then run through
> your loop like:
>
> foreach $MyIpAddr (sort keys %{$MyIpAddrInfo}) {
>     next if ( $MyIpAddrInfo->{$MyIpAddr} <= $blocklimit ); # if less than or equal get next key
>     # write your suspend and you could put together your email at the same time
> }
>
> A start.
>
> Wags ;)
>
>> Ryan Lamberton
>>
>>
>> ----- Original Message -----
>> From: "Wagner, David --- Senior Programmer Analyst --- WGO"
>> <[EMAIL PROTECTED]>
>> To: "FamiLink Admin" <[EMAIL PROTECTED]>
>> Cc: <[email protected]>
>> Sent: Wednesday, September 28, 2005 5:18 PM
>> Subject: RE: a little help...
>>
>>
>> FamiLink Admin wrote:
>>> Jeff ,
>>> Thanks for all your help! This is what I have now (below and this
>>> time the whole thing): I think I have included all that you
>>> talked about plus others:
>>>
>>> The sub scanlog does write the information to the files but it does
>>> not return anything back to the main program and I also get the
>>> error:
>>>
>>> Use of uninitialized value in split at ./test.pl line 9.
>>>
>>> Also, is there a better way of counting the number of times each IP
>>> address gets blocked with category PO? Each time I get to the
>>> blocklimit it writes to the file but I really just want the max
>>> number of blocks over the limit. It will write the same IP each time
>>> it gets over the blocklimit though.
>>
>>
>> If you are only concerned about $ip and if they went over that limit
>> and not desiring the detail of said offense, then you could use the
>> $ip as a key into a hash. Then you could count all the occurrences. At
>> the conclusion of that processing then you could loop through the
>> hash and any count greater than your max, then you could write to the
>> suspend file. For email, then could again use the hash to put
>> together a list of $ip's that are over your limit.
>>
>> I have not followed the topic, but unless you do something with the
>> $ip, I would assume that the log is just that a log. You would have
>> interspersed $ip and so I am unsure how you would be able to say $ip
>> is at fault. I see nothing in your code which isolates to the $ip.
>> Again, are these static ip addr or when someone logs out, they are
>> ready for use by someone else. If it is released then you have to
>> figure out when this occurs to get an accurate rcd. If static, then
>> not a problem.
>>
>> Wags ;)
>>
>>
>>>
>>> ------------------------------------------------------------------------------
>>> #!/usr/bin/perl -w
>>> require Mail::Send;
>>> $|=1; # no buffering
>>> use constant IP_LIST_FILE => "/etc/squid/iplist.txt";
>>> use constant SUSPEND_FILE => "/etc/squid/SuspendIpList.txt";
>>> use constant LOG_FILE => "/opt/n2h2/logs/filter_log";
>>> my $sysop = "[EMAIL PROTECTED]";
>>> my $flag = "PO";
>>> my $hour = (split, localtime)[2];
>>> my $blocklimit = 5;
>>> my $matches = 0;
>>> my $matched = 0;
>>> {
>>>     ($matched,$ip,$hour,$time,$category,$url) =
>>>         &Scanlog($flag,$hour,$blocklimit,$matches,);
>>>     if($matched > $blocklimit){
>>>         $msg = new Mail::Send Subject=>'SuspendIpList', To=>"$sysop";
>>>         $fh = $msg->open;
>>>         print $fh "Someone has tried to access $matches banned sites today\n";
>>>         print $fh "Their IP address ($ip) has been added to /etc/squid/SuspendIpList.txt\n";
>>>         print $fh "To unblock them, remove their entry from the file and run squid -k reconfigure\n";
>>>         print $fh "$matches, $ip, $hour, $time, $category, $url\n";
>>>         $fh->close; # complete the message and send it
>>>         $matched = 0;
>>>     } else{
>>>         open my $output2, ">", SUSPEND_FILE or die "Can't write @{[SUSPEND_FILE]}: $!";
>>>         print $output2 "10.0.0.252/32\n";
>>>         close $output2;
>>>     }
>>> }
>>> sub Scanlog {
>>>     my ($flag,$hour,$blocklimit,$matches,) = @_;
>>>     open my $slog, "-|", "tail -n 25000 @{[LOG_FILE]}" or die "Unable to open $log:$!\n";
>>>     open my $output, ">", IP_LIST_FILE or die "Can't write @{[IP_LIST_FILE]}: $!";
>>>     open my $output2, ">", SUSPEND_FILE or die "Can't write @{[SUSPEND_FILE]}: $!";
>>>     while (my $line = <$slog>){ # assigns each line in turn to $line
>>>         # use an array slice to select the fields we want
>>>         my ($time, $ip, $url, $category) = (split " ", $line)[1,4,7,10];
>>>         my ($hr) = split /:/, $time;
>>>         if($flag eq $category and $hr eq $hour){ $matches += 1 ; }
>>>         if($matches > $blocklimit){
>>>             print $output "$matches, $ip, $hour, $time, $category, $url\n";
>>>             print $output2 "$ip/32\n";
>>>             $matched = $matches;
>>>             $matches = 0;
>>>         }
>>>     }
>>>     close $output;
>>>     close $output2;
>>>     return($matched,$ip,$hour,$time,$category,$url);
>>> }
>>>
>>>
>>>
>>> ------------------------------------------------------------------
>>> Ryan Lamberton
>>>
>>>
>>> ----- Original Message -----
>>> From: "Jeff 'japhy' Pinyan" <[EMAIL PROTECTED]>
>>> To: "FamiLink Admin" <[EMAIL PROTECTED]>
>>> Cc: <[email protected]>
>>> Sent: Wednesday, September 28, 2005 12:24 PM
>>> Subject: Re: a little help...
>>>
>>>
>>>> On Sep 28, FamiLink Admin said:
>>>>
>>>>> I am trying to read a log file and get a list of how many times an
>>>>> IP address get blocked each hour by category PO. An example line
>>>>> in the log with a block is: -------------
>>>>> [2005-09-28 10:05:03 -7:00] 127.0.0.1 71.32.59.249 216.163.137.3 -
>>>>> http://www.playboy.com/ blocked 0 PO
>>>>> -------------
>>>>> What I have kinda works but I am not sure if it is the best
>>>>> practice. This is the first time programming in perl and this is
>>>>> what I have so far:
>>>>
>>>> Your indentation leaves much to be desired, so I've "fixed" it.
>>>>
>>>>> sub Scanlog {
>>>>> local($ipb) = @_;
>>>>
>>>> No reason to use 'local'; stick with 'my' here. But... what is
>>>> $ipb? You don't use it anywhere!
>>>>
>>>>> open my $slog, "-|", "tail -n 50000 $log" or die "Unable to open $log:$!\n";
>>>>> open (OUTPUT,">/etc/squid/iplist.txt");
>>>>> open (OUTPUT2,">/etc/squid/SuspendIpList.txt");
>>>>
>>>> You should also die if neither of those could be opened:
>>>>
>>>> open(OUTPUT, ">...") or die "can't create /etc/squid/iplist.txt: $!";
>>>>
>>>>> while (<$slog>){ # assigns each line in turn to $_
>>>>> # use an array slice to select the fields we want
>>>>> @data = (split ,$_)[1,4,10,5,7];
>>>>> $hr = (split /:/ ,$data[0])[0];
>>>>> $ip = "$data[1]";
>>>>
>>>> Those three variables should all be declared with 'my'. Your line
>>>> assigning to @data has a typo that hasn't affected you, but it
>>>> might eventually.
>>>>
>>>> my @data = (split)[1,4,10,5,7]; # why out of order?
>>>> my $hr = (split /:/, $data[0])[0];
>>>> my $ip = $data[1]; # no need to quote $data[1] here
>>>>
>>>>> if ($flag eq $data[2]) {
>>>>
>>>> Where is $flag coming from?
>>>>
>>>>> if ($hr eq $hour) {
>>>>
>>>> Where is $hour coming from?
>>>>
>>>> Those two if statements can be combined into one, since you don't
>>>> do anything if they aren't both true.
>>>>
>>>> if ($flag eq $data[2] and $hr eq $hour) {
>>>>
>>>>> foreach (/$data[2]/) {
>>>>> $matches += 1 ;
>>>>> }
>>>>
>>>> I have a feeling this could lead to false positives. How do you
>>>> know that 'PO' (or whatever else $data[2] might hold) won't appear
>>>> in the URL, for instance? Perhaps this should just be
>>>>
>>>> $matches++;
>>>>
>>>> But where is $matches coming from?!
>>>>
>>>>> if ($matches > $blocklimit) {
>>>>
>>>> Where does $blocklimit come from?!
>>>>
>>>>> $ip1 = "$data[1]/32";
>>>>
>>>> Declare that with 'my'.
>>>>
>>>>> print OUTPUT "$matches,", "$hour, ","$ip1, ", "@data","\n";
>>>>
>>>> You could just write that as
>>>>
>>>> print OUTPUT "$matches, $hour, $data[1]/32 @data\n";
>>>>
>>>>> print OUTPUT2 "$ip1\n";
>>>>> $matched = $matches;
>>>>> $matches = 0;
>>>>
>>>> Where did $matched come from?
>>>>
>>>>> }
>>>>> }
>>>>> }
>>>>> }
>>>>> close (OUTPUT);
>>>>> close (OUTPUT2);
>>>>> }
>>>>
>>>> You should not use any variables in a function that you did not
>>>> pass to it or create IN it.
>>>>
>>>> --
>>>> Jeff "japhy" Pinyan % How can we ever be the sold short or
>>>> RPI Acacia Brother #734 % the cheated, we who for every service
>>>> http://www.perlmonks.org/ % have long ago been overpaid?
>>>> http://princeton.pm.org/ % -- Meister Eckhart
>>>>
>>>> --
>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>> <http://learn.perl.org/> <http://learn.perl.org/first-response>
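Putting the thread's advice together in one script (split with an array slice, the two tests combined into one condition, a hash reference keyed on the client IP that is walked once after the scan, and Data::Dumper to look inside it). This is an added example, not code from any of the posters; the log lines are constructed in the layout quoted above, and the $hour and $blocklimit values are assumptions chosen so the sample trips the limit.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;

# Constructed sample lines in the filter_log layout quoted in the thread (not a real log).
my @log = (
    "[2005-09-28 10:05:03 -7:00] 127.0.0.1 71.32.59.249 216.163.137.3 - http://www.playboy.com/ blocked 0 PO",
    "[2005-09-28 10:07:11 -7:00] 127.0.0.1 71.32.59.249 216.163.137.3 - http://www.playboy.com/ blocked 0 PO",
    "[2005-09-28 10:09:40 -7:00] 127.0.0.1 10.0.0.7 216.163.137.3 - http://www.example.com/ blocked 0 PO",
    "[2005-09-28 11:01:02 -7:00] 127.0.0.1 71.32.59.249 216.163.137.3 - http://www.playboy.com/ blocked 0 PO",
    "[2005-09-28 10:12:55 -7:00] 127.0.0.1 71.32.59.249 216.163.137.3 - http://www.example.com/ blocked 0 AD",
);

my $flag       = 'PO';  # category to count
my $hour       = 10;    # assumed hour; Ryan's script takes this from (localtime)[2]
my $blocklimit = 1;     # assumed limit, kept low so the sample goes over it

# Count blocks per client IP in a hash reference, as Wags suggested.
my %MIAI;
my $MyIpAddrInfo = \%MIAI;

for my $line (@log) {
    # Array slice of split: time, client IP, URL, category are fields 1, 4, 7, 10.
    my ($time, $ip, $url, $category) = (split ' ', $line)[1, 4, 7, 10];
    next unless defined $category;      # skip short or malformed lines instead of warning
    my ($hr) = split /:/, $time;
    # Numeric compare so a log hour of "09" still matches localtime's 9.
    next unless $category eq $flag and $hr == $hour;
    $MyIpAddrInfo->{$ip}++;             # the IP is the hash key, the value is the count
}

# Inspect the structure; Sortkeys makes the output stable, Varname names the dumped
# variable (Dumper appends a counter, so it prints as $MyIpAddrInfo1).
$Data::Dumper::Sortkeys = 1;
$Data::Dumper::Varname  = 'MyIpAddrInfo';
print Dumper($MyIpAddrInfo);

# One pass over the hash after the scan: report only the IPs over the limit.
my @suspend;
foreach my $MyIpAddr (sort keys %{$MyIpAddrInfo}) {
    next if $MyIpAddrInfo->{$MyIpAddr} <= $blocklimit;   # at or under the limit: next key
    push @suspend, "$MyIpAddr/32";
    printf "%s blocked %d times in hour %02d\n", $MyIpAddr, $MyIpAddrInfo->{$MyIpAddr}, $hour;
}
print "suspend list:\n", map { "$_\n" } @suspend;
```

With the sample lines only 71.32.59.249 (two PO blocks in hour 10) ends up in the suspend list; the 11:01 line and the AD line are not counted.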