Stephen Reese wrote:
> John W. Krahn wrote:
>>
>> Have a look at the sample data you posted and you will see where.
> 
> I believe I found where the ']' needs to go but didn't see any extra ' '
> space.
> 
> The $x count seems off. As I see it every time a regex match is made then $x
> will increase by one. The match number results are about 5x greater than what
> they should be after correlating my grep findings with the perl output.
> 
> my ( %srca, %quad, %port );
> my $x;
> 
> while (<LOG>) {
>         next unless
> /Sig:\s*(\d+)\s+Subsig:\s*(\d+)\s+Sev:\s*(\d+)([^\[]+)\[([\d\.]+):(\d+)\s*->\s*([\d\.]+):(\d+)\]/;
>         $x++;
>         $srca{ $5 } += $x;
>         $quad{ sprintf '%-16s -> %-16s Port %-6s %-s', $5, $7, $8, $4 } +=
> $x;
> #       $port{ sprintf 'port %-6s %-16s %-s', $1, $5, $4 } += $x;
> #       $port{ sprintf 'port %-6s %-s', $1, $4 } += $x;
>         $port{ sprintf 'Sig %-6s Severity %-2s', $1, $2 } += $x;
> }
> my $n;
> 
> print "\nSource Address Summary:\n";
> foreach my $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca) {
>    if ($n++ >= $ntop) { last };
>    printf ("%6s: %s\n", $srca{$i},$i);
> }
> $n=0;
> 
> print "Connection Summary:\n";
> foreach my $i ( sort { $quad{$b} <=> $quad{$a} } keys %quad) {
>    if ($n++ >= $ntop) { last };
>    printf ("%6s: %s\n", $quad{$i},$i);
> }
> $n=0;
> 
> print "\nDestination Port Summary:\n";
> foreach my $i ( sort { $port{$b} <=> $port{$a} } keys %port) {
>    if ($n++ >= $ntop) { last };
>    printf ("%6s: %s\n", $port{$i},$i);
> }

I don't understand why you're /adding/ the match count $x to the hash value each
time. Is that why you're getting values that you don't expect?

If the first column of your output is supposed to be a count (for that source
address, connection, or port) then you should be adding one each time, not the
current match count.

Does the program below help you at all?

Rob
use strict;
use warnings;

my $re = qr/
  Sig:\s*(\d+)\s+     # $1
  Subsig:\s*(\d+)\s+  # $2
  Sev:\s*(\d+)\s+     # $3
  (.*?)\s+            # $4
  \[
    ([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)     # $5:$6 -> $7:$8
  \]
/x;
my ( %srca, %quad, %port );

while (<DATA>) {
  next unless /$re/;
  my $conn = sprintf '%-16s -> %-16s Port %-6s %-s', $5, $7, $8, $4;
  my $port = sprintf 'Sig %-6s Severity %-2s', $1, $2;
  $srca{$5}++;
  $quad{$conn}++;
  $port{$port}++;
}

print "\nSource Address Summary:\n";
foreach my $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca) {
  printf ("%6s: %s\n", $srca{$i},$i);
}

print "\nConnection Summary:\n";
foreach my $i ( sort { $quad{$b} <=> $quad{$a} } keys %quad) {
  printf ("%6s: %s\n", $quad{$i},$i);
}

print "\nDestination Port Summary:\n";
foreach my $i ( sort { $port{$b} <=> $port{$a} } keys %port) {
  printf ("%6s: %s\n", $port{$i},$i);
}

__DATA__
Sep 24 00:41:13 172.16.2.1 184512: 3725router: Sep 24 04:56:58: %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [71.7.229.205:4693 -> 68.156.62.111:49613]
Sep 23 21:11:58 172.16.2.1 180743: 3725router: Sep 24 01:27:10: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [91.97.234.152:0 -> 68.156.62.111:0]


-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
http://learn.perl.org/