> I don't understand why you're /adding/ the match count $x to the hash value
> each
> time. Is that why you're getting values that you don't expect?
>
> If the first column of your output is supposed to be a count (for that source
> address, connection, or port) then you should be adding one each time, not the
> current match count.
>
> Does the program below help you at all?
>
> Rob
>
>
>
> use strict;
> use warnings;
>
> my $re = qr/
> Sig:\s*(\d+)\s+ # $1
> Subsig:\s*(\d+)\s+ # $2
> Sev:\s*(\d+)\s+ # $3
> (.*?)\s+ # $4
> \[
> ([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+) # $5:$6 -> $7:$8
> \]
> /x;
>
>
>
> my ( %srca, %quad, %port );
>
> while (<DATA>) {
> next unless /$re/;
> my $conn = sprintf '%-16s -> %-16s Port %-6s %-s', $5, $7, $8, $4;
> my $port = sprintf 'Sig %-6s Severity %-2s', $1, $2;
> $srca{$5}++;
> $quad{$conn}++;
> $port{$port}++;
> }
>
> print "\nSource Address Summary:\n";
> foreach my $i ( sort { $srca{$b} <=> $srca{$a} } keys %srca) {
> printf ("%6s: %s\n", $srca{$i},$i);
> }
>
> print "\nConnection Summary:\n";
> foreach my $i ( sort { $quad{$b} <=> $quad{$a} } keys %quad) {
> printf ("%6s: %s\n", $quad{$i},$i);
> }
>
> print "\nDestination Port Summary:\n";
> foreach my $i ( sort { $port{$b} <=> $port{$a} } keys %port) {
> printf ("%6s: %s\n", $port{$i},$i);
> }
>
> __DATA__
> Sep 24 00:41:13 172.16.2.1 184512: 3725router: Sep 24 04:56:58:
> %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS
> [71.7.229.205:4693 -> 68.156.62.111:49613]
> Sep 23 21:11:58 172.16.2.1 180743: 3725router: Sep 24 01:27:10:
> %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [91.97.234.152:0
> -> 68.156.62.111:0]
Rob, that does help. It appears I was adding instead of incrementing.
I'm getting what appears to be some pretty accurate counts now. I also
like the way the regex is broken up making it easier to understand.
Thank you and everyone else for helping out!
Here's the unpolished version:
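#!/usr/bin/perl
use strict;
use warnings;
#http://code.google.com/p/cisco-log-parser/
#
# Summarise Cisco IOS IPS "%IPS-4-SIGNATURE" syslog lines: count the most
# frequent signature messages, source -> destination connection pairs and
# Sig/Subsig/Severity triples, then print the top $ntop rows of each.
#
# The log file is untrusted input. Every field taken from it is used only as
# a hash key or as a sprintf/printf *argument* (all format strings below are
# constants), so a hostile log line cannot change the output format.

my $log  = '/var/log/cisco.log';
my $ntop = 10;    # rows printed per summary

# Optional signature filter from the command line. NOTE: it is not applied
# anywhere yet (the original script never used it either). If it is ever
# interpolated into $re, write it as \Q$sig\E so an argument containing
# regex metacharacters cannot alter the pattern.
my $sig = $ARGV[0] || '.*';

# Lexical filehandle instead of the bareword LOG: scoped to this script and
# closed explicitly once the file has been read.
open my $log_fh, '<', $log or die "Cannot open '$log' $!";

my $re = qr/
    IPS-4-SIGNATURE:\s+                      # Initial Pattern
    Sig:\s*(\d+)\s+                          # $1
    Subsig:\s*(\d+)\s+                       # $2
    Sev:\s*(\d+)\s+                          # $3
    (.*?)\s+                                 # $4
    \[
    ([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)     # $5:$6 -> $7:$8
    \]
/x;

my ( %mess, %quad, %port );

while ( my $line = <$log_fh> ) {
    next unless $line =~ /$re/;
    # Copy the captures out immediately; any later match would clobber $1..$8.
    my ( $sig_id, $subsig, $sev, $text, $src, $sport, $dst, $dport )
        = ( $1, $2, $3, $4, $5, $6, $7, $8 );
    my $summ = sprintf '%-9s %-s', $sig_id, $text;
    my $conn = sprintf '%-16s %-5s -> %-16s %-5s', $src, $sport, $dst, $dport;
    my $trip = sprintf '%-6s %-6s %-6s', $sig_id, $subsig, $sev;
    $mess{$summ}++;
    $quad{$conn}++;
    $port{$trip}++;
}
close $log_fh or die "Cannot close '$log' $!";

_print_top( \%mess, $ntop, 'Most Frequent IPS Messages', 'Number Signature Message' );
_print_top( \%quad, $ntop, 'Connection Summary',         'Number Source Destination' );
_print_top( \%port, $ntop, 'Signature Information',      'Number Sig Subsig Severity' );

# Print the $limit highest-count entries of %$count_of, most frequent first,
# under a title line and a column header. Entries with equal counts keep the
# order sort() gives them, exactly as the three original loops did.
#
#   $count_of - hashref of key => occurrence count
#   $limit    - maximum number of rows to print
#   $title    - section title (printed with a leading blank line and a colon)
#   $header   - column header line
sub _print_top {
    my ( $count_of, $limit, $title, $header ) = @_;
    print "\n$title:\n";
    print "$header\n";
    my $shown = 0;
    foreach my $key ( sort { $count_of->{$b} <=> $count_of->{$a} } keys %$count_of ) {
        last if $shown++ >= $limit;
        printf "%5s: %s\n", $count_of->{$key}, $key;
    }
    return;
}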