On Fri, 30 May 2003, Tony wrote:

> Good Evening all,
> 
> I'm sorry to ask a question like this, but here goes.  I want to expand
> weblet a little and would like some pointers.  I'm currently running weblet
> 1.2 under Bering v1.1.  I like the screens where you can view the hits by
> either port or sorted IP address.  What I want to do is, add the
> functionality of the IP address screen to the port screen.
> 
> On the IP screen, the addresses are clickable to view the actual hits the IP
> was associated with.  What I would like to do is have the ports be clickable
> to view a sorted list of IP addresses.  So if I clicked port 53, I could get
> a listing of all the IPs who hit that port.  I could then get the offending
> IPs without having to plow through the current IP list to see who hit what
> port.
> 
> Did I describe that clearly enough?  I viewed the code to see how the
> different pages are rendered and how the subroutines are called, but I
> don't really know sed.  I'm not sure where to start.
> 
> Any pointers would be helpful.

Be sure you recognize that you need to know HTML and CGI concepts also.

But if sed is the issue for you, then really, you _do_ know where to
start.

I would suggest "man sed", "man 7 regex", and Google "regular expression".

A brief decomposition of the "hitssort" option in "viewhits" to get you
started (from an old version of weblet, so my comments may not apply to
the current version):

###########################################################################
 HEAD='<tr><td width="20%">Hits</td><td>IP-Adress</td><td>Date</td></tr>'
  AUS=`grep "Shorewall:" /var/log/messages |\
  sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\<\/td\>\<td\>\<a href=\"viewhits?x_\3\"\>\3\<\/a\><\/td\>\<td\>\1\<\/td\>\<\/tr\>/'|\
  sort  |uniq -c | sort -rn |sed 's/^/\<tr\>\<td\>/'`
  titel="hits sorted by frequency and ip address"
###########################################################################

These are three shell variable assignments used later in the script.  The
second one uses the backtick operator to invoke a pipeline to take
/var/log/messages and reformat lines containing "Shorewall:".  The
pipeline has six commands:

###########################################################################
grep "Shorewall:" /var/log/messages |\
sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\<\/td\>\<td\>\<a href=\"viewhits?x_\3\"\>\3\<\/a\><\/td\>\<td\>\1\<\/td\>\<\/tr\>/'|\
sort  |\
uniq -c |\
sort -rn |\
sed 's/^/\<tr\>\<td\>/'
###########################################################################

You can invoke subsets of this pipeline interactively at the shell prompt
to see what it is doing, like

###########################################################################
grep "Shorewall:" /var/log/messages
###########################################################################

or

###########################################################################
grep "Shorewall:" /var/log/messages |\
sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\<\/td\>\<td\>\<a href=\"viewhits?x_\3\"\>\3\<\/a\><\/td\>\<td\>\1\<\/td\>\<\/tr\>/'
###########################################################################

The sed invocation is using the "substitute" command (s/x/y/).  In this
case every line in the input is expected to match this command, so every
line will have this substitution applied. sed requires an inordinate
amount of "escaping" to protect special characters, so the pattern it is
searching for is really:

###########################################################################
(.{6})(.*SRC=)(.*)( DST=.*)
###########################################################################

.{6} matches any six consecutive characters, while .* matches any zero or
more characters.  The "*" notation is "greedy" so the largest number of
characters possible is used... which effectively pushes the .{6} up
against the beginning of each line of input, where the date (e.g. "May
31") is found.  The second .* grabs all the characters between SRC= and
the space before DST=. Note that this is not the only way this could be
expressed... I would have written this search pattern as

###########################################################################
^(.{6}).*SRC=(.*) DST=.*$
###########################################################################

which would "anchor" the six characters to be grabbed from the beginning
of the line, would not "remember" (with parentheses) all that junk that
isn't going to be used later, and would clearly show that the pattern was
to extend to the end of the line.

Which brings us to sub-matches... the matched portions of the pattern that
fall inside the parentheses.  The s/x/y/ command replaces the x with y,
where y in this case is (really one line)

###########################################################################
\<\/td\>\<td\>\<a
 href=\"viewhits?x_\3\"\>\3\<\/a\><\/td\>\<td\>\1\<\/td\>\<\/tr\>
###########################################################################

or, more readably

###########################################################################
</td><td><a href="viewhits?x_\3">\3</a></td><td>\1</td></tr>
###########################################################################

where "\3" gets replaced with whatever matched the third set of
parentheses, and so forth.

So...
a) modify viewhits?portsort to include an "a" tag invocation of
viewhits?p_nnn for each destination port where nnn is the port number.
b) modify viewhits to add processing for the "p" option based on the
existing "x" option code.
c) post it (perhaps in leaf-devel?) when you get it working.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
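
Added example (not part of the original message and not weblet's own code): steps (a) and (b) above sketched as two shell functions run over constructed Shorewall log lines. Because the port number would arrive from the query string, it is checked to be a number from 1 to 65535 before it is placed in a pattern, and only digits and dots are copied from SRC= into the HTML. The function names port_rows and ips_for_port, the SAMPLE_LOG data and the row markup are assumptions; the p_ option name is the one proposed in step (b).

```shell
#!/bin/sh
# Added example, not weblet code. SAMPLE_LOG holds constructed log lines
# (documentation IP ranges); note DPT=531, which must not count as port 53.
SAMPLE_LOG='May 31 02:14:07 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.1 LEN=60 PROTO=UDP SPT=1044 DPT=53 LEN=40
May 31 02:15:11 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=48 PROTO=TCP SPT=3321 DPT=53 WINDOW=5840
May 31 02:15:12 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.1 LEN=60 PROTO=UDP SPT=1045 DPT=53 LEN=40
May 31 02:16:40 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.1 LEN=48 PROTO=TCP SPT=4000 DPT=135 WINDOW=8192
May 31 02:17:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=48 PROTO=TCP SPT=4100 DPT=531 WINDOW=8192'

# Step (a): one table row per destination port, most-hit first, each port
# linking to the proposed viewhits?p_<port> option. Lines without DPT=
# (e.g. ICMP) are dropped by "sed -n ... p". Using | as the s delimiter
# avoids most of the escaping.
port_rows() {
  grep "Shorewall:" |
  sed -n 's|^.* DPT=\([0-9][0-9]*\).*$|</td><td><a href="viewhits?p_\1">\1</a></td></tr>|p' |
  sort | uniq -c | sort -rn | sed 's|^|<tr><td>|'
}

# Step (b): rows of source IPs that hit port $1, each linking to the existing
# viewhits?x_<ip> option. Reads log lines on stdin; returns 1 on a bad port.
ips_for_port() {
  # $1 would come from the query string: accept digits only, 1..65535,
  # before it is interpolated into the grep pattern.
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
  # ( |$) stops port 53 from also matching 531 or 5353.
  grep -E "Shorewall:.* DPT=$1( |\$)" |
  # [0-9.] assumes IPv4 and keeps anything else out of the HTML and href.
  sed -n 's|^.* SRC=\([0-9.][0-9.]*\) .*$|</td><td><a href="viewhits?x_\1">\1</a></td></tr>|p' |
  sort | uniq -c | sort -rn | sed 's|^|<tr><td>|'
}

# Demo: who hit port 53 in the sample data?
printf '%s\n' "$SAMPLE_LOG" | ips_for_port 53
```
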




------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
