Monks,
I'm in need of your assistance (once again). I have a script that goes through a firewall log file and extracts certain entries. Well, I'm trying to make this script "smarter" by ignoring entries that I don't care about. For example, I don't care about any entries that are flagged by
what is referred to as rule 0. Here is my subroutine that is doing this as well as collecting the "evidence":
######################################################
# evidence: Open up the log file, search for
# the ip, add to array, split array into 15
# lines, test if array is empty or not.
#####################################################
sub evidence {
    my ($action, $src);
    my $count1 = 0;
    @fwlog = ();   # reset per ip, otherwise lines from the previous ip carry over
    foreach (@data) {
        next if m/^\s*$/;   #skip any empty lines (before splitting)
        # NOTE: this tests the whole line, so a bare 0 in any other field
        # (an address octet, a port) also matches; testing the rule field
        # itself would be safer once its column is known
        next if m/\b0\b/;   #skip any rule 0 matches
        ($action, $src) = (split /;/)[5,10];
        if ($action eq 'drop' && $src =~ /\Q$ip\E/) {   # \Q..\E: dots in $ip are literal
            push (@fwlog, $_);
            $count1++;   # already known to match $ip, no second test needed
            last if $count1 >= 16;
        }
    }
    # Return the number of lines collected: true if there is evidence,
    # false (0) if the fwlog array is empty, so the caller can decide
    # whether to keep working on this ip
    return scalar @fwlog;
}
That is working well, but the problem is, I'm only exiting out of the evidence sub, and the rest of the script continues to execute. I would like for the script to completely skip this ip address entirely and move onto the next one. I was thinking a LABEL might work, but this is not being executed in a while loop. Here is the rest of the pertinent parts of the script (note, these subs are called before the evidence sub):
use strict;
use warnings;

# @ips, $outfile, duplicates(), misconfig() and whois() are set up
# earlier in the script (not shown here)
my (@data, @fwlog, $ip, $times, $result);   # declared before the loop that uses them

# Run the script against each ip address
foreach my $x (0 .. $#ips) {
    check($ips[$x][0], $ips[$x][1]);
}

######################################################################
# check: See if the traffic is harmless. This is done by checking if
# the source ip remains constant and the service remains fairly
# constant
######################################################################
sub check {
    $ip    = $_[0];
    $times = $_[1];
    my ($rule, $dst, $service, @service, @dst);
    my $count = 0;
    @data = ();   # reset per ip, otherwise lines from earlier ips accumulate
    open (OUTFILE, $outfile) or die "Can't open $outfile: $!";
    while (<OUTFILE>) {
        push (@data, $_) if /\Q$ip\E/;   # \Q..\E: the dots in $ip are literal, not "any character"
    }
    close OUTFILE;
    foreach (@data) {
        next if m/^\s*$/;   #skip any empty lines
        ($dst, $service) = (split /;/)[11,12];
        # $rule is never assigned, so this test never fires; pull the rule
        # number out of the split above once its column is known
        next if defined $rule && $rule =~ m/\b0\b/;   #skip any rule 0 matches
        push(@service, $service);
        push(@dst, $dst);
    }
    @service = duplicates(@service);
    @dst = duplicates(@dst);
    foreach (@data) {
        $count++ if /\;\Q$dst[0]\E\;/ && /\b\Q$service[0]\E\b/;
    }
    # evidence() returns false when nothing was collected for this ip;
    # returning here skips the rest of check(), and the foreach above
    # moves on to the next ip. ("next" inside a sub is not the way to
    # do this: perl warns "Exiting subroutine via next".)
    return unless evidence();
    if ($count == 0) {
        return;   # done with this ip
    } elsif ($count >= 75) {
        misconfig();
    } else {
        whois();
    }
}
I appreciate any suggestions.
Thanks,
Dru
Another satisfied monk.
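The per-ip skip that the post asks about, as an added stand-alone example (not Dru's script): `evidence()` returns the collected lines, and the calling loop carries a label so that `next IP` abandons everything else for an ip that produced nothing. The log lines are constructed here; the field positions for action, src, dst and service follow the post (5, 10, 11, 12), and the rule number is assumed to sit in field 4 (`$RULE_FIELD`), which the post does not say. Rule 0 is tested on that field rather than on the whole line, because `\b0\b` against the full line would also match a 0 inside any other field.

```perl
#!/usr/bin/perl
# Added example, not the original script. Shows a labelled per-ip loop
# that skips an ip entirely when evidence() finds nothing for it.
use strict;
use warnings;

my $RULE_FIELD = 4;   # ASSUMPTION: column holding the rule number

# Constructed sample log: ';'-separated, 13 fields per line
# 0=seq 1=date 2=time 3=host 4=rule 5=action 6=iface 7=dir 8=proto
# 9=port 10=src 11=dst 12=service
my @log = split /\n/, <<'END';
1;Jan01;00:00:01;fw1;7;drop;eth0;in;tcp;22;10.0.0.5;192.0.2.10;ssh
2;Jan01;00:00:02;fw1;0;drop;eth0;in;tcp;22;10.0.0.5;192.0.2.10;ssh
3;Jan01;00:00:03;fw1;7;drop;eth0;in;tcp;22;10.0.0.5;192.0.2.10;ssh
4;Jan01;00:00:04;fw1;7;accept;eth0;in;tcp;80;10.0.0.9;192.0.2.11;http

5;Jan01;00:00:05;fw1;0;drop;eth0;in;udp;53;10.0.0.9;192.0.2.12;dns
END

# Return up to $max lines for $ip that were dropped by a rule other
# than 0. An empty list means there is nothing to look at for this ip.
sub evidence {
    my ($ip, $max) = @_;
    my @fwlog;
    foreach my $line (@log) {
        next if $line =~ /^\s*$/;                       # empty line
        my @f = split /;/, $line;
        next if $f[$RULE_FIELD] eq '0';                 # rule 0: test the field, not the whole line
        next unless $f[5] eq 'drop' && $f[10] eq $ip;   # exact match; no regex, so dots stay literal
        push @fwlog, $line;
        last if @fwlog >= $max;
    }
    return @fwlog;
}

# Constructed list of ips to examine
my @ips = ('10.0.0.5', '10.0.0.9', '10.0.0.7');

IP: foreach my $ip (@ips) {
    my @fwlog = evidence($ip, 15);
    # no evidence: skip everything else for this ip and move to the next one
    next IP unless @fwlog;
    printf "%s: %d dropped line(s) to examine\n", $ip, scalar @fwlog;
    # the misconfig()/whois() decision for this ip would go here
}
```

Of the three constructed ips, only 10.0.0.5 reaches the `printf`: 10.0.0.9 has one accepted line and one rule-0 drop, and 10.0.0.7 never appears, so `next IP` skips both. Since the loop is a plain `foreach` and the label is on the loop rather than inside the sub, the same effect is obtained without a label by `return`ing early from the sub that does the per-ip work, as long as the sub's caller is the loop body itself.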