can perl do this easily?


Fandelem
12-05-2000, 01:34 AM
I get tons of port scans a day.

I have all port scans periodically moved into another file (which was easy for me to learn how to do, grin).. but it's a lengthy procedure running through all of the IP addresses and such.

here are the log entries:

Dec 4 02:13:14 server kernel: Packet log: input DENY ppp0 PROTO=6 63.161.207.199:2417 209.212.133.47:139 L=48 S=0x00 I=24870 F=0x4000 T=116 SYN (#37)

My question: Can perl somehow run through each line, log the date, and when it finds "PROTO=x" it will store that into a variable, then can it move two : (semicolons) and log the port number which the scan was intended for? (can perl log from characterX to characterY or can it just store X amount of spaces?) which would then store that into a variable as well.. and could then perl (dynamically?) create a file to store each result and just loop it till EoF?

I'm pretty sure I could do the last part of what I'm asking.. but could someone help me write a little perl script to handle the first part?

thanks in advance,

~kyle

YaRness
12-05-2000, 09:27 AM
here's a start for you. i'd suggest reading up on perl.... www.perl.com (http://www.perl.com) has tutorials.



#!/usr/bin/perl -w
#this hasn't been tested or even checked for bugs
#run: thisscript <logfile>
#
#first let's get the name of the logfile
#from the command line
#
#if there is no argument on the command line
# then bail out with an error
if (! ($#ARGV>=0) ) {die "$0: usage: $0 <filename>\n";}
#
#now open the file. as is, this will (i think)
#only accept file names with letters, numbers, and a few extra characters
#(it strips off any weird characters)
$ARGV[0]=~tr/a-zA-Z0-9._//cd;
open (INFILE, "$ARGV[0]") or die "Cannot open $ARGV[0] ($!)\n";
#
#now we parse the file
while (<INFILE>)
{
    #basically the regexp says if
    # "^" starting from the beginning of the line, there exists
    # "[a-zA-Z]{3}" any 3 letters (ie, the
    #month abbreviation), then
    # "\s*" any number of spaces, and then
    # "[0-9]{1,2}" one or two numbers (the day
    # of the month),
    # ".+$" followed by any combination of characters (at least one as this is stated)
    #until the end of the line, then copy the
    #stuff between the ()s in the regex to $1
    if (/^([a-zA-Z]{3}\s*[0-9]{1,2}).+$/)
    {
        #here we print the date we just extracted
        print "$1\n";
    }
}
close (INFILE);


ok, so i lied, i did test it. anyway, do a man perl, it should list all the other manfiles... they are fairly well written and some are tutorials, there are also good tutorials on www.perl.com (http://www.perl.com) (especially here (http://www.perl.com/reference/query.cgi?tutorials)). this should get you started at least

------------------
"Assembly of Japanese bicycle require great peace of mind."
Registered Linux User #188285 http://counter.li.org/
------------------
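Taking the original question end to end (log the date, pick up the PROTO value, read the port the probe was aimed at, and drop each result into its own file), here is an added example that is not Fandelem's or YaRness's code. It builds on the date regex from the posted script but captures the addresses and ports directly instead of counting colons, uses a three-argument open in place of the tr/// filename scrub, and keeps a running count per destination port and per source address so a day's worth of scans can be read at a glance. The sample lines are constructed for the example (the first is the one quoted in the question; the others use RFC 5737 documentation addresses), and the output directory name, the per-port file naming and the summary format are my own assumptions.

```perl
#!/usr/bin/perl
# Added example, not the code posted in the thread: parse ipchains-style
# "Packet log" lines, extract the date, PROTO value and destination port,
# append each hit to one file per protocol/port, and print a summary.
use strict;
use warnings;

# Constructed sample input in the format quoted in the question. The first
# line is the one from the post; the rest are made up (RFC 5737 addresses).
my @sample = (
    'Dec 4 02:13:14 server kernel: Packet log: input DENY ppp0 PROTO=6 63.161.207.199:2417 209.212.133.47:139 L=48 S=0x00 I=24870 F=0x4000 T=116 SYN (#37)',
    'Dec 4 02:13:15 server kernel: Packet log: input DENY ppp0 PROTO=6 63.161.207.199:2418 209.212.133.47:445 L=48 S=0x00 I=24871 F=0x4000 T=116 SYN (#37)',
    'Dec 4 03:01:02 server kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.9:1025 209.212.133.47:137 L=78 S=0x00 I=4210 F=0x0000 T=64 (#37)',
    'Dec 4 03:05:44 server kernel: something unrelated happened',
);

# Parse one line. Returns a hash ref (date, time, proto, src, sport, dst,
# dport) or undef for lines that are not "Packet log" entries. The regex
# does the "move two colons" step from the question: after PROTO=n come
# "src:sport" and then "dst:dport", so we capture those pieces directly.
sub parse_line {
    my ($line) = @_;
    return undef unless $line =~ m/
        ^([A-Za-z]{3}\s+\d{1,2})\s+(\d\d:\d\d:\d\d)   # date and time
        .*?\bPROTO=(\d+)\s+                           # protocol number
        (\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+            # source addr:port
        (\d{1,3}(?:\.\d{1,3}){3}):(\d+)               # dest addr:port
    /x;
    return {
        date => $1, time => $2, proto => $3,
        src  => $4, sport => $5, dst => $6, dport => $7,
    };
}

# Read lines from $in, write one file per proto/dport into $outdir
# (assumed layout), and return hit counts per proto-dport and per source.
sub process {
    my ($in, $outdir) = @_;
    mkdir $outdir unless -d $outdir;
    my (%fh, %by_port, %by_src);
    while (my $line = <$in>) {
        chomp $line;
        my $rec = parse_line($line) or next;
        my $key = "$rec->{proto}-$rec->{dport}";
        # Open each per-port file once and keep the handle for later lines.
        unless ($fh{$key}) {
            my $path = "$outdir/proto$rec->{proto}-port$rec->{dport}.log";
            open($fh{$key}, '>>', $path) or die "Cannot open $path ($!)\n";
        }
        print { $fh{$key} } "$rec->{date} $rec->{time} $rec->{src}\n";
        $by_port{$key}++;
        $by_src{ $rec->{src} }++;
    }
    close $_ for values %fh;
    return (\%by_port, \%by_src);
}

my $outdir = 'scanlog';    # assumed output directory
my $in;
if (@ARGV) {
    open($in, '<', $ARGV[0]) or die "Cannot open $ARGV[0] ($!)\n";
} else {
    # No file given: read the constructed sample from an in-memory handle.
    my $text = join("\n", @sample) . "\n";
    open($in, '<', \$text) or die "Cannot open sample input ($!)\n";
}
my ($by_port, $by_src) = process($in, $outdir);
close $in;

print "hits per proto-dport:\n";
printf "  %-8s %d\n", $_, $by_port->{$_} for sort keys %$by_port;
print "hits per source:\n";
printf "  %-16s %d\n", $_, $by_src->{$_} for sort keys %$by_src;
```

Run it as `perl scanlog.pl /var/log/messages` to process a real file, or with no argument to see it work on the built-in sample (the unrelated fourth line is skipped because parse_line returns undef for it). Keying the output files on protocol as well as port matters because PROTO=6 port 139 and PROTO=17 port 139 are different services, and the per-source count is usually what you actually want when deciding whether a burst of denied packets was one scanner walking your ports or background noise.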