Flowfile newbie: followup
Peter Van Epp
vanepp at sfu.ca
Tue Nov 5 16:22:39 EST 2002
Since I haven't done it in a while I may as well spam this to the list
in case there is other interest :-):
port.pl (as an example of what can be done) prints out totals sorted in
reverse numeric order, followed by the port (or ports) that carried the traffic, which
is I think what you wanted. It will process the argus files supplied on the
command line, as in:
./port.pl archive/2002/11/04/*
Modifying the basic script allows extracting almost anything. Dates are in
time_t format to make arithmetic easier; changing ra.conf will change that.
#!/usr/bin/perl
use Socket;
require "/usr/local/bin/new_parse_argus_log.pl";
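my @files = @ARGV;
# Byte totals keyed by destination port, later inverted so the report can
# list every port that reached the same total.  %data / %counts are private
# to this script; $type, $date, $dst_port, $src_bytes and $dst_bytes are
# package globals filled in by parse_argus_log() from new_parse_argus_log.pl.
my %data;
my %counts;
my $line = 0;
our ($type, $date, $dst_port, $src_bytes, $dst_bytes, $start_time);
$start_time = "";
foreach my $file ( @files ) {
    # List-form pipe open: $file comes straight from @ARGV, so it is handed
    # to ra as a single argv element and never passes through a shell.
    open (my $in, '-|', '/usr/local/bin/ra', '-F', '/data/ra.conf',
          '-I', '-c', '-p', '6', '-r', $file)
        or die "can't open $file $!";
    # print STDERR "$file\n";
    while (<$in>) {
        $line++;
        if (($line % 10000) == 0) {
            print STDERR "Processing $line\n";
        }
        chomp;      # chop would also eat a data byte if the last line lacks "\n"
        parse_argus_log($_);
        if ($type eq "man") {
            # if this is a man stats line just skip it.
            next;
        }
        if ($start_time eq "") {
            $start_time = $date;
        }
        $data{$dst_port} += $src_bytes + $dst_bytes;
    }
    # On a pipe a false close means ra exited non-zero ($? holds the status);
    # say so rather than silently printing partial totals.
    close($in) or warn "ra exited with status $? while reading $file\n";
}
foreach my $port (keys %data) {
    $counts{$data{$port}} .= "\t$port\n";
}
foreach my $count (sort numerically (keys %counts)) {
    my $pcount = commas($count);
    print "$pcount\n$counts{$count}\n";
}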
# sort() comparator: descending numeric order (largest total first).
sub numerically {
    return $b <=> $a;
}
# Insert thousands separators into a digit string: 1234567 -> 1,234,567.
sub commas {
    my ($number) = @_;
    # Each pass moves one comma in from the right; stop when none fits.
    while ($number =~ s/(.*\d)(\d\d\d)/$1,$2/) { }
    return $number;
}
---- end of port.pl ----
It needs argus-2.x and these supporting files (change to taste):
/data/ra.conf:
RA_FIELD_DELIMITER='\t'
RA_PRINT_HOSTNAMES=no
RA_PRINT_UNIX_TIME=yes
RA_PRINT_STARTIME=yes
RA_PRINT_LASTIME=yes
RA_USEC_PRECISION=6
--- end of ra.conf ---
/usr/local/bin/new_parse_argus_log.pl
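sub main::parse_argus_log {
    # Parse one argus log line (as printed by ra with RA_FIELD_DELIMITER set
    # to a tab) into the package globals below, so a perl script can scan log
    # files without knowing the column layout.
    #
    # Sets, in package main: $date $edate $flag $type $src_ip $src_port
    # $mid_flag $dst_ip $dst_port $src_pkt $dst_pkt $src_bytes $dst_bytes
    # $end_flag $src_net $dst_net.  Every field is a string; a column that
    # is missing or empty on the line becomes "" rather than undef.
    my ($line) = @_;
    our ($date, $edate, $flag, $type, $src_ip, $src_port, $mid_flag,
         $dst_ip, $dst_port, $src_pkt, $dst_pkt, $src_bytes, $dst_bytes,
         $end_flag, $src_net, $dst_net);

    # The -1 limit keeps trailing empty columns (e.g. an empty end flag)
    # instead of dropping them; the slice plus map turns any column that is
    # still missing into "", so the list assignment never leaves a global
    # undef (the original "" initialisation was silently overwritten here).
    my @field = split(/\t/, $line, -1);
    ( $date, $edate, $flag, $type, $src_ip, $src_port, $mid_flag,
      $dst_ip, $dst_port, $src_pkt, $dst_pkt, $src_bytes, $dst_bytes, $end_flag )
        = map { defined($_) ? $_ : "" } @field[0 .. 13];

    # First three octets of each address; the fourth is not needed.
    my ($s1, $s2, $s3) = split(/\./, $src_ip);
    my ($d1, $d2, $d3) = split(/\./, $dst_ip);

    if ($type eq "icmp") {
        # Echo replies (ECR) are kept distinct from the rest of icmp.
        my $label = ($end_flag eq "ECR") ? "icmp ECR" : "icmp";
        $src_port = $label;
        $dst_port = $label;
    }
    if ($src_port eq "") {
        # For types that don't have ports insert the type as
        # both ports.
        $src_port = $type;
        $dst_port = $type;
    }
    $src_net = "$s1.$s2.$s3.";
    $dst_net = "$d1.$d2.$d3.";
}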
# Return 1 if the argument (a dotted-quad string) lies in one of SFU's
# networks, otherwise 0.
sub main::is_our_net {
    my ($addr) = @_;
    # Every prefix is anchored to the start of the string, so "1142.58.x"
    # does not match.
    my $ours = qr{
          ^142\.58\.
        | ^199\.60\.[1-9]\.   | ^199\.60\.1[0-8]\.
        | ^192\.75\.24[0-7]\.
        | ^204\.239\.18\.
        | ^206\.12\.128\.
        | ^206\.12\.17\.
        | ^206\.12\.6\.
        | ^206\.12\.30\.
        | ^207\.23\.85\.
        | ^207\.23\.86\.
        | ^209\.87\.31\.
    }x;
    return ($addr =~ $ours) ? 1 : 0;
}
# Return 1 if the argument (a dotted-quad string) is a Burnaby-campus
# prefix as listed below, otherwise 0.  Note that 224.0.0.0/8 (multicast)
# is deliberately counted as Burnaby here.
sub main::is_bby {
    my ($addr) = @_;
    my $bby = qr{
          ^142\.58\.
        | ^199\.60\.[1-9]\.   | ^199\.60\.1[0-8]\.
        | ^204\.239\.18\.
        | ^206\.12\.128\.
        | ^206\.12\.17\.
        | ^206\.12\.6\.
        | ^207\.23\.85\.
        | ^207\.23\.86\.
        | ^44\.135\.160\.
        | ^44\.135\.172\.
        | ^44\.135\.173\.
        | ^224\.
        | ^209\.87\.31\.
    }x;
    return ($addr =~ $bby) ? 1 : 0;
}
# Return 1 if the argument (a dotted-quad string) is a Harbour Centre
# prefix, otherwise 0.
sub main::is_hc {
    my ($addr) = @_;
    # NOTE(review): the 142.231.1. alternative is unanchored, unlike every
    # other prefix in this file, so it matches anywhere in the string; kept
    # as-is to preserve behaviour, but it looks like a missing ^.
    my $hc = qr{
          ^192\.75\.24[0-7]\.
        | 142\.231\.1\.
        | ^206\.12\.30\.
    }x;
    return ($addr =~ $hc) ? 1 : 0;
}
# Return 1 if the argument (a dotted-quad string) is a TechBC prefix,
# otherwise 0.
sub main::is_techbc {
    my ($addr) = @_;
    my $techbc = qr{
          ^209\.87\.56\.
        | ^209\.87\.57\.
        | ^209\.87\.58\.
        | ^206\.12\.16\.
    }x;
    return ($addr =~ $techbc) ? 1 : 0;
}
1;    # require() needs the file's last statement to evaluate true
---- end of new_parse_argus_log.pl ----
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada