PerlMonks  

tcpdump filter (sample use of Quantum::Superpositions)

by diotalevi (Canon)
on May 19, 2003 at 13:20 UTC ( [id://259141] )

This is a really simple demo of a real-world way to use Quantum::Superpositions. I use this to filter out a lot of the noise from my pf firewall logs and figured I'd share since I think that more people need to understand how useful the any() operator is. You'll get this right in the core of perl6.

Added: fixed qw(). I seem to have mistaken it for the regex flag /x.

    use strict;
    use Quantum::Superpositions;

    # Globals are set once in INIT so the script also works under perl -n,
    # which wraps the main body in an implicit while (<>) loop.
    our ($r, $ignore_src_ip, $ignore_src_prt, $ignore_dst_prt);
    INIT {
        my $r_date = "\\w+\\s+\\d+";
        my $r_time = "[\\d:.]+";
        my $r_ip   = "\\d+\\.\\d+\\.\\d+\\.\\d+";
        my $r_port = "\\d+";
        my $r_dir  = "[<>]";
        my $r_text = ".+";
        # date  time  src_ip.src_port  dir  [dst_ip.]dst_port:  text
        $r = qr[^($r_date)\s+($r_time)\s+($r_ip)\.($r_port)\s+($r_dir)\s+(?:($r_ip)\.)?($r_port):\s+($r_text)];

        # any() builds a junction: a single eq/== against it is true when
        # it holds for any one of the members.
        $ignore_src_ip  = any(qw[ 198.144.10.227 163.228.80.5 198.144.10.143 ]);
        $ignore_src_prt = 53;
        $ignore_dst_prt = any(
            137,    # NETBIOS Name Service
            139,    # NETBIOS Session Service
            445,    # Win2k+ Server Message Block
            1434,   # SQL Slammer / Sapphire worm
        );
    }

    # Under perl -n this loop is implicit and the log is read from STDIN;
    # reading DATA here filters the sample lines after __END__ when the
    # script is run directly.
    while (<DATA>) {
        my ($date, $time, $src_ip, $src_prt, $dir, $dst_ip, $dst_prt, $text) = /$r/;
        next if $src_ip  eq $ignore_src_ip
             or $src_prt == $ignore_src_prt
             or $dst_prt == $ignore_dst_prt;
        print;
    }

    __END__
    May 17 20:38:18.469635 64.180.225.226.1025 > 137: udp 50
    May 17 21:07:01.043863 202.108.249.21.1122 > 1434: udp 376
    May 17 21:38:22.550924 210.14.199.234.4110 > 445: S 318758155:318758155(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    May 17 21:38:54.775616 216.219.104.135.1236 > 1434: udp 376
    May 17 21:51:00.660588 63.203.70.246.1028 > 137: udp 50
    May 17 22:04:31.767281 218.187.142.250.1029 > 137: udp 50

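The same noise filter, re-implemented in Python as an added example (not code from the post or from Quantum::Superpositions). Set membership (`x in S`) stands in for the post's `$x == any(@S)` junction. The sample log lines are constructed for the example, modelled on the post's tcpdump output. One caveat a practitioner will want, which the example also shows: the post's rule drops everything with source port 53, and a remote host can choose its source port freely, so a scan sent from source port 53 would be filtered out as "DNS replies". The `is_noise_strict` variant and its 1023 threshold (only treat sport 53 as a reply when the destination port is unprivileged) are the editor's own assumption, not part of the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Same shape as the post's regex:
#   date  time  src_ip.src_port  dir  [dst_ip.]dst_port:  text
LINE_RE = re.compile(
    r"^(?P<date>\w+\s+\d+)\s+"
    r"(?P<time>[\d:.]+)\s+"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<src_port>\d+)\s+"
    r"(?P<dir>[<>])\s+"
    r"(?:(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.)?(?P<dst_port>\d+):\s+"
    r"(?P<text>.+)$"
)


@dataclass
class Record:
    date: str
    time: str
    src_ip: str
    src_port: int
    direction: str
    dst_ip: Optional[str]   # absent in the post's lines, hence optional
    dst_port: int
    text: str


def parse_line(line):
    """Return a Record for a tcpdump-style line, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Record(m["date"], m["time"], m["src_ip"], int(m["src_port"]),
                  m["dir"], m["dst_ip"], int(m["dst_port"]), m["text"])


# Noise sets with the same values the post uses.
IGNORE_SRC_IP = {"198.144.10.227", "163.228.80.5", "198.144.10.143"}
IGNORE_SRC_PORT = {53}
IGNORE_DST_PORT = {137, 139, 445, 1434}   # NetBIOS, SMB, SQL Slammer


def is_noise(rec):
    """The post's rule: `in` on a set plays the role of the any() junction."""
    return (rec.src_ip in IGNORE_SRC_IP
            or rec.src_port in IGNORE_SRC_PORT
            or rec.dst_port in IGNORE_DST_PORT)


def is_noise_strict(rec):
    """Same rule, but source port 53 only counts as a DNS reply when it is
    headed for an unprivileged port (threshold 1023 is an assumption), so a
    scan that deliberately uses sport 53 against e.g. port 22 is still shown."""
    dns_reply = rec.src_port in IGNORE_SRC_PORT and rec.dst_port > 1023
    return (rec.src_ip in IGNORE_SRC_IP
            or dns_reply
            or rec.dst_port in IGNORE_DST_PORT)


def filter_log(lines, predicate=is_noise):
    """Return the lines that survive the filter. Lines that do not parse are
    kept, matching the Perl, where a failed match leaves every capture undef
    and none of the comparisons fire."""
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and predicate(rec):
            continue
        kept.append(line)
    return kept


# Constructed sample input (not real log data); the first three lines follow
# the post's format, the rest exercise the whitelist and the sport-53 case.
SAMPLE_LINES = """\
May 17 20:38:18.469635 64.180.225.226.1025 > 137: udp 50
May 17 21:07:01.043863 202.108.249.21.1122 > 1434: udp 376
May 17 21:38:22.550924 210.14.199.234.4110 > 445: S 318758155:318758155(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
May 17 21:40:00.000000 198.144.10.227.4000 > 22: S 1:1(0) win 16384
May 17 21:41:00.000000 10.0.0.9.53 > 1027: udp 120
May 17 21:42:00.000000 203.0.113.5.53 > 22: S 99:99(0) win 512
May 17 21:43:00.000000 203.0.113.7.3333 > 8080: S 7:7(0) win 512
garbage that does not parse
""".splitlines()


if __name__ == "__main__":
    print("--- post's rule ---")
    for line in filter_log(SAMPLE_LINES):
        print(line)
    print("--- strict rule ---")
    for line in filter_log(SAMPLE_LINES, is_noise_strict):
        print(line)
```

With the post's rule only the 203.0.113.7 SYN and the unparsable line survive; the SYN to port 22 from source port 53 is silently dropped. The strict variant keeps that line as well while still dropping the real DNS reply to port 1027.
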
Re: tcpdump filter (sample use of Quantum::Superpositions)
by Juerd (Abbot) on May 19, 2003 at 13:37 UTC

    # qw[] splits on whitespace only, so the '#' and the comment words
    # become list elements of their own.
    @foo = qw[ 137 # NETBIOS Name Service
               139 # NETBIOS Session Service
               445 # Win2k+ Server Message Block
               1434 # SQL Slammer / Sapphire worm ];
    print join ':', @foo;
    print "\n";

    137:#:NETBIOS:Name:Service:139:#:NETBIOS:Session:Service:445:#:Win2k+:Server:Message:Block:1434:#:SQL:Slammer:/:Sapphire:worm

    Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }
