#!/usr/bin/perl -w


#############################################################################
## This machine-generated file was created Tue Jul  9 14:02:29 2002.
## It was built from the following files:
##   rpatwatch.p		(dated Tue Jul  9 11:50:30 2002)
## 
## Changes to this file will be lost when it is rebuilt
#############################################################################

#
# $Id: //pentools/main/rpat/rpatwatch.p#2 $
#
# written by :	Stephen J. Friedl
#               Software Consultant
#               Tustin, California USA
#               steve@unixwiz.net / www.unixwiz.net
#
#		=== This code is in the public domain ===
#
#	This ad-hoc program tails the Apache logfile and looks for the
#	particular entries that identify likely abusers via the anon
#	proxy. Once found, the IP address of interest is sent off to
#	the RPAT daemon for processing.
#
#	This should be modified to fit local demands: it's unlikely that
#	your application will work like ours did.
#

use strict;
use English;

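# Argument handed to ./rpatc telling it where the RPAT daemon listens.
my $dest = "--dest=127.0.0.1:4321";	# where is the server?

# The log follower is spelled out as an argument list so that it is
# started directly rather than through a shell.
my @tail_cmd = ( 'tail', '-F', '/apache/logs/access_log' );

open(my $tail, '-|', @tail_cmd)
	or die "ERROR: cannot open {@tail_cmd}: $!\n";

# Read the access log line by line for as long as tail keeps running.
# Lines that match the expected layout and look like a failed,
# authenticated HEAD request have their address sent to the RPAT daemon.
LINE:
while ( my $line = <$tail> )
{
	$line =~ s/\s+$//;		# drop the newline and trailing blanks

	if ( $line =~ m/^     \d+ 	# UNIX time
		\s+  \S+ 		# web host
		\s+ (\S+)		# IP address
		\s+ (\S+)		# second field, unused here
		\s+ (\S+)		# auth field; a lone dash is skipped below
		\s+ \[[^]]+]		# date and time
		\s+ "([^"]+)"		# request
		\s+ (\S+)		# result code
		\s+ (\S+)		# number of bytes
		\s+ "[^"]+"		# referrer
		\s+ "[^"]+"		# user agent
		/x )
	{
		my ($ip, $auth, $request, $result) = ( $1, $3, $4, $5 );

		next LINE unless $request =~ m/^HEAD/;
		next LINE unless $result  eq '401';	# "Unauthorized"
		next LINE if     $auth    eq '-';

		# The pattern above only guarantees "no whitespace" for the
		# address field. Before it becomes a command-line argument,
		# require it to look like an address or host name; in
		# particular it must not start with a dash, which rpatc
		# could take for an option.
		unless ( $ip =~ m/\A[0-9A-Za-z:][0-9A-Za-z.:_-]*\z/ )
		{
			print "Ignoring unexpected address {$ip}\n";
			next LINE;
		}

		print "IP={$ip} auth={$auth} $request\n";	# debug

		# List form: the arguments go straight to rpatc without a
		# shell, so metacharacters in log data are never interpreted.
		system('./rpatc', $dest, 'work', $ip) == 0
			or warn "WARNING: rpatc failed for {$ip} (status $?)\n";
	}
	else
	{
		print "Cannot decode {$line}\n";
	}
}

close $tail;

exit 0;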
