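#!/usr/bin/perl -w
#
# (C) 2009, W. Dean Freeman //bsDaemon (Slashdot ID 83707)
#
# It's nothing special, but it makes my life easier. It's good for
# getting info out of logs of various network-related services such as
# ftp, mail or dom logs. Also I find it fairly handy for parsing out netstat as well.
#
# Any suggestions are welcome.
#
# Usage: ipparse.pl [LOGFILE ...]    (reads standard input when no file is given)
#
# Output, one line per distinct IPv4 address, most frequent first:
#   <count>\t<address>\t<reverse DNS name or NXDOMAIN>\t<country or unknown>

# I'm on a "let's not be [too] sloppy" kick lately
use strict;
use warnings;

# Core module: AF_INET instead of the magic number 2 for gethostbyaddr().
use Socket qw(AF_INET);

# This comes from CPAN, but still you need to separately fetch and install the dat file
use Geo::IP::PurePerl;

# Reverse-DNS names are chosen by whoever controls the remote netblock, so anything
# outside printable ASCII (control characters, terminal escapes) is masked before
# the name reaches a terminal or a pager.
my $UNSAFE_CHARS = qr/[^\x20-\x7e]/;

# _is_ipv4(ADDR) -> true when ADDR is a dotted quad whose four octets are each 0..255.
# The matching regex only guarantees "digits and dots"; without this check a value
# such as 999.1.1.1 would reach pack("C4") and be silently truncated to 231.1.1.1.
sub _is_ipv4 {
    my ($addr) = @_;
    my @octets = split /\./, $addr;
    return 0 unless @octets == 4;
    return 0 if grep { $_ > 255 } @octets;
    return 1;
}

# _count_addresses(FH) -> hashref of { address => number of occurrences }.
# Every IPv4 address on every line is counted, not just the first one per line.
# The fourth separator is an escaped dot: the original pattern used a bare '.' there,
# so "1.2.3x4" was being counted as an address.
sub _count_addresses {
    my ($fh) = @_;
    my %count_of;
    while (my $line = <$fh>) {
        for my $addr ($line =~ /\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b/g) {
            next unless _is_ipv4($addr);
            $count_of{$addr}++;
        }
    }
    return \%count_of;
}

# _reverse_name(ADDR) -> PTR name for ADDR, or "NXDOMAIN" when the lookup yields nothing.
# gethostbyaddr() wants a packed address, hence the pack("C4"). Where `host` would say
# NXDOMAIN or SERVFAIL, gethostbyaddr() returns undef; substituting a string here is what
# keeps -w quiet instead of printing an "uninitialized value" complaint per address.
sub _reverse_name {
    my ($addr) = @_;
    my $packed = pack 'C4', split /\./, $addr;
    my $name = gethostbyaddr($packed, AF_INET);
    return 'NXDOMAIN' unless defined $name && length $name;
    (my $clean = $name) =~ s/$UNSAFE_CHARS/?/g;
    return $clean;
}

# _country_name(GEOIP, ADDR) -> country name, or "unknown" when the database has no
# entry for ADDR (loopback, RFC 1918 space and the like come back empty).
# ADDR is always a dotted quad here, so the direct by-address lookup is used.
sub _country_name {
    my ($geoip, $addr) = @_;
    my $country = $geoip->country_name_by_addr($addr);
    return defined $country && length $country ? $country : 'unknown';
}

# _format_line(COUNT, ADDR, NAME, COUNTRY) -> one output line, newline included.
# Every field is a printf argument; nothing is interpolated into the format string,
# so a '%' inside a DNS name or country name can never be read as a directive.
sub _format_line {
    my ($count, $addr, $name, $country) = @_;
    return sprintf "%d\t%16s\t%50s\t%s\n", $count, $addr, $name, $country;
}

# main() -> exit status. Counts the addresses found on STDIN (or the files named in
# @ARGV), looks each one up, and prints the table sorted by descending count, ties
# broken by address string, to STDOUT.
sub main {
    # NOTE: the ARGV handle uses two-argument open semantics, so a file argument such
    # as "|cmd" would be executed; on perl 5.22+ the <<>> operator avoids that.
    my $count_of = _count_addresses(\*ARGV);

    # One lookup object for the whole run. The original created one per address, which
    # re-opened the GeoIP database on every iteration of the loop.
    my $geoip = Geo::IP::PurePerl->new(GEOIP_STANDARD);

    # Sorting in-process replaces the earlier `|sort -rn` pipe: no child process is
    # started through the shell and there is no pipe status to check on close.
    my @by_count = sort { $count_of->{$b} <=> $count_of->{$a} || $a cmp $b } keys %$count_of;

    # Not having to copy and paste the output of `cat $log |awk '{print $1}'|sort -r|uniq -c|sort -rn`
    # to find out if the IP was worth calling an attacker and kicking out is, quite frankly, the reason
    # I wrote this, so it's the most important part (to me).
    for my $addr (@by_count) {
        print _format_line($count_of->{$addr}, $addr,
                           _reverse_name($addr), _country_name($geoip, $addr));
    }
    return 0;
}

# Run only when executed directly; when require'd (e.g. by a test) the subs are
# available without reading any input.
exit main() unless caller;

__END__

=head1 NAME

ipparse.pl

=head1 CONTACT

!spam-dean@14thanddock.com

=pod OSNAMES

Linux, BSD

=pod SCRIPT CATEGORIES

Networking, UNIX: System Administration

=cut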