[SOLVED] perl: turn ip address to hostname : it works, kind of.

////// · 02-06-2021, 10:14 AM

hello all.

i am writing script that parses suricata alerts.
i want to turn ip addresses to hostnames.

here is the code :

Code:

#!/usr/bin/perl
use warnings;
use strict;
use Socket;

use vars qw( @alerts @ipnumbers $gethostname $hostname $ip_to_host $ip );

@alerts = ( '8.8.8.8:666',
	    '8.8.8.8:80',
	    '8.8.4.4:333',
	    '11.11.11.11:222',
	    '22.22.22.22:999',
	    '0.0.0.0:443',
	    '1.1.1.1:443',
	    '2.2.2.2:7777'
           );


foreach $ip (@alerts) {
	#print "$ip\n";

	if ($ip =~ /([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\:[0-9]{1,7}/) {
		#print "$1\n";
	
		push(@ipnumbers, ($1));
	}
}

foreach $ip (@ipnumbers) {
	gethostname($ip);
}

sub gethostname {
	
$ip_to_host = $_[0];

if ($ip_to_host =~ /^([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})$/) {
		
	#print "$ip_to_host\n";
	$hostname = gethostbyaddr(inet_aton($ip_to_host), AF_INET)
	or die "Can't resolve $ip_to_host $!\n";
	print "$hostname\n";
		
	} else {
		print "blah\n";		
	}
}

the problem with it is that if it fails to turn ip to hostname it exits. i suspect that that die needs to be changed to something else so that function can carry on turning ip's to hostnames. but my skill atm aren't enough.

Code:

[root@arch Downloads]# perl /home/vile/Documents/lq.pl
dns.google
dns.google
dns.google
Can't resolve 11.11.11.11
[root@arch Documents]#

it exits after "Can't resolve 11.11.11.11".

i would like to continue to the end of ip address list.

Code:

@alerts = ( '8.8.8.8:666',
	    '8.8.8.8:80',
	    '8.8.4.4:333',
	    '11.11.11.11:222',
	    '22.22.22.22:999',
	    '0.0.0.0:443',
	    '1.1.1.1:443',
	    '2.2.2.2:7777'
           );

boughtonp · 02-06-2021, 11:53 AM

Yes, you're asking it to stop with the "or die". As per line one of the die documentation: "die raises an exception" - exceptions cause scripts to stop (unless the exceptions are specifically handled).

The above doc also mentions a warn which appears to print to stderr and continue, so that's probably what you want, but if not then you can probably manually print to stderr yourself.

Another option might be a standard if statement, i.e: "if ( $hostname = gethostbyaddr(...) ) { success-actions } else { failure-actions }"

////// · 02-06-2021, 11:56 AM

Code:

"if ( $hostname = gethostbyaddr(...) ) { success-actions } else { failure-actions }"

ill have to try it, thanks for the idea.

////// · 02-06-2021, 12:57 PM

got it to work.

Code:

sub gethostname {
	
$ip_to_host = $_[0];

if ($ip_to_host =~ m/(^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$)/) {
	sleep 1;
	
	if ( $hostname = gethostbyaddr(inet_aton($ip_to_host), AF_INET )) {
		print "$hostname\n";
		
		} else {
			
			print "Can't resolve $ip_to_host\n";	
		} 
	}
}
	
if ($ip_to_host =~ m// ) {
	die "No more ips to hosts.\n";
}

^that does it

is that "die" needed or at correct line?

Code:

#!/usr/bin/perl
use warnings;
use strict;
use Socket;

use vars qw( @alerts @ipnumbers $gethostname $hostname $ip_to_host $ip );

@alerts = ( '8.8.8.8:666',
			'8.8.8.8:80',
			'8.8.4.4:333',
			'11.11.11.11:222',
			'22.22.22.22:999',
			'0.0.0.0:443',
			'1.1.1.1:443',
			'2.2.2.2:7777'
			);


foreach $ip (@alerts) {
	#print "$ip\n";

	if ($ip =~ /([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\:[0-9]{1,7}/) {
		#print "$1\n";
	
		push(@ipnumbers, ($1));
	}
}

foreach $ip (@ipnumbers) {
	gethostname($ip);
}

sub gethostname {
	
$ip_to_host = $_[0];

if ($ip_to_host =~ m/(^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$)/) {
	sleep 1;
	
	if ( $hostname = gethostbyaddr(inet_aton($ip_to_host), AF_INET )) {
		print "$hostname\n";
		
		} else {
			
			print "Can't resolve $ip_to_host\n";	
		} 
	}
}
	
if ($ip_to_host =~ m// ) {
	die "No more ips to hosts.\n";
}

thanks again for the idea.

rnturn · 02-12-2021, 12:19 AM

Quote:

Originally Posted by //////

hello all.

i am writing script that parses suricata alerts.
i want to turn ip addresses to hostnames.

here is the code :

Code:

#!/usr/bin/perl
use warnings;
use strict;
use Socket;

use vars qw( @alerts @ipnumbers $gethostname $hostname $ip_to_host $ip );

@alerts = ( '8.8.8.8:666',
	    '8.8.8.8:80',
	    '8.8.4.4:333',
	    '11.11.11.11:222',
	    '22.22.22.22:999',
	    '0.0.0.0:443',
	    '1.1.1.1:443',
	    '2.2.2.2:7777'
           );


foreach $ip (@alerts) {
	#print "$ip\n";

	if ($ip =~ /([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\:[0-9]{1,7}/) {
		#print "$1\n";
	
		push(@ipnumbers, ($1));
	}
}

foreach $ip (@ipnumbers) {
	gethostname($ip);
}

sub gethostname {
	
$ip_to_host = $_[0];

if ($ip_to_host =~ /^([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})$/) {
		
	#print "$ip_to_host\n";
	$hostname = gethostbyaddr(inet_aton($ip_to_host), AF_INET)
	or die "Can't resolve $ip_to_host $!\n";
	print "$hostname\n";
		
	} else {
		print "blah\n";		
	}
}

Sounds like you may have something that's working now but I wanted to ask:

Why use that regex to validate the IP address string twice? @ipnumbers should have an IP address already; unless I'm missing something, there's no need to re-validate in gethostname().
Couldn't you have created the IP address list by simply splitting the elements of @alerts on the ":", validating the first part, before pushing it onto @ipnumbers? Unless getgostbyaddr() demands it (and I can't recall ever having used it), you shouldn't need the port number. (At least that's an avenue that leapt out at me. But as Larry Wall supposedly once said "There's more than one way to do it." )

Kudos for helping to keep Perl alive.

Cheers...

////// · 02-12-2021, 10:43 AM

hello.

its complicated, my english isn't good enough to explain it to you.
this is the output of it ...

Code:

root@arch Dropbox]# perl /usr/local/bin/sur.pl
ET JA3 Hash - <alert number one>  => 3 IP-address.
	Can't resolve => 20.54.26.129
	Can't resolve => 51.104.139.180
	Can't resolve => 51.11.168.160
ET JA3 Hash - <alert number two>  => 5 IP-address.
	1drv.ms => 13.107.42.12
	Can't resolve => 13.77.112.132
	Can't resolve => 138.91.136.108
	Can't resolve => 20.150.36.228
	Can't resolve => 52.109.88.174
ET POLICY <alert number three>  => 1 IP-address.
	resolver1.opendns.com => 208.67.222.222
	No more ips to hosts.

... it doesn't work when using "strict".
it does what i want it to do though, next thing to do is fix it so i can use "strict".

Code:

#!/usr/bin/perl
use warnings;
#use strict;
use Socket;

use vars qw( @alerts @ipnumbers %ipaddres $ipaddres $gethostname $hostname $alert $ip_to_host  $ip );

open(IN, "<", "/var/log/suricata/fast.log") or die "$!\n";

while (<IN>) {

chomp;

if ($_ =~ /(\[\*\*\]\s[\[0-9\:0-9\:0-9\]]+)(.*)(\[\*\*\])(.*)(\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):\d{1,5}\b)/xi) {

	$alert 	= $2;
	$ipaddres = $5;
	
	#print "$5\n";

	next if $$alert{$ipaddres}++; # errs on strict.
	push(@{$ipaddres{$alert}}, $ipaddres);

	}
}

foreach $alert (sort keys %ipaddres) {

	print "$alert => ", scalar( @{$ipaddres{$alert}} ), " IP-address.\n";
	foreach $ipaddres (sort @{$ipaddres{$alert}}) {
		
		if ($ipaddres =~ m/^([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})(\:[0-9]{1,7})$/) {
			gethostname("$1");

		}
		
	}
}
close(IN);

sub gethostname {
	
$ip_to_host = $_[0];

if ($ip_to_host =~ m/(^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$)/) {
	
	if ( $hostname = gethostbyaddr(inet_aton($ip_to_host), AF_INET )) {
		print "	$hostname => $ip_to_host\n";
		
		} else {
			
			print "	Can't resolve => $ip_to_host\n";	
		} 
	}
}
	
if ($ip_to_host =~ m// ) {
	die "	No more ips to hosts.\n";
}

thats the whole code. i'am just learning to code in perl, there might be some weird code

<- need to do that.

rnturn · 02-12-2021, 10:31 PM

Quote:

Originally Posted by //////

... it doesn't work when using "strict".
it does what i want it to do though, next thing to do is fix it so i can use "strict".

I thought that "strict" might be complaining about something in one of the modules you're using. But... I tried your code -- well, a subset of it, and that's not the problem. You appear to have some undeclared variables -- "$alert", "$$alert" (???), "$l", and maybe others -- that "strict" is probably complaining about. Either include them in the "use vars" statement or declare them with statements like "my ( $alert );".

Cheers...

////// · 02-13-2021, 04:17 AM

Quote:

Originally Posted by rnturn

I thought that "strict" might be complaining about something in one of the modules you're using. But... I tried your code -- well, a subset of it, and that's not the problem. You appear to have some undeclared variables -- "$alert", "$$alert" (???), "$l", and maybe others -- that "strict" is probably complaining about. Either include them in the "use vars" statement or declare them with statements like "my ( $alert );".

Cheers...

thanks to you.

i added %alert to vars and deleted $$alert from $$alert. it works now with 'use strict;'