#!/usr/local/bin/wermit +
;
; c r s t a t s
;
; Reads given codered logfile (see codered script), collects counts by
; originating host, prints summary to screen.  
;
; F. da Cruz, Columbia University, August 2001.
; Requires C-Kermit 7.0 or later or K95 1.1.20 or later.
; Illustrates: file i/o, associative arrays, compact substring notation, sort.

; Pass 1: validate the argument, open the log, and tally one hit per record
; in the associative array aa, keyed by the originating-host field.
;
; Each record is cut down to the host field in two steps: the text from
; column 19 onward is kept (dropping the timestamp), then everything from
; the first double quote onward is dropped (the logged attack string).
;
; NOTE(review): the log holds text recorded from remote hosts (see the
; codered script), so truncated or malformed records should be expected.
; If a record contains no double quote, \findex() presumably returns 0 and
; \%x becomes -1; confirm what the substring on the following line yields
; in that case, since such records may be tallied under an empty or
; unexpected key and would skew the per-host counts.

if not def \%1 exit 1 Usage: \%0 logfilename   ; Check args

fopen /read \%c \%1                     ; Open log; \%c receives the channel
if fail exit 1 \f_errmsg()              ; Check that we did
.\%n := 0                               ; Init record counter
while not \f_eof(\%c) {                 ; Loop to read each record
    fread /line \%c line                ; Read one record into macro "line"
    if fail break                       ; Stop on read error or end of file
    incr \%n                            ; Count every record read
    .a := \s(line[19])                  ; Remove timestamp (keep col 19 onward)
    .\%x ::= \findex({"},\m(a)) - 1     ; Length of text before first quote
    .a := \ftrim(\s(a[1:\%x]))          ; Remove any surrounding whitespace
    .a := \fltrim(\m(a))                ; (second half: leading side)
    _increment aa<\m(a)>                ; Count a hit from this host
}
fclose \%c                              ; Close log file

; Pass 2: turn the tallies into a report, busiest hosts first, followed by
; three totals: records read, distinct hosts, and distinct "local" hosts.
;
; NOTE(review): the local-domain test below matches the text 128.59
; anywhere in the host field, not only at the start of an address. A host
; such as 10.128.59.7 (constructed example) would therefore be counted as
; local, inflating the "Unique local hosts" figure. If the host field is a
; bare dotted-quad address, a pattern anchored at the start of the address
; would be tighter; confirm the logger's host-field format before changing.

.\%k := \faaconvert(aa,&a,&b)           ; Convert to pair of regular arrays
                                        ; (&a = hosts, &b = counts; \%k = size)
.\%u := 0                               ; Local domain counter
array sort /reverse /numeric b a        ; Sort in descending order of hits
                                        ; (a is kept in step with b)
for \%i 1 \%k 1 {
    echo \frpad(\&a[\%i],60) \flpad(\&b[\%i],5)  ; Print host and count
    if match \&a[\%i] *128.59* increment \%u     ; Check if local domain
}
echo Hits:               \flpad(\%n,5)  ; Print summary: records read
echo Unique hosts:       \flpad(\%k,5)  ; Distinct host keys
echo Unique local hosts: \flpad(\%u,5)  ; Distinct keys matching *128.59*
exit 0
