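#!/usr/bin/perl
#
# Reads log lines (from STDIN or the files named on the command line), pulls
# the source address out of the third or fourth whitespace-separated field,
# and once the same address has appeared on $limit consecutive lines runs the
# local ipsimple tool once to add a deny rule for it.  Each address is handed
# to ipsimple at most once per run.
#
use strict;
use warnings;

my $debug       = 10;                   # 0 silent; >0 log commands to $fname; >1 echo them to STDOUT; >2 echo every input line
my $fname       = "/tmp/ipsimple.log";  # command log, truncated at start-up
my $limit       = 2;                    # consecutive hits from one address before it is blocked
my $counter     = 0;                    # consecutive hits counted for $last_target
my $last_target = "";                   # address extracted from the previous relevant line
my %blocked;                            # addresses already passed to ipsimple (set semantics)

# Dotted quad at the start of a field; the capture holds digits and dots only.
my $ipv4_re = qr/^(\d+\.\d+\.\d+\.\d+)/;

my $log_fh;
if ($debug > 0) {
    # NOTE(review): a fixed path in a shared temp directory, opened for
    # truncation, can be pre-created (e.g. as a symlink) by another local
    # user; a dedicated log directory would be safer.  Path kept as-is.
    open($log_fh, '>', $fname) or die "Can't open $fname: $!\n";
}

while (my $input = <>) {
    chomp $input;    # chomp, not chop: a final line without "\n" keeps its last character
    printf("<%s>\n", $input) if $debug > 2;

    # Skip lines that begin with a "Day Month NN " style timestamp.
    next if $input =~ /^[A-Z][a-z]+ [A-Z][a-z]+ \d+ /;

    # The address is the dotted quad at the start of field 3, else field 4.
    my @field  = split ' ', $input;
    my $target = "";
    if (defined $field[2] && $field[2] =~ $ipv4_re) {
        $target = $1;
    }
    elsif (defined $field[3] && $field[3] =~ $ipv4_re) {
        $target = $1;
    }

    if ($target ne $last_target) {
        # Different (or missing) address: start counting afresh for it.
        $counter     = 1;
        $last_target = $target;
        next;
    }

    # Same address as on the previous line.
    if ($counter < $limit) {
        $counter++;
        next;
    }

    # Threshold reached: block the address once.  An empty $target (no
    # address found in either field) is never blocked.
    if ($target ne "" && !$blocked{$target}) {
        my @cmd  = ('/usr/local/sbin/ipsimple', '-I', '-a', 'deny', '-S', "$target/32");
        my $line = join(' ', @cmd) . "\n";
        if ($debug > 0) {
            print {$log_fh} $line;
            print $line if $debug > 1;
        }
        # List-form system() executes the tool directly with no shell in
        # between; $target is digits and dots only, so the argument is inert
        # either way, but the shell is not needed.
        if (system(@cmd) != 0) {
            my $reason = $? == -1 ? $! : "exit status " . ($? >> 8);
            warn "ipsimple failed for $target: $reason\n";
        }
        # Recorded regardless of exit status so a persistently failing
        # address is not retried on every subsequent line.
        $blocked{$target} = 1;
    }
    $counter = 0;
}

if ($log_fh) {
    close($log_fh) or warn "close $fname: $!\n";
}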