If we find any matches, we display a message such as "FOUND: 184.108.40.206 3982 time(s)".
Say you have a list of known-hostile IP addresses that starts like this:
220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52
The script then runs through the second while loop once for each of these addresses, checking whether that address is one of the keys we collected in the hash during the single pass over the firewall log.
You could do the same thing with grep, of course, but you would be grepping through your millions of records as many times as you have addresses in your hostile-systems list, and that could take many hours (a single `grep -F -f hostile.txt` makes one pass too, but it reports matching lines rather than a per-address tally). I find this method of using a Perl hash to count occurrences, running through the firewall log only once, to be much easier and considerably faster.
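The two-pass structure described above, written out as an added example (this is not the script from the original post). It assumes iptables-style log lines with a `SRC=` field and a hostile list with one address per line; both inputs are constructed and embedded as in-memory strings so the script runs stand-alone, but the `while (<$fh>)` loops are the same ones you would point at real files.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample firewall log (iptables-style "SRC=" field is an assumption,
# not taken from the original post). Last line has no SRC= field and is skipped.
my $log_data = <<'LOG';
Jan  5 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=22
Jan  5 10:01:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP DPT=80
Jan  5 10:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=23
Jan  5 10:01:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=UDP DPT=53
Jan  5 10:01:11 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.1 PROTO=TCP DPT=443
Jan  5 10:01:12 fw kernel: martian source 192.0.2.1 from 0.0.0.0
LOG

# Constructed hostile list, one address per line, with a deliberate duplicate
# and a trailing blank line to show the cleanup the real file needs.
my $hostile_data = <<'LIST';
203.0.113.7
198.51.100.9
203.0.113.99
203.0.113.7

LIST

# Open the in-memory strings as filehandles; swap in '<', $path for real files.
open(my $log, '<', \$log_data)         or die "cannot open log: $!";
open(my $hostile, '<', \$hostile_data) or die "cannot open hostile list: $!";

# Pass 1: one trip through the firewall log, counting each source address.
# An undefined hash value ++'s to 1, so no initialisation is needed.
my %count;
while (my $line = <$log>) {
    next unless $line =~ /\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b/;
    $count{$1}++;
}
close $log;

# Pass 2: one trip through the hostile list, one O(1) hash lookup per address.
my %seen;
while (my $ip = <$hostile>) {
    chomp $ip;
    $ip =~ s/^\s+|\s+$//g;          # strip stray whitespace / CR
    next unless length $ip;         # skip blank lines
    next if $seen{$ip}++;           # report each hostile address only once
    if (exists $count{$ip}) {
        printf "FOUND: %s %d time(s)\n", $ip, $count{$ip};
    }
}
close $hostile;
```

`exists` is used rather than `if ($count{$ip})` only for clarity; since every stored count is at least 1, either test works, and neither autovivifies a key for addresses that never appeared in the log. Addresses that are hostile but absent (203.0.113.99 here) simply produce no line.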
Read more of Sandra Henry-Stocker's Unix as a Second Language blog and follow the latest IT news at ITworld, Twitter and Facebook.