#!/usr/bin/perl

# Get command line arguments
if(scalar(@ARGV) < 2){
	print("Usage: dnslog2csv.pl INFILE OUTFILE [-v]\n\n");
	print("Manditory:\n");
	print("\tINFILE\tWindows Server DNS log file\n");
	print("\tOUTFILE\tName of CSV file you wish to created\n\n");
	print("Optional:\n");
	print("-v\tVerbose\n\n");
	print('2009 Ryan Doyle - rd@ryandoyle.net'."\n");
	exit();
}
$infile = $ARGV[0];
$outfile = $ARGV[1];
$verbose = $ARGV[2];


# Exceptions that wont be matched
@exceptions = (
	"spamhaus",
	"surbl",
	"rfc-ignorant",
	"spamcop",
	"uribl",
	"abuseat",
);
# TLD's that we want to match
@tldmatches = (
	"com",
	"net",
	"edu",
);
# Open the file
open(DNSLOG, $infile) or die("Error: Cannot open file!");

# Generate the exceptions list string from the array
my $exceptionlist = "somejunkthatwontmatch";
for($i=0; $i<@exceptions; $i++){
	$exceptionlist = $exceptionlist."|".$exceptions[$i];
}

# Generate the TLD maches list string 
my $tldmatchlist = "somemorejunkthatwontmatch";
for($i=0; $i<@tldmatches; $i++){
	$tldmatchlist = $tldmatchlist."|".$tldmatches[$i];
}
# Array that will store the domain name, number of hits and whois 
# creation date
#my @domainarray = (["", "",""]);
my @domainarray;
# Now loop through the file
while($record = <DNSLOG>){

  #Match the stings that deal with name lookups
  if($record =~ m/Rcv.* D   NOERROR\] A /){
    # If we don't match our exceptions, continue to process
    if($record !~ m/($exceptionlist)/){
      
      # Continue to process. Now we need to convert them into
      # their dotted decimal representation. Replace the brackets
      # with dots
      $record =~ s/\((.|..)\)/\./g;
      # Now extract ONLY the domain part
      @splitted = split(/\s+/, $record);
      # Store the domain (still with the extra "."'s ). Always at a
      # offset of 14
      $thedomain = $splitted[14]."\n";
      $thedomain =  substr($thedomain, 1, length($thedomain) - 3) . "\n";
      # Now only work on the domains that match the TLD's
      if($thedomain =~ m/\.($tldmatchlist)$/){
        # We want to only grab the domain name, not the host name
        # so split the hostname by the dots and return only the last
        # two parts
        @splitteddomain = split(/\./, $thedomain);
        $thedomain = $splitteddomain[scalar(@splitteddomain) - 2].".".$splitteddomain[scalar(@splitteddomain) - 1];
        #Finally, remove the new line
        chomp($thedomain);
        #print $thedomain;
        # Search through the domain array. If the domain already exists,
        # then don't add it again. Instead increment the "hits" counter.
        $domainarraysize = scalar(@domainarray);
        BREAKHERE: for($i=0; $i<$domainarraysize; $i++){
          
          if($domainarray[$i][0] eq $thedomain){
            $domainarray[$i][1] = $domainarray[$i][1] + 1;
            $domainexists = 1;
            last BREAKHERE;
          }
        }
        if($domainexists != 1){
          @domainarray = (@domainarray, [$thedomain, 1, ""]);
          $domainexists = 0;
        }
        # Reset
        $domainexists = 0;
        
      }
    }
	
  }
}

# Close the file
close(DNSLOG);
# Open the CSV file
open(CSVOUT, ">$outfile");

# Print out the CSV file
for($i=0; $i<scalar(@domainarray); $i++){
	if($verbose){
		print "Domain $domainarray[$i][0] appears $domainarray[$i][1] times\n";
	}
	print CSVOUT $domainarray[$i][0].",".$domainarray[$i][1]."\n";
}