OnionT@KillBoy
评论6,956字数 712阅读2分22秒阅读模式
#!coding:utf-8
from socket import *
import pygame,re
tmpSip = ''
tmpDip = ''
tmpEventName = ''
URL1 = '/user/loginid/?id=3'
URL2 = '/user/loginid/?id=-'
URL3 = '/login.action?' #红队struts2特征
URLxss = ''
#!红队IP
Sip = ['210.72.243.18','114.242.71.226','114.242.71.227','114.242.71.228','114.242.71.229','114.242.71.230','114.242.71.231','114.242.71.232','114.242.71.233','114.242.71.234','114.242.71.235','114.242.71.236','114.242.71.237','114.242.71.238','114.242.71.239','114.242.71.240','114.242.71.241','114.242.71.242','114.242.71.243','114.242.71.244','114.242.71.245','114.242.71.246','114.242.71.247','114.242.71.248','114.242.71.249','114.242.71.250','114.242.71.251','114.242.71.252','114.242.71.253','114.242.71.254']
#接收IPS告警
revlog = socket(AF_INET,SOCK_DGRAM)
addr = ('172.16.26.120',514)
revlog.bind(addr)
while True:
receive_data = revlog.recvfrom(204800)
date = receive_data[0]#decode('gbk')# 存储接收的数据
addr = receive_data[1]
Dev_ip = addr[0]
port = addr[1]
try:
#监测红队IP
SrcIP = str(re.findall("SrcIP=+(\d+\S+)",date)[0])
DstIP = str(re.findall("DstIP=+(\d+\S+)",date)[0])
EventName = str(re.findall("EventName=+(\S+)",date)[0])#.decode('gbk').encode('utf-8')
SecurityType = str(re.findall("SecurityType=+(\S+)",date)[0])#.decode('gbk').encode('utf-8')
ProtocolType = str(re.findall("ProtocolType=+(\S+)",date)[0])#.decode('gbk').encode('utf-8')
Action = str(re.findall("Action=+(\w+)",date)[0])
except:
pass
print "=",#日志接收状态
#!去重
if tmpSip == SrcIP:
if tmpDip == DstIP:
if tmpEventName == EventName:
continue
#!告警
if SrcIP in Sip:
tmpSip = SrcIP
tmpDip = DstIP
tmpEventName = EventName
pygame.mixer.init()
track = pygame.mixer.music.load(r"/root/work/anquan/script/listing/hw/MP3/222.wav")
pygame.mixer.music.play()
print "针对IP的监测"*3 #调试
print "+++++ This is IPS +++++\n"
print "\033[1;35m检测到红队攻击IP: %s 目标服务器IP:%s 安全事件:%s 类型:%s 动作:%s\033[0m\n"%(SrcIP,DstIP,EventName,SecurityType,Action)
print "+++"*10
#!监测红队sqlinject、struts2、xss攻击
try:
URLsql = str(re.findall("URL=+(\S{1,19})",date)[0])
URLstr = str(re.findall("URL=+(\S{1,14})",date)[0])
except:
continue
try:
URLxss = str(re.findall("URL=+.*(alert\(\d+\))",date)[0])
#URLxss1 = str(re.findall("URL=+(\/\w+.jsp\?)",date)[0])#调试
except:
pass
#!告警
if URLsql == URL1:
tmpSip = SrcIP
tmpDip = DstIP
tmpEventName = EventName
pygame.mixer.init()
track = pygame.mixer.music.load(r"/root/work/anquan/script/listing/hw/MP3/222.wav")
pygame.mixer.music.play()
#print "针对 SQLinject的监测"*3 #调试
print "+++++ This is IPS +++++\n"
print "\033[1;32m检测到红队攻击IP %s 目标服务器IP:%s 安全事件:%s 类型:%s 动作:%s\033[0m\n"%(SrcIP,DstIP,EventName,SecurityType,Action)
print "+++"*10
if URLsql == URL2:
tmpSip = SrcIP
tmpDip = DstIP
tmpEventName = EventName
pygame.mixer.init()
track = pygame.mixer.music.load(r"/root/work/anquan/script/listing/hw/MP3/222.wav")
pygame.mixer.music.play()
#print "针对 SQLinject的监测22222222222222"*3 #调试
print "+++++ This is IPS +++++\n"
print "\033[1;32m检测到红队攻击IP %s 目标服务器IP:%s 安全事件:%s 类型:%s 动作:%s\033[0m\n"%(SrcIP,DstIP,EventName,SecurityType,Action)
print "+++"*10
#!监测红队struts2攻击并告警
if URLstr == URL3:
tmpSip = SrcIP
tmpDip = DstIP
tmpEventName = EventName
pygame.mixer.init()
track = pygame.mixer.music.load(r"/root/work/anquan/script/listing/hw/MP3/222.wav")
pygame.mixer.music.play()
#print "针对 struts2的监测"*3 #调试
print "+++++ This is IPS +++++\n"
print "\033[1;31m检测到红队攻击IP %s 目标服务器IP:%s 安全事件:%s 类型:%s 动作:%s\033[0m\n"%(SrcIP,DstIP,EventName,SecurityType,Action)
print "+++"*10
#!监测红队xss攻击并告警
if URLxss :
if 'HTTP_XSS' in EventName:
tmpSip = SrcIP
tmpDip = DstIP
tmpEventName = EventName
pygame.mixer.init()
track = pygame.mixer.music.load(r"/root/work/anquan/script/listing/hw/MP3/222.wav")
pygame.mixer.music.play()
#print "针对 xss的监测"*3 #调试
print "+++++ This is IPS +++++\n"
print "\033[1;33m检测到红队攻击IP %s 目标服务器IP:%s 安全事件:%s 类型:%s 动作:%s\033[0m\n"%(SrcIP,DstIP,EventName,SecurityType,Action)
print "+++"*10
