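#!coding:utf-8
"""Red-team activity monitor fed by IPS syslog over UDP.

Listens on LISTEN_ADDR for IPS alert lines, pulls the ``key=value`` fields
out of each line with regular expressions and raises a console + audio
alert when the line matches one of four red-team indicators:

* source IP in RED_TEAM_IPS,
* URL starting with one of the SQL-injection probe prefixes in
  SQLI_URL_PREFIXES,
* URL starting with STRUTS2_URL_PREFIX,
* an ``alert(N)`` payload after the URL field while the IPS event name
  contains ``HTTP_XSS``.

De-duplication: after an alert fires, any later line carrying the same
(SrcIP, DstIP, EventName) triple is suppressed until a *different* alert
fires. That keeps one burst from spamming the console, but it also means a
sustained attack against the same target shows up once only -- tune the
key (e.g. add the URL, or a time window) if you need per-request alerts.

Security notes for whoever runs this:

* syslog over UDP is unauthenticated and trivially spoofable. Populate
  TRUSTED_SENDERS with the IPS management address(es); otherwise any host
  that can reach this port can inject fake alerts or pre-seed the
  de-duplication key so that a real alert is swallowed.
* Every printed field comes straight from the network, so ASCII control
  characters (including ESC) are stripped before the text reaches the
  terminal -- an attacker-controlled URL or event name must not be able to
  inject terminal escape sequences.
* Only the URL field is inspected, i.e. GET query strings; payloads inside
  POST bodies are not visible in these log fields.

Runs on Python 2.6+ and Python 3 (the original was Python 2 only).
"""
from __future__ import print_function

import re
import socket
import sys

try:
    import pygame  # only needed for the audible alert; console alerts work without it
except ImportError:  # e.g. a headless collector box
    pygame = None

# --- configuration ----------------------------------------------------------

# Address the IPS forwards its syslog to (port 514 needs root or
# CAP_NET_BIND_SERVICE).
LISTEN_ADDR = ('172.16.26.120', 514)
RECV_BUFSIZE = 204800

# Source addresses the IPS sends from. Empty = accept from anyone, which is
# what the original did; set this in production, UDP syslog can be spoofed.
TRUSTED_SENDERS = frozenset()

ALERT_SOUND = r"/root/work/anquan/script/listing/hw/MP3/222.wav"

# Red-team source addresses announced for the exercise. Hard-coded list; swap
# it for a file or feed if the range changes during the engagement.
RED_TEAM_IPS = frozenset(
    ['210.72.243.18'] + ['114.242.71.%d' % host for host in range(226, 255)]
)

# URL prefixes the red team was seen using (SQL-injection probes and the
# Struts2 entry point). Matching is by prefix, exactly equivalent to the
# original's fixed-width capture compared against the whole string.
SQLI_URL_PREFIXES = ('/user/loginid/?id=3', '/user/loginid/?id=-')
STRUTS2_URL_PREFIX = '/login.action?'

# ANSI colour per indicator, kept from the original (magenta/green/red/yellow).
ALERT_COLORS = {
    'redteam_ip': '1;35',
    'sqli': '1;32',
    'struts2': '1;31',
    'xss': '1;33',
}

# --- parsing ----------------------------------------------------------------

# key=value fields pulled out of each IPS line; a value runs to the next
# whitespace. Compiled once, the loop is per packet.
_FIELD_PATTERNS = (
    ('SrcIP', re.compile(r'SrcIP=(\d+\S+)')),
    ('DstIP', re.compile(r'DstIP=(\d+\S+)')),
    ('EventName', re.compile(r'EventName=(\S+)')),
    ('SecurityType', re.compile(r'SecurityType=(\S+)')),
    ('ProtocolType', re.compile(r'ProtocolType=(\S+)')),
    ('Action', re.compile(r'Action=(\w+)')),
    ('URL', re.compile(r'URL=(\S+)')),
)
# ``alert(N)`` anywhere after the URL field -- the original's XSS signature.
_XSS_PAYLOAD_RE = re.compile(r'URL=.*(alert\(\d+\))')
# ASCII control characters incl. ESC (0x1b) and DEL; stripped before printing.
_CONTROL_CHARS_RE = re.compile(r'[\x00-\x1f\x7f]')


def parse_event(text):
    """Extract the IPS fields from one log line.

    Returns a dict with the keys SrcIP, DstIP, EventName, SecurityType,
    ProtocolType, Action, URL and XSSPayload. A field that is absent maps
    to '' instead of raising, so one malformed line can neither stop the
    loop nor leave the previous line's values behind (the original's bare
    ``except: pass`` did both).
    """
    fields = {}
    for name, pattern in _FIELD_PATTERNS:
        match = pattern.search(text)
        fields[name] = match.group(1) if match else ''
    match = _XSS_PAYLOAD_RE.search(text)
    fields['XSSPayload'] = match.group(1) if match else ''
    return fields


def classify_event(fields):
    """Return the indicator names the event matches, in a fixed order.

    Names are keys of ALERT_COLORS: 'redteam_ip', 'sqli', 'struts2', 'xss'.
    An empty list means nothing to report.
    """
    reasons = []
    if fields['SrcIP'] in RED_TEAM_IPS:
        reasons.append('redteam_ip')
    url = fields['URL']
    if url.startswith(SQLI_URL_PREFIXES):
        reasons.append('sqli')
    if url.startswith(STRUTS2_URL_PREFIX):
        reasons.append('struts2')
    # The payload alone is not enough: the IPS must also have classified the
    # event as XSS, otherwise any URL containing "alert(1)" would fire.
    if fields['XSSPayload'] and 'HTTP_XSS' in fields['EventName']:
        reasons.append('xss')
    return reasons


def sanitize_field(value):
    """Strip ASCII control characters from a log field before it is printed.

    The fields are attacker-influenced (URL, event name, ...); without this a
    crafted request could push terminal escape sequences into the analyst's
    console.
    """
    return _CONTROL_CHARS_RE.sub('', value)


# --- alerting ---------------------------------------------------------------

def _to_text(raw):
    """Turn a received datagram into text.

    On Python 2 ``bytes`` is ``str`` and the original matched it directly, so
    it is returned as-is. On Python 3 it is decoded; the original's
    commented-out ``decode('gbk')`` suggests the IPS emits GBK -- confirm
    against the device, undecodable bytes are replaced rather than raised.
    """
    if isinstance(raw, str):
        return raw
    return raw.decode('gbk', 'replace')


def _play_alert_sound():
    """Play ALERT_SOUND; audio failures are reported but never stop monitoring."""
    if pygame is None:
        return
    try:
        pygame.mixer.init()
        pygame.mixer.music.load(ALERT_SOUND)
        pygame.mixer.music.play()
    except Exception as exc:  # missing sound file, no audio device, ...
        print("(alert sound unavailable: %s)" % exc)


def print_alert(fields, reasons):
    """Print one coloured alert line per matched indicator.

    All fields pass through sanitize_field first; see the module docstring.
    """
    safe = dict((key, sanitize_field(value)) for key, value in fields.items())
    print("+++++ This is IPS +++++\n")
    for reason in reasons:
        print("\033[%sm[%s] 检测到红队攻击IP:%s 目标服务器IP:%s 安全事件:%s 类型:%s 动作:%s\033[0m\n"
              % (ALERT_COLORS[reason], reason, safe['SrcIP'], safe['DstIP'],
                 safe['EventName'], safe['SecurityType'], safe['Action']))
    print("+++" * 10)


def main():
    """Receive IPS syslog on LISTEN_ADDR forever and alert on red-team activity."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(LISTEN_ADDR)
    last_alert = None  # (SrcIP, DstIP, EventName) of the most recent alert
    try:
        while True:
            raw, (sender_ip, _port) = sock.recvfrom(RECV_BUFSIZE)
            # Drop datagrams that do not come from the IPS (only enforced once
            # TRUSTED_SENDERS is populated -- see the module docstring).
            if TRUSTED_SENDERS and sender_ip not in TRUSTED_SENDERS:
                continue
            print("=", end="")  # receive heartbeat, one character per datagram
            sys.stdout.flush()

            fields = parse_event(_to_text(raw))
            key = (fields['SrcIP'], fields['DstIP'], fields['EventName'])
            if key == last_alert:
                continue
            reasons = classify_event(fields)
            if not reasons:
                continue
            last_alert = key
            # One sound and one banner per line even when several indicators
            # match; the original played and printed once per indicator.
            _play_alert_sound()
            print_alert(fields, reasons)
    finally:
        sock.close()


if __name__ == '__main__':
    main()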


上海市 1F
这个脚本是用来监控红队攻击的?
江苏省苏州市 2F
代码看着还行,就是告警逻辑有点绕。
江苏省盐城市 3F
之前做演练也写过类似的,不过用的是syslog。
上海市 4F
struts2那个特征现在还常见吗?
韩国 5F
要是告警能发邮件就更实用了。
湖南省株洲市 6F
直接用pygame播报警声这操作挺骚的哈哈
印度 7F
IP列表写死了,实际用起来得动态更新吧?
浙江省 8F
只检测了GET参数?POST的SQL注入不管吗?🤔
广东省佛山市 9F
对新手挺友好的,可以照着改改直接用。
北京市 10F
告警去重的思路可以,但感觉会有漏报。
美国 11F
这个去重逻辑会不会漏掉连续攻击?
马来西亚 12F
要是能集成到SIEM里就更好了。
上海市静安区 13F
正则匹配URL那段容易误报吧?