红蓝演练告警IPS告警_v2

2019年8月3日23:18:34 评论 606
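# -*- coding: utf-8 -*-
"""Red/blue drill IPS alert monitor, v2 (Python 2 script).

Receives IPS alert lines over UDP syslog, parses the ``Key=Value`` fields and
raises an audible plus on-screen alert when either the source IP is a known
red-team address or the request URL matches one of the drill's attack
signatures (SQL injection probes, Struts2, reflected XSS).

Run as root (UDP/514 is a privileged port) on the host the IPS forwards its
syslog to.  The datagram's peer address is not checked, so restrict who can
reach UDP/514 at the host firewall.  Stop with Ctrl-C.
"""
import re
import socket
import sys

import pygame

# Where the IPS sends its syslog alerts.
LISTEN_ADDR = ('172.16.26.120', 514)
# Sound played for every alert.
ALARM_WAV = r"/root/work/anquan/script/listing/hw/MP3/222.wav"
# Largest datagram accepted per recvfrom().
RECV_BUF = 204800

# URL prefixes the red team is known to use during the drill.
URL1 = '/user/loginid/?id=3'  # SQL injection probe
URL2 = '/user/loginid/?id=-'  # SQL injection probe
URL3 = '/login.action?'       # Struts2 signature

# Red-team source IPs: 210.72.243.18 plus 114.242.71.226-254.
RED_TEAM_IPS = frozenset(
    ['210.72.243.18'] + ['114.242.71.%d' % host for host in range(226, 255)]
)

# Per-field regexes for one IPS syslog line, in the order the tuple returned
# by parse_fields() uses: SrcIP, DstIP, EventName, SecurityType, Action.
# Compiled once; captures stop at whitespace so an oversized line stays cheap.
_FIELD_RES = (
    re.compile(r"SrcIP=+(\d+\S+)"),
    re.compile(r"DstIP=+(\d+\S+)"),
    re.compile(r"EventName=+(\S+)"),
    re.compile(r"SecurityType=+(\S+)"),
    re.compile(r"Action=+(\w+)"),
)
# The whole URL token; the signature checks use startswith() on it.
_URL_RE = re.compile(r"URL=+(\S+)")
# ``alert(123)`` anywhere in the URL part of the line.
_XSS_RE = re.compile(r"URL=+.*alert\(\d+\)")
# Control bytes (including ESC) that must never be echoed to the terminal.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

# %-templates taking (SrcIP, DstIP, EventName, SecurityType, Action).
MSG_IP = "检测到红队攻击IP: %s 目标服务器IP:%s 安全事件:%s 类型:%s 动作:%s"
MSG_URL = "检测到红队攻击IP %s 目标服务器IP:%s 安全事件:%s 类型:%s 动作:%s"


def parse_fields(line):
    """Extract (SrcIP, DstIP, EventName, SecurityType, Action) from an IPS line.

    Returns None when any field is absent, so the caller never works with
    stale values left over from a previous datagram.
    """
    values = []
    for pattern in _FIELD_RES:
        match = pattern.search(line)
        if match is None:
            return None
        values.append(match.group(1))
    return tuple(values)


def sanitize(value):
    """Replace control bytes with '?' so log content cannot inject terminal escapes."""
    return _CONTROL_RE.sub('?', value)


def alert(color, message, fields):
    """Play the alarm and print *message* filled with *fields* in ANSI *color*.

    color: SGR parameter string such as "1;35".
    message: a %-template taking five fields (MSG_IP or MSG_URL).
    fields: (SrcIP, DstIP, EventName, SecurityType, Action) from parse_fields().
    """
    pygame.mixer.music.load(ALARM_WAV)
    pygame.mixer.music.play()
    print("+++++ This is IPS +++++\n")
    body = message % tuple(sanitize(field) for field in fields)
    print("\033[%sm%s\033[0m\n" % (color, body))
    print("+++" * 10)


def main():
    """Receive IPS syslog datagrams forever and alert on red-team activity."""
    pygame.mixer.init()  # once; re-initialising the mixer per alert is wasteful
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(LISTEN_ADDR)
    last_alert = None  # (SrcIP, DstIP, EventName) of the alert raised last
    try:
        while True:
            data, _peer = sock.recvfrom(RECV_BUF)
            sys.stdout.write("=")  # heartbeat: one '=' per datagram received
            sys.stdout.flush()

            fields = parse_fields(data)
            if fields is None:
                continue  # not an IPS alert line this monitor understands
            src_ip, dst_ip, event_name, _sec_type, _action = fields

            # Suppress an exact repeat of the alert raised last time.
            key = (src_ip, dst_ip, event_name)
            if key == last_alert:
                continue

            # Known red-team source address.
            if src_ip in RED_TEAM_IPS:
                last_alert = key
                print("针对IP的监测" * 3)  # debug
                alert("1;35", MSG_IP, fields)

            url_match = _URL_RE.search(data)
            if url_match is None:
                continue  # no URL field: nothing more to check on this line
            url = url_match.group(1)

            # SQL injection probes (URL1/URL2 cannot both match; one alert).
            if url.startswith((URL1, URL2)):
                last_alert = key
                alert("1;32", MSG_URL, fields)

            # Struts2 signature.
            if url.startswith(URL3):
                last_alert = key
                alert("1;31", MSG_URL, fields)

            # Reflected XSS: alert(N) in the URL and the IPS classed it as XSS.
            if _XSS_RE.search(data) is not None and 'HTTP_XSS' in event_name:
                last_alert = key
                alert("1;33", MSG_URL, fields)
    finally:
        sock.close()


if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        pass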

http://www.oniont.cn/index.php/archives/84.html


