红蓝演练告警IPS告警_v2

2019年8月3日23:18:34 评论 2,415
#!coding:utf-8
from socket import *
import pygame,re

tmpSip = ''
tmpDip = ''
tmpEventName = ''
URL1 = '/user/loginid/?id=3'
URL2 = '/user/loginid/?id=-'
URL3 = '/login.action?' #红队struts2特征
URLxss = ''

#!红队IP
Sip = ['210.72.243.18','114.242.71.226','114.242.71.227','114.242.71.228','114.242.71.229','114.242.71.230','114.242.71.231','114.242.71.232','114.242.71.233','114.242.71.234','114.242.71.235','114.242.71.236','114.242.71.237','114.242.71.238','114.242.71.239','114.242.71.240','114.242.71.241','114.242.71.242','114.242.71.243','114.242.71.244','114.242.71.245','114.242.71.246','114.242.71.247','114.242.71.248','114.242.71.249','114.242.71.250','114.242.71.251','114.242.71.252','114.242.71.253','114.242.71.254']

#接收IPS告警
revlog = socket(AF_INET,SOCK_DGRAM)
addr = ('172.16.26.120',514)
revlog.bind(addr)
while True:
    receive_data = revlog.recvfrom(204800)
    date = receive_data[0]#decode('gbk')# 存储接收的数据
    addr = receive_data[1]
    Dev_ip = addr[0]
    port = addr[1]
    
    try:
        #监测红队IP
        SrcIP = str(re.findall("SrcIP=+(\d+\S+)",date)[0])
        DstIP = str(re.findall("DstIP=+(\d+\S+)",date)[0])
        EventName = str(re.findall("EventName=+(\S+)",date)[0])#.decode('gbk').encode('utf-8')
        SecurityType = str(re.findall("SecurityType=+(\S+)",date)[0])#.decode('gbk').encode('utf-8')
        ProtocolType = str(re.findall("ProtocolType=+(\S+)",date)[0])#.decode('gbk').encode('utf-8')
        Action = str(re.findall("Action=+(\w+)",date)[0])
    except:
        pass

    print "=",#日志接收状态

    #!去重
    if tmpSip == SrcIP:
        if tmpDip == DstIP:
            if tmpEventName == EventName:
                continue


    #!告警
    if SrcIP in Sip:
        tmpSip = SrcIP
        tmpDip = DstIP
        tmpEventName = EventName
        pygame.mixer.init()
        track = pygame.mixer.music.load(r"/root/work/anquan/script/listing/hw/MP3/222.wav")
        pygame.mixer.music.play()
        print "针对IP的监测"*3 #调试
        print "+++++ This is IPS +++++\n"
        print "\033[1;35m检测到红队攻击IP: %s 目标服务器IP:%s 安全事件:%s 类型:%s 动作:%s\033[0m\n"%(SrcIP,DstIP,EventName,SecurityType,Action)
        print "+++"*10

    #!监测红队sqlinject、struts2、xss攻击
    try:
        URLsql = str(re.findall("URL=+(\S{1,19})",date)[0])
        URLstr = str(re.findall("URL=+(\S{1,14})",date)[0])
        
    except:
        continue
    try:
        URLxss = str(re.findall("URL=+.*(alert\(\d+\))",date)[0])
        #URLxss1 = str(re.findall("URL=+(\/\w+.jsp\?)",date)[0])#调试
    except:
        pass

    #!告警
    if URLsql == URL1:
        tmpSip = SrcIP
        tmpDip = DstIP
        tmpEventName = EventName
        pygame.mixer.init()
        track = pygame.mixer.music.load(r"/root/work/anquan/script/listing/hw/MP3/222.wav")
        pygame.mixer.music.play()
        #print "针对 SQLinject的监测"*3 #调试
        print "+++++ This is IPS +++++\n"
        print "\033[1;32m检测到红队攻击IP %s 目标服务器IP:%s 安全事件:%s 类型:%s 动作:%s\033[0m\n"%(SrcIP,DstIP,EventName,SecurityType,Action)
        print "+++"*10
    if URLsql == URL2:
        tmpSip = SrcIP
        tmpDip = DstIP
        tmpEventName = EventName
        pygame.mixer.init()
        track = pygame.mixer.music.load(r"/root/work/anquan/script/listing/hw/MP3/222.wav")
        pygame.mixer.music.play()
        #print "针对 SQLinject的监测22222222222222"*3 #调试
        print "+++++ This is IPS +++++\n"
        print "\033[1;32m检测到红队攻击IP %s 目标服务器IP:%s 安全事件:%s 类型:%s 动作:%s\033[0m\n"%(SrcIP,DstIP,EventName,SecurityType,Action)
        print "+++"*10
    
    #!监测红队struts2攻击并告警
    if URLstr == URL3:
        tmpSip = SrcIP
        tmpDip = DstIP
        tmpEventName = EventName
        pygame.mixer.init()
        track = pygame.mixer.music.load(r"/root/work/anquan/script/listing/hw/MP3/222.wav")
        pygame.mixer.music.play()
        #print "针对 struts2的监测"*3 #调试
        print "+++++ This is IPS +++++\n"
        print "\033[1;31m检测到红队攻击IP %s 目标服务器IP:%s 安全事件:%s 类型:%s 动作:%s\033[0m\n"%(SrcIP,DstIP,EventName,SecurityType,Action)
        print "+++"*10

    #!监测红队xss攻击并告警
    if URLxss :
        if 'HTTP_XSS' in EventName: 
            tmpSip = SrcIP
            tmpDip = DstIP
            tmpEventName = EventName
            pygame.mixer.init()
            track = pygame.mixer.music.load(r"/root/work/anquan/script/listing/hw/MP3/222.wav")
            pygame.mixer.music.play()
            #print "针对 xss的监测"*3 #调试
            print "+++++ This is IPS +++++\n"
            print "\033[1;33m检测到红队攻击IP %s 目标服务器IP:%s 安全事件:%s 类型:%s 动作:%s\033[0m\n"%(SrcIP,DstIP,EventName,SecurityType,Action)
            print "+++"*10
高性能云服务器2折起

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: