红蓝演练告警waf_v2

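#!/usr/bin/env python
# coding: utf-8
"""Red/blue exercise WAF alert monitor (v2).

Listens for WAF syslog datagrams over UDP, pulls the interesting fields out of
each message with regular expressions and raises an audible + coloured console
alert when one of the red-team indicators fires:

* source IP is on the red-team list (``RED_TEAM_IPS``);
* request URI starts with one of the SQL-injection probe prefixes
  (``SQLI_URI_PREFIXES``);
* request URI (the part before ``%0A``) is in the dirscan dictionary, the
  method contains ``GET`` and the WAF event type contains
  ``HTTP_Protocol_Validation``;
* (disabled, see ``XSS_RULE_ENABLED``) reflected XSS probe ``alert(<n>)``.

Consecutive datagrams with the same (src_ip, dst_ip, event_type) triple are
collapsed into a single alert so a burst does not retrigger the sound.

Trust notes: the socket accepts datagrams from any host unless
``TRUSTED_SENDERS`` is populated, and even then a UDP source address can be
spoofed -- treat the sender filter as a sanity check, not authentication.
Every field printed comes from attacker-influenced text; control characters
are stripped before printing so a crafted log line cannot inject terminal
escape sequences.
"""
from __future__ import print_function

import re
import socket
import sys

try:
    import pygame  # optional: only used to play the alert sound
except ImportError:  # pragma: no cover - degrade to console-only alerts
    pygame = None

# --- configuration -----------------------------------------------------------

# One dirscan path per line; blank lines are ignored.
DIRSCAN_DICT = 'dirscan.dict'
# Address the WAF forwards its alerts to.
# NOTE(review): 515/udp is the LPD port, syslog is normally 514/udp -- confirm
# this matches the WAF's forwarding target.
LISTEN_ADDR = ('172.16.26.120', 515)
MAX_DATAGRAM = 204800
ALERT_SOUND = r"/root/work/anquan/script/listing/hw/MP3/222.wav"

# Senders whose datagrams are processed. Empty means "any sender" (the
# original behaviour). Put the WAF's address(es) here so another host on the
# segment cannot feed fake alerts into the console.
TRUSTED_SENDERS = frozenset()

# Red-team attacker addresses (114.242.71.226-254 is one contiguous block).
RED_TEAM_IPS = frozenset(
    ['210.72.243.18']
    + ['114.242.71.%d' % last_octet for last_octet in range(226, 255)]
    + ['1.50.104.62', '14.135.74.35', '203.93.167.161']
)

# URI prefixes treated as SQL-injection probes against the login endpoint.
SQLI_URI_PREFIXES = ('/user/loginid/?id=3', '/user/loginid/?id=-')

# WAF XSS alerts were too noisy during the exercise and the IPS covers XSS
# for now, so the rule is parsed but not acted on.
XSS_RULE_ENABLED = False

# --- parsing -----------------------------------------------------------------

# "name:+" tolerates one or more colons after the field name, as in the
# original patterns; values run to the next whitespace.
_FIELD_RE = {
    'src_ip': re.compile(r"src_ip:+(\d+\S+)"),
    'dst_ip': re.compile(r"dst_ip:+(\d+\S+)"),
    'alertlevel': re.compile(r"alertlevel:+(\S+)"),
    'event_type': re.compile(r"event_type:+(\S+)"),
    'action': re.compile(r"action:+(\S+)"),
    'method': re.compile(r"method:+(\S+)"),
    'uri': re.compile(r"uri:+(\S+)"),
}
# URI up to a URL-encoded newline, the shape dirscan tools leave behind.
_DIRSCAN_URI_RE = re.compile(r"uri:+(\S+)%0A")
# Classic reflected-XSS probe payload.
_XSS_URI_RE = re.compile(r"uri:+.*(alert\(\d+\))")
# ASCII control characters, including ESC, that must never reach the terminal.
_CONTROL_CHARS_RE = re.compile(r"[\x00-\x1f\x7f]")

_RULE_COLORS = {'red_team_ip': '35', 'sqli': '32', 'dirscan': '36', 'xss': '0'}


def load_dirscan_patterns(path=DIRSCAN_DICT):
    """Return the dirscan dictionary at *path* as a frozenset of stripped lines.

    Raises IOError/OSError if the file cannot be read: a missing dictionary is
    a configuration error the operator should see at start-up, not a silent
    detection gap.
    """
    with open(path, 'r') as handle:
        return frozenset(line.strip() for line in handle if line.strip())


def parse_alert(text):
    """Extract the fields of one WAF log line into a dict.

    Every key in ``_FIELD_RE`` plus ``dirscan_uri`` and ``xss`` is always
    present; a field the line does not carry maps to ``None``. Parsing is
    done per datagram so values never leak from a previous message.
    """
    fields = {}
    for name, pattern in _FIELD_RE.items():
        match = pattern.search(text)
        fields[name] = match.group(1) if match else None
    match = _DIRSCAN_URI_RE.search(text)
    fields['dirscan_uri'] = match.group(1) if match else None
    match = _XSS_URI_RE.search(text)
    fields['xss'] = match.group(1) if match else None
    return fields


def classify(fields, red_ips=RED_TEAM_IPS, dirscan_paths=frozenset()):
    """Return the list of rule names that fire for parsed *fields*.

    Rules are evaluated independently, so one datagram can match several
    (e.g. a red-team IP sending an SQL-injection probe). Order is fixed:
    ``red_team_ip``, ``sqli``, ``dirscan``, ``xss``.
    """
    hits = []
    event_type = fields.get('event_type') or ''
    uri = fields.get('uri') or ''

    if fields.get('src_ip') in red_ips:
        hits.append('red_team_ip')

    if uri.startswith(SQLI_URI_PREFIXES):
        hits.append('sqli')

    # Membership test (not list.index): index() returned 0 for the first
    # dictionary entry, which read as "no match".
    dirscan_uri = fields.get('dirscan_uri')
    if (dirscan_uri is not None and dirscan_uri in dirscan_paths
            and 'GET' in (fields.get('method') or '')
            and 'HTTP_Protocol_Validation' in event_type):
        hits.append('dirscan')

    if (XSS_RULE_ENABLED and fields.get('xss')
            and 'Cross_Site_Scripting' in event_type):
        hits.append('xss')

    return hits


# --- output ------------------------------------------------------------------

def _printable(value):
    """Return *value* with control characters replaced by ``?``; ``None`` -> ``-``.

    The values come straight from the datagram, so without this a log line
    containing ESC sequences could rewrite or hide what the operator sees.
    """
    if value is None:
        return '-'
    return _CONTROL_CHARS_RE.sub('?', value)


def play_alert_sound(path=ALERT_SOUND):
    """Play the alert clip; best-effort, never raises (no pygame -> silent)."""
    if pygame is None:
        return
    try:
        pygame.mixer.init()
        pygame.mixer.music.load(path)
        pygame.mixer.music.play()
    except Exception as exc:  # audio problems must not stop monitoring
        print("warning: alert sound failed: %s" % exc, file=sys.stderr)


def report(rule, fields):
    """Print the coloured console alert for *rule* using sanitised *fields*."""
    src, dst, event, level, action = (
        _printable(fields.get(key))
        for key in ('src_ip', 'dst_ip', 'event_type', 'alertlevel', 'action')
    )
    if rule == 'dirscan':
        print('××××××××针对dirscan的监测××××%s×××××' % _printable(fields.get('method')))
    print("===== This is WAF =====\n")
    print("\033[1;%sm检测到红队攻击IP: %s 目标服务器IP:%s 安全事件:%s 危险等级:%s 动作:%s\033[0m\n"
          % (_RULE_COLORS.get(rule, '0'), src, dst, event, level, action))
    print("===" * 10)


# --- main loop ---------------------------------------------------------------

def main():
    """Bind the UDP listener and alert forever on matching WAF datagrams."""
    dirscan_paths = load_dirscan_patterns()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(LISTEN_ADDR)
    last_alert = None  # (src_ip, dst_ip, event_type) of the previous alert
    try:
        while True:
            datagram, (sender_ip, _sender_port) = sock.recvfrom(MAX_DATAGRAM)
            if TRUSTED_SENDERS and sender_ip not in TRUSTED_SENDERS:
                continue
            # Python 3 hands back bytes; the WAF emits GBK. Never let a bad
            # byte kill the loop.
            if not isinstance(datagram, str):
                datagram = datagram.decode('gbk', 'replace')

            # One "=" per datagram: cheap liveness indicator for the operator.
            sys.stdout.write('=')
            sys.stdout.flush()

            fields = parse_alert(datagram)
            if (fields['src_ip'] is None or fields['dst_ip'] is None
                    or fields['event_type'] is None):
                continue  # not an alert line we understand

            key = (fields['src_ip'], fields['dst_ip'], fields['event_type'])
            if key == last_alert:
                continue  # suppress a repeat of the alert just raised

            hits = classify(fields, RED_TEAM_IPS, dirscan_paths)
            if not hits:
                continue
            last_alert = key
            play_alert_sound()
            for rule in hits:
                report(rule, fields)
    finally:
        sock.close()


if __name__ == '__main__':
    main()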

http://www.oniont.cn/index.php/archives/83.html

