红蓝演练告警waf_v2

#!coding:utf-8
import os
import re
import sys
from socket import *

import pygame

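# Detection state shared with the receive loop further down.
dirscan = []            # dirscan URI signatures, one per non-blank line of dirscan.dict
tmpSip = ''             # de-dup state: source / destination / event type of the last alert
tmpDip = ''
tmpevent_type = ''
tmpxss1 = ''            # XSS alerts were too noisy; kept for the disabled XSS branch
# SQL-injection probe URIs: a request URI beginning with either of these is alerted on.
URL1 = '/user/loginid/?id=3'
URL2 = '/user/loginid/?id=-'

#!红队IP -- red-team source addresses: any WAF event from one of these is alerted on.
# Exact string match against the src_ip field, so keep them in dotted-quad form.
Sip = [
    '210.72.243.18',
    '114.242.71.226', '114.242.71.227', '114.242.71.228', '114.242.71.229',
    '114.242.71.230', '114.242.71.231', '114.242.71.232', '114.242.71.233',
    '114.242.71.234', '114.242.71.235', '114.242.71.236', '114.242.71.237',
    '114.242.71.238', '114.242.71.239', '114.242.71.240', '114.242.71.241',
    '114.242.71.242', '114.242.71.243', '114.242.71.244', '114.242.71.245',
    '114.242.71.246', '114.242.71.247', '114.242.71.248', '114.242.71.249',
    '114.242.71.250', '114.242.71.251', '114.242.71.252', '114.242.71.253',
    '114.242.71.254',
    '1.50.104.62', '14.135.74.35', '203.93.167.161',
]


#读取dirscan特征 -- load the dirscan signatures.
# Surrounding whitespace (including '\r' from a CRLF-edited file) is stripped
# and blank lines are skipped, so a stray empty entry can never become a
# signature; the file is closed as soon as it is read instead of leaking the
# handle for the life of the process. A missing dict still raises, as before.
with open('dirscan.dict', 'r') as dirscanku:
    for line in dirscanku:
        line = line.strip()
        if line:
            dirscan.append(line)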


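#接收WAF告警 -- receive WAF alerts over UDP syslog and raise console + sound alerts.
#
# Every field used below comes out of an unauthenticated UDP datagram: any host
# that can reach 172.16.26.120:515 (or spoof a UDP source address) can inject a
# fake "WAF event" and trigger, mis-attribute or -- via the de-dup below --
# suppress an alert. Put the WAF's syslog source address(es) in WAF_SOURCES so
# other senders are dropped; an empty tuple keeps the original accept-anything
# behaviour. UDP source addresses are forgeable, so this is a sanity filter,
# not authentication: prefer TCP/TLS syslog or a host firewall rule on this
# port if the WAF supports it.
WAF_SOURCES = ()
ALERT_SOUND = r"/root/work/anquan/script/listing/hw/MP3/222.wav"
BUF_SIZE = 204800

# ANSI colours per detector (same as the original banners) and the reset code.
C_RED_TEAM = "\033[1;35m"
C_SQLI = "\033[1;32m"
C_DIRSCAN = "\033[1;36m"
C_RESET = "\033[0m"
ALERT_FMT = "检测到红队攻击IP: %s 目标服务器IP:%s 安全事件:%s 危险等级:%s 动作:%s"

# Field extractors, compiled once instead of on every datagram. The WAF writes
# "label:" followed by the value; ':+' tolerates repeated colons as before.
# Values run to the next whitespace, so if the WAF terminates a field with
# punctuation (e.g. "src_ip:1.2.3.4,") the captured value will not match the
# Sip list -- confirm the field layout against a real datagram.
RE_SRC_IP = re.compile(r"src_ip:+(\d+\S+)")
RE_DST_IP = re.compile(r"dst_ip:+(\d+\S+)")
RE_LEVEL = re.compile(r"alertlevel:+(\S+)")
RE_EVENT = re.compile(r"event_type:+(\S+)")
RE_ACTION = re.compile(r"action:+(\S+)")
RE_URI = re.compile(r"uri:+(\S+)")
RE_METHOD = re.compile(r"method:+(\S+)")
# dirscan probes carry an encoded newline; capture the path before the last %0A.
RE_DIRSCAN = re.compile(r"uri:+(\S+)%0A")


def _field(pattern, text):
    """Return the first capture of `pattern` in `text`, or None when absent."""
    found = pattern.search(text)
    return found.group(1) if found else None


def _clean(value):
    """Make an untrusted log field safe to echo to a terminal.

    The datagram is unauthenticated, so a field may carry ESC/CSI bytes that
    rewrite the console. C0 controls, DEL and C1 controls become '?'; the
    fields printed here (IPs, event names, levels, actions, methods) are
    expected to be plain ASCII anyway. None (field missing) prints as '-'.
    """
    if value is None:
        return '-'
    return ''.join(ch if 32 <= ord(ch) < 127 or ord(ch) > 159 else '?' for ch in value)


def _beep():
    """Play the alarm sound; audio trouble must never swallow the printed alert.

    The original called pygame inside the same try/except as the print, so a
    missing audio device or sound file silently dropped the whole alert.
    """
    try:
        if not pygame.mixer.get_init():
            pygame.mixer.init()
        pygame.mixer.music.load(ALERT_SOUND)
        pygame.mixer.music.play()
    except Exception as exc:  # pygame.error, missing file, no audio device
        sys.stderr.write("[warn] alert sound failed: %s\n" % exc)


def _alert(color, src_ip, dst_ip, event_type, alertlevel, action):
    """Sound the alarm and print one alert banner in `color` (an ANSI SGR prefix)."""
    _beep()
    fields = tuple(_clean(v) for v in (src_ip, dst_ip, event_type, alertlevel, action))
    print("===== This is WAF =====\n")
    print(color + (ALERT_FMT % fields) + C_RESET + "\n")
    print("===" * 10)


revlog = socket(AF_INET, SOCK_DGRAM)
addr = ('172.16.26.120', 515)
revlog.bind(addr)
while True:
    receive_data = revlog.recvfrom(BUF_SIZE)
    date = receive_data[0]
    Dev_ip = receive_data[1][0]

    if WAF_SOURCES and Dev_ip not in WAF_SOURCES:
        sys.stdout.write("x")  # dropped: sender is not a listed WAF
        sys.stdout.flush()
        continue

    if not isinstance(date, str):
        # Python 3 hands back bytes. The original left a 'gbk' hint for this
        # WAF's syslog encoding -- confirm against the device if non-ASCII
        # fields ever look wrong. Undecodable bytes are replaced, never raised.
        date = date.decode('gbk', 'replace')

    # Parse every field afresh for this datagram. The original kept each name
    # from the previous datagram whenever its regex missed (bare except/pass),
    # so an alert could be printed with another event's source or target IP.
    src_ip = _field(RE_SRC_IP, date)
    dst_ip = _field(RE_DST_IP, date)
    alertlevel = _field(RE_LEVEL, date)
    event_type = _field(RE_EVENT, date)
    action = _field(RE_ACTION, date)
    uri = _field(RE_URI, date)
    method = _field(RE_METHOD, date)
    dir1 = _field(RE_DIRSCAN, date)
    sys.stdout.write("=")  # 日志接收状态 -- one mark per datagram received
    sys.stdout.flush()

    if src_ip is None or dst_ip is None:
        # Not an event line in the expected format; nothing to attribute.
        continue

    #!去重 -- skip an event identical (src, dst, event_type) to the last one
    # alerted on. The original compared tmpevent_type but never assigned it,
    # so its suppression could never fire.
    key = (src_ip, dst_ip, event_type)
    if key == (tmpSip, tmpDip, tmpevent_type):
        continue

    fired = False

    #!监测红队IP -- any event from a listed red-team address.
    if src_ip in Sip:
        _alert(C_RED_TEAM, src_ip, dst_ip, event_type, alertlevel, action)
        fired = True

    #!监测红队sql注入 -- the original compared the first 19 URI characters
    # with URL1/URL2 (both 19 long), i.e. a prefix test on the request URI.
    if uri is not None and uri.startswith((URL1, URL2)):
        _alert(C_SQLI, src_ip, dst_ip, event_type, alertlevel, action)
        fired = True

    #监测红队dirscan特征 -- the path before %0A is a dirscan signature, the
    # request is a GET and the WAF classed it as HTTP_Protocol_Validation.
    # Membership uses 'in': the original's list.index() returned 0 (falsy)
    # for the first signature and raised for a miss, so entry 0 never alerted.
    if dir1 is not None and dir1 in dirscan:
        if method is not None and 'GET' in method:
            print('××××××××针对dirscan的监测××××%s×××××' % _clean(method))
            if event_type is not None and 'HTTP_Protocol_Validation' in event_type:
                _alert(C_DIRSCAN, src_ip, dst_ip, event_type, alertlevel, action)
                fired = True

    if fired:
        tmpSip, tmpDip, tmpevent_type = key

    # XSS alerting (a URI containing 'alert(<digits>)' with event_type
    # Cross_Site_Scripting) is deliberately disabled: the WAF raises far too
    # many of them, and the IPS covers XSS for this exercise.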
