Background: I am using a Perl script that submits abuse reports to abuseipdb.com. The script has only one default category (14, port scan), but I want to submit the correct category for each abuse report. Categories are submitted as numbers. There may be several categories, separated by commas (",").
List of categories: https://www.abuseipdb.com/categories
Source of the script: https://www.abuseipdb.com/csf, scroll down about halfway to find "abuseipdb_report.pl".
I have modified the script to scan the log file for keywords and, if one is found, supply the correct category number. (Drawback: this way only one category number can be used.)
It works, but it is far from perfect. All these if and elsif statements will cost a lot of processing time.
This is the snippet I cooked up. (It works!)
```perl
use strict;
use warnings;

my $cat  = '14';        # default category: port scan
my $logs = $ARGV[6];    # the log excerpt passed in by csf

# First keyword found in the log decides the category; only one can match.
if    ($logs =~ m/DOS-PROTECTION/)       { $cat = '4';  }
elsif ($logs =~ m/PROTOCOL-ENFORCEMENT/) { $cat = '15'; }
elsif ($logs =~ m/PROTOCOL-ATTACK/)      { $cat = '15'; }
elsif ($logs =~ m/DATA-LEAKAGES/)        { $cat = '16'; }
elsif ($logs =~ m/IP-REPUTATION/)        { $cat = '19'; }
elsif ($logs =~ m/SCANNER-DETECTION/)    { $cat = '19'; }
elsif ($logs =~ m/APPLICATION-ATTACK/)   { $cat = '21'; }
elsif ($logs =~ m/METHOD-ENFORCEMENT/)   { $cat = '23'; }

# $comment is built earlier in abuseipdb_report.pl (not shown here)
my $data = {
    ip         => $ARGV[0],
    comment    => $comment,
    categories => $cat,
};
```
I have tried arrays and a foreach loop, but I'm new to Perl and couldn't get it working. So I stuck with the if/elsif code.
So now you have an idea of what I'm trying to achieve.
Is there a smarter, faster way, possibly including multiple categories?
Example of $logs:
```text
2020/08/07 06:25:11 [error] 16769#0: *40996 [client 174.xxx.xxx.185] ModSecurity: Access denied with code 406 (phase 2). Matched "Operator `Within' with parameter `.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .ln (150 characters omitted)' against variable `TX:EXTENSION' (Value: `.bak/' ) [file "/etc/modsecurity.d/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1015"] [id "920440"] [rev ""] [msg "URL file extension is restricted by policy"] [data ".bak"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "46.xxx.xxx.137"] [uri "/wp-config.php.bak"] [unique_id "159678151143.002383"] [ref "o13,4o14,3v5,17o35,5t:urlDecodeUni,t:lowercase"], client: 174.xxx.xxx.185, server: <removed>, request: "GET /wp-config.php.bak HTTP/1.1", host: "<removed>", referrer: "http://<removed>/"
```
Second example of $logs:
```text
2020/08/07 06:52:14 [error] 16769#0: *42613 [client 195.xxx.xxx.89] ModSecurity: Access denied with code 406 (phase 2). Matched "Operator `Rx' with parameter `(?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5 (400 characters omitted)' against variable `REQUEST_URI_RAW' (Value: `/forum/../forum/index.php' ) [file "/etc/modsecurity.d/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "29"] [id "930100"] [rev ""] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_URI_RAW: /forum/../forum/index.php"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "46.xxx.xxx.137"] [uri "/forum/../forum/index.php"] [unique_id "159678313492.204063"] [ref "o6,4v4,25"], client: 195.xxx.xxx.89, server: <removed>, request: "GET /forum/../forum/index.php HTTP/1.1", host: "<removed>"
```
Right now I am matching on the ModSecurity .conf file names, but I'd probably better check the "tag" annotations instead.
Solution
With the help of the answer given here, I got a solution that works for me. All that's left is fine-tuning the array.
```perl
use strict;
use warnings;

# Test input: a string containing some of the keys below
my $logs = "attack-protocol attack-reputation-scanner attack PROTOCOL-ENFORCEMENT ";

# keyword found in the log => AbuseIPDB category number (still to be fine-tuned)
my %categories = (
    'DOS-PROTECTION'            => 4,
    'PROTOCOL-ENFORCEMENT'      => 15,
    'PROTOCOL-ATTACK'           => 15,
    'DATA-LEAKAGES'             => 16,
    'IP-REPUTATION'             => 19,
    'SCANNER-DETECTION'         => 19,
    'APPLICATION-ATTACK'        => 21,
    'METHOD-ENFORCEMENT'        => 23,
    'attack-lfi'                => 10,
    'attack-protocol'           => 11,
    'attack-reputation-scanner' => 12,
    'attack'                    => 15,   # substring of every 'attack-*' key, so it matches whenever they do
);

my @cats = ();
# sort the keys so the result order is stable (hash order is random in Perl)
for (sort keys %categories) {
    # \Q...\E quotes the key so it is matched as literal text, not as a regex
    if ($logs =~ /\Q$_\E/) {
        push @cats, $categories{$_};
    }
}

# drop duplicate category numbers, keeping the first occurrence of each
my %seen;
@cats = grep { !$seen{$_}++ } @cats;

print "categories => ", join(',', @cats), "\n";
```
An obvious improvement is to store the categories in an array. That way you can submit multiple categories:
```perl
my @cats = (14);
my $logs = $ARGV[6];
if ($logs =~ m/DOS-PROTECTION/) { push @cats, 4; }
elsif ($logs =~ m/PROTOCOL-ENFORCEMENT/) { push @cats, 15; }
# etc...
my $data = {
    ip         => $ARGV[0],
    comment    => $comment,
    categories => join ',', @cats,
};
```
I would also consider a data-driven approach, where the strings you want to match are stored in a hash together with their associated category.
```perl
my %categories = (
    'DOS-PROTECTION'       => 4,
    'PROTOCOL-ENFORCEMENT' => 15,
    # etc...
);
```
Then you can check them with a loop:
```perl
my @cats = (14);
my $logs = $ARGV[6];
for (keys %categories) {
    if ($logs =~ /$_/) {
        push @cats, $categories{$_};
    }
}
```
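The question ends with the thought that matching the `[tag "..."]` annotations would be better than matching rule-file names, and the answer shows the hash-driven loop. The block below is an added example, written for this page rather than taken from the question, the answer or the csf script: it pulls every tag out of a ModSecurity line, looks each one up exactly (so a short key such as `attack` can no longer match `attack-lfi` by accident), falls back to the rule-file keywords from the original if/elsif chain, de-duplicates while keeping order, and only then applies the port-scan default. The category numbers are the ones used on this page; which CRS tag deserves which AbuseIPDB category is an assumption to tune, and the three sample lines are constructed (two abbreviated from the question's examples, one non-ModSecurity line).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# CRS tag => AbuseIPDB category number. The numbers follow the question
# (14 = port scan default, 15, 21, 16, 4, 19); the tag-to-category choice
# is an assumption for this example and should be tuned to your policy.
my %tag_to_category = (
    'attack-protocol'           => 15,
    'attack-lfi'                => 21,
    'attack-rfi'                => 21,
    'attack-xss'                => 21,
    'attack-sqli'               => 16,
    'attack-dos'                => 4,
    'attack-reputation-scanner' => 19,
);

# Second chance: keywords from the rule-file name, as in the original if/elsif chain.
my %file_to_category = (
    'DOS-PROTECTION'       => 4,
    'PROTOCOL-ENFORCEMENT' => 15,
    'PROTOCOL-ATTACK'      => 15,
    'DATA-LEAKAGES'        => 16,
    'IP-REPUTATION'        => 19,
    'SCANNER-DETECTION'    => 19,
    'APPLICATION-ATTACK'   => 21,
    'METHOD-ENFORCEMENT'   => 23,
);

# Return the comma-separated AbuseIPDB category list for one log line.
sub categories_for {
    my ($log) = @_;
    my (@cats, %seen);

    # Every [tag "..."] value on the line, looked up exactly against the hash,
    # so no key is ever treated as a regex or as a substring of another tag.
    for my $tag ($log =~ /\[tag "([^"]+)"\]/g) {
        next unless exists $tag_to_category{$tag};
        my $cat = $tag_to_category{$tag};
        push @cats, $cat unless $seen{$cat}++;   # de-duplicate, keep first-seen order
    }

    # No usable tag: fall back to the rule-file keywords. index() is a literal
    # substring search, so regex metacharacters in a key cannot bite here either.
    if (!@cats) {
        for my $kw (sort keys %file_to_category) {   # sorted for a stable result order
            next if index($log, $kw) < 0;
            my $cat = $file_to_category{$kw};
            push @cats, $cat unless $seen{$cat}++;
        }
    }

    @cats = (14) unless @cats;   # nothing recognised: keep the script's port-scan default
    return join ',', @cats;
}

# Constructed sample lines: two abbreviated from the question's examples and
# one non-ModSecurity line that should fall through to the default.
my @samples = (
    '[client 174.xxx.xxx.185] ModSecurity: Access denied with code 406 (phase 2). '
      . '[file "/etc/modsecurity.d/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920440"] '
      . '[tag "application-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [uri "/wp-config.php.bak"]',
    '[client 195.xxx.xxx.89] ModSecurity: Access denied with code 406 (phase 2). '
      . '[file "/etc/modsecurity.d/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [id "930100"] '
      . '[tag "attack-lfi"] [tag "OWASP_CRS"] [uri "/forum/../forum/index.php"]',
    'Aug  7 06:30:01 host lfd[1234]: some other block message with no ModSecurity tags',
);

print categories_for($_), "\n" for @samples;
```

For the three sample lines this prints 15, 21 and 14. In abuseipdb_report.pl the call would replace the `$cat` variable, i.e. `categories => categories_for($ARGV[6])` in the `$data` hash. Looking tags up in a hash is a constant-time operation per tag, so the cost no longer grows with the number of keywords the way a chain of regex tests does; the fallback loop still scans the line once per keyword, but only when no tag matched.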