Print records from log file using perl and hash data structure

Question
I have the following script, originally written by @zdim and I tweaked it a bit.

```perl
#!/usr/bin/perl
use warnings;
use strict;

my $file = "/home/tsec/prototype/logs/extractedlogs/cowrieresult.log";
open(LOG, '<', $file) or die "Cannot open $file: $!";

# Assemble results for required output in data structure:
# %rept = { $port => { $usr => { $status => $freq } };
my %testhash;    # new code: number of "New connection" lines per IP
my %rept;
my ($ip, $port);

while (my $line = <LOG>)
{
    if ($line =~ /New connection/) {
        ($ip, $port) = $line =~ /New connection:\s+([^:]+):(\d+)/;
        # new code here
        if ($ip) {
            $testhash{$ip}++;
        }
        # end
        next;
    }

    my ($usr, $status) = $line =~ m/login\ attempt \s+ \[ ( [^\]]+ ) \] \s+ (\w+)/x;

    if ($usr and $status) {
        # $port is still undef for login lines that precede the first
        # "New connection" line; those land under the key "" (with a warning)
        $rept{$port}{$usr}{$status}++;
    }
    else { warn "Line with an unexpected format:\n$line" }
}
close(LOG);

#close(LOG);
#open (LOG, $file);
#my $frequency = 0;
#while (my $line = <LOG>){
#    if ($line =~ /login attempt/){
#        # split string, get the ip and match it with original $ip
#        my ($testip) = (split /[\s,:\[\]\/]+/, $line)[-6];
#        #print "$testip\n";
#        # the two lines above print ips from the login attempt line.
#        if ($testip =~ /$ip/){
#            $frequency++;
#        }
#        elsif ($testip =~ /^(?!$ip)/) {
#            # stop frequency counter and start another one?
#            print "$frequency\n";
#            $frequency = 0;
#        }
#    }
#}
#print "$frequency\n";
#close(LOG);

# new code
print "ConnectionsOnIP\n";
foreach my $ip (sort keys %testhash) {
    print "$testhash{$ip}\n";
}
print "\n";

# new code
print "Port,Status,AttemptOnPort,AttemptsOnIP,Malicious\n";
foreach my $ip (sort keys %testhash) {
    foreach my $port (sort keys %rept) {
        foreach my $usr (sort keys %{$rept{$port}}) {
            foreach my $stat (sort keys %{$rept{$port}{$usr}}) {
                if ($port ne "") {
                    print "$port,$stat,$rept{$port}{$usr}{$stat},$testhash{$ip}\n";
                }
            }
        }
    }
}
# new code
```

As can be seen, I want to have the desired output, which is working at the moment except for the last variable (AttemptsOnIP). I want the AttemptsOnIP variable to do what AttemptsOnPort does, to some extent:
```text
Port,Status,AttemptsOnPort,ConnectionsOnIP,Malicious
15853,failed,4,18
15853,succeeded,4,18
18693,failed,1,18
18942,failed,1,18
18942,succeeded,1,18
31130,succeeded,1,18
43041,failed,1,18
43041,succeeded,1,18
46321,failed,1,18
46321,succeeded,1,18
47417,failed,3,18
47417,succeeded,3,18
48713,failed,1,18
48713,succeeded,1,18
53653,failed,1,18
53653,succeeded,1,18
60563,failed,1,18
60563,succeeded,1,18
```

I created a hash called testhash and passed it the ip variable to increment it. Now I want to increment this hashed variable depending on the IP of a single line of output. This is the logfile:
```text
2016-05-02 10:20:56+0000 [SSHService ssh-userauth on HoneyPotTransport,14,183.3.202.172] login attempt [root/!@] failed
2016-05-02 10:20:57+0000 [SSHService ssh-userauth on HoneyPotTransport,15,183.3.202.172] login attempt [root/!@] failed
2016-05-02 10:20:57+0000 [SSHService ssh-userauth on HoneyPotTransport,14,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 10:20:58+0000 [SSHService ssh-userauth on HoneyPotTransport,15,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 10:43:32+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:55157 (172.17.0.5:2222) [session: 43283650]
2016-05-02 10:43:46+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:10319 (172.17.0.5:2222) [session: c7702f86]
2016-05-02 10:43:53+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:46321 (172.17.0.5:2222) [session: fe7bb804]
2016-05-02 10:43:57+0000 [SSHService ssh-userauth on HoneyPotTransport,17,183.3.202.172] login attempt [root/!@] failed
2016-05-02 10:43:58+0000 [SSHService ssh-userauth on HoneyPotTransport,17,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 10:43:59+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:18693 (172.17.0.5:2222) [session: d74eae96]
2016-05-02 10:44:02+0000 [SSHService ssh-userauth on HoneyPotTransport,18,183.3.202.172] login attempt [root/!@] failed
2016-05-02 10:44:03+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:31130 (172.17.0.5:2222) [session: 3bde7820]
2016-05-02 10:44:03+0000 [SSHService ssh-userauth on HoneyPotTransport,18,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 10:44:05+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:47417 (172.17.0.5:2222) [session: 3e177c02]
2016-05-02 10:44:06+0000 [SSHService ssh-userauth on HoneyPotTransport,19,183.3.202.172] login attempt [root/!@] failed
2016-05-02 10:44:09+0000 [SSHService ssh-userauth on HoneyPotTransport,19,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 10:44:10+0000 [SSHService ssh-userauth on HoneyPotTransport,21,183.3.202.172] login attempt [root/!@] failed
2016-05-02 10:44:11+0000 [SSHService ssh-userauth on HoneyPotTransport,21,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 10:44:13+0000 [SSHService ssh-userauth on HoneyPotTransport,20,183.3.202.172] login attempt [root/!@] failed
2016-05-02 10:44:14+0000 [SSHService ssh-userauth on HoneyPotTransport,20,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 11:06:55+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:13849 (172.17.0.5:2222) [session: b20915b6]
2016-05-02 11:07:06+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:61338 (172.17.0.5:2222) [session: cd38fe51]
2016-05-02 11:07:14+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:23048 (172.17.0.5:2222) [session: 01b12825]
2016-05-02 11:07:21+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:60563 (172.17.0.5:2222) [session: ad64232b]
2016-05-02 11:07:26+0000 [SSHService ssh-userauth on HoneyPotTransport,23,183.3.202.172] login attempt [root/!@] failed
2016-05-02 11:07:27+0000 [SSHService ssh-userauth on HoneyPotTransport,23,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 11:07:33+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:53653 (172.17.0.5:2222) [session: 9c48415b]
2016-05-02 11:07:41+0000 [SSHService ssh-userauth on HoneyPotTransport,26,183.3.202.172] login attempt [root/!@] failed
2016-05-02 11:07:47+0000 [SSHService ssh-userauth on HoneyPotTransport,26,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 11:12:25+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:18942 (172.17.0.5:2222) [session: a4dc4901]
2016-05-02 11:12:34+0000 [SSHService ssh-userauth on HoneyPotTransport,27,183.3.202.172] login attempt [root/!@] failed
2016-05-02 11:12:36+0000 [SSHService ssh-userauth on HoneyPotTransport,27,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 11:32:40+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:40091 (172.17.0.5:2222) [session: aeb36234]
2016-05-02 11:32:43+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:53505 (172.17.0.5:2222) [session: 9022c831]
2016-05-02 11:32:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:15131 (172.17.0.5:2222) [session: cf62fb9a]
2016-05-02 11:32:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:15853 (172.17.0.5:2222) [session: f2f6c254]
2016-05-02 11:32:50+0000 [SSHService ssh-userauth on HoneyPotTransport,28,183.3.202.172] login attempt [root/!@] failed
2016-05-02 11:32:52+0000 [SSHService ssh-userauth on HoneyPotTransport,28,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 11:32:55+0000 [SSHService ssh-userauth on HoneyPotTransport,29,183.3.202.172] login attempt [root/!@] failed
2016-05-02 11:32:55+0000 [SSHService ssh-userauth on HoneyPotTransport,30,183.3.202.172] login attempt [root/!@] failed
2016-05-02 11:32:56+0000 [SSHService ssh-userauth on HoneyPotTransport,30,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 11:32:57+0000 [SSHService ssh-userauth on HoneyPotTransport,31,183.3.202.172] login attempt [root/!@] failed
2016-05-02 11:32:59+0000 [SSHService ssh-userauth on HoneyPotTransport,31,183.3.202.172] login attempt [root/123456] succeeded
```
Therefore the output should be as follows for the first two lines:

```text
Port,Status,AttemptsOnPort,ConnectionsOnIP,Malicious
15853,failed,4,(total no of times the IP using this port is seen in log, even if it used other ports)
15853,succeeded,4,18
```
Solution

This code prints a report in the following format. Remove the `(IP)` field if undesired.

```text
Port,Status,AttemptOnPort,(IP),ConnectionsOnIP
```

Such a line is printed for each user. However, `ConnectionsOnIP` is the total number of times this IP is seen, for all users and ports. The code also prints a separate report on IPs alone. See comments about related questions.

```perl
use strict;
use warnings;

my $file = 'logfile.txt';
open my $fh_in, '<', $file or die "Cannot open $file: $!";

# Assemble results for required output in data structure:
# %rept = {
#     $port => {
#         $ip => {
#             $usr => {
#                 $status => $freq
#             },
#         },
#     },
# };
# Auxiliary:  %ip_tot = { $ip => { $status => $freq } }
my (%rept, %ip_tot);
my ($ip, $port);

while (my $line = <$fh_in>)
{
    if ($line =~ /New connection/) {
        ($ip, $port) = $line =~ /New connection:\s+([^:]+):(\d+)/;
        next;
    }
    elsif (!$ip or !$port) { next }    # First lines come before New connection

    my ($usr, $status) = $line =~ m/login attempt\s+\[([^\]]+)\]\s+(\w+)/;

    if ($usr and $status) {
        $rept{$port}{$ip}{$usr}{$status}++;
        $ip_tot{$ip}{$status}++;
    }
    else { warn "Line with an unexpected format:\n$line" }
}
close $fh_in;

print "Port,Status,AttemptOnPort,(IP),ConnectionsOnIP\n";
foreach my $port (sort keys %rept) {
    foreach my $ip (sort keys %{$rept{$port}}) {
        foreach my $usr (sort keys %{$rept{$port}{$ip}}) {
            foreach my $stat ( sort keys %{$rept{$port}{$ip}{$usr}} ) {
                print "$port,$stat,$rept{$port}{$ip}{$usr}{$stat}";
                print ",($ip),$ip_tot{$ip}{$stat}\n";
            }
        }
    }
}
print "\n";

print "IP,Status,Occurrences\n";
foreach my $ip (sort keys %ip_tot) {
    foreach my $stat ( sort keys %{$ip_tot{$ip}} ) {
        print "$ip,$stat,$ip_tot{$ip}{$stat}\n";
    }
}
```

With the supplied input as `logfile.txt` this prints

```text
Port,Status,AttemptOnPort,(IP),ConnectionsOnIP
15853,failed,4,(183.3.202.172),12
15853,succeeded,3,(183.3.202.172),11
18693,failed,1,(183.3.202.172),12
18942,failed,1,(183.3.202.172),12
18942,succeeded,1,(183.3.202.172),11
31130,succeeded,1,(183.3.202.172),11
46321,failed,1,(183.3.202.172),12
46321,succeeded,1,(183.3.202.172),11
47417,failed,3,(183.3.202.172),12
47417,succeeded,3,(183.3.202.172),11
53653,failed,1,(183.3.202.172),12
53653,succeeded,1,(183.3.202.172),11
60563,failed,1,(183.3.202.172),12
60563,succeeded,1,(183.3.202.172),11

IP,Status,Occurrences
183.3.202.172,failed,12
183.3.202.172,succeeded,11
```
Regex explanation. This is valid code, courtesy of `/x`; whitespace and comments in the pattern are ignored.

```perl
my ($usr, $status) = $line =~ m/
    login\ attempt \s+    # literal, serves as a 'post' to help matching
    \[                    # literal [ within which our pattern is
    (                     # start capture
        [^\]]+            # any char which is not ], 1 or more times
    )                     # end of capture
    \] \s+                # closing literal ]
    (\w+)                 # next capture: any 'word' char, 1 or more times
/x;
```

In the heart of this is the negated character class, `[^\]]`. It says: match any one character (`[...]`) that is not (`^`) a bracket (`\]`), which needs to be escaped (`\`) to mean the literal character. The `+` behind it means one or more times. For example

```perl
use feature 'say';

my $str = 'a5_".-]B1';
if ($str =~ m/([^\]]+)/) { say "Got: $1" }
```

This prints `Got: a5_".-`. Everything up to the first `]` is matched (and captured). This is one way to specify a non-greedy match, going up to the first occurrence of the given character. Note that something like `.+]` would match everything up to the last `]`; it is greedy.

See the Regular Expressions Tutorial. Search SO for specific questions, for mini-tutorials as well.
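Both scripts above charge a login attempt to the port of the most recent `New connection` line. In the posted log that join key is weak: between 11:32:40 and 11:32:48 four connections are opened back to back, and the attempts that follow arrive on four different transports (28, 29, 30 and 31), yet every one of them is counted under port 15853, the last port seen. The login line carries the transport id, which is the per-session key the log actually has; the `New connection` line carries the session id and source port, and nothing in this log format ties a transport id to a port. The following is an added example, not part of the question or of @zdim's answer. It parses a constructed excerpt of that burst, keeps the page's last-port count for comparison, and additionally counts attempts per transport and per IP from the login line itself. The regexes, the hash names and the sample lines are my own assumptions about the format shown on this page.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: the 11:32 burst from the question's log, in which four
# connections are opened back to back and the logins then arrive on four
# different transports (28 to 31).
my @lines = (
    '2016-05-02 11:32:40+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:40091 (172.17.0.5:2222) [session: aeb36234]',
    '2016-05-02 11:32:43+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:53505 (172.17.0.5:2222) [session: 9022c831]',
    '2016-05-02 11:32:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:15131 (172.17.0.5:2222) [session: cf62fb9a]',
    '2016-05-02 11:32:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:15853 (172.17.0.5:2222) [session: f2f6c254]',
    '2016-05-02 11:32:50+0000 [SSHService ssh-userauth on HoneyPotTransport,28,183.3.202.172] login attempt [root/!@] failed',
    '2016-05-02 11:32:52+0000 [SSHService ssh-userauth on HoneyPotTransport,28,183.3.202.172] login attempt [root/123456] succeeded',
    '2016-05-02 11:32:55+0000 [SSHService ssh-userauth on HoneyPotTransport,29,183.3.202.172] login attempt [root/!@] failed',
    '2016-05-02 11:32:55+0000 [SSHService ssh-userauth on HoneyPotTransport,30,183.3.202.172] login attempt [root/!@] failed',
    '2016-05-02 11:32:56+0000 [SSHService ssh-userauth on HoneyPotTransport,30,183.3.202.172] login attempt [root/123456] succeeded',
    '2016-05-02 11:32:57+0000 [SSHService ssh-userauth on HoneyPotTransport,31,183.3.202.172] login attempt [root/!@] failed',
    '2016-05-02 11:32:59+0000 [SSHService ssh-userauth on HoneyPotTransport,31,183.3.202.172] login attempt [root/123456] succeeded',
);

# The two line shapes seen in the posted log (named captures need Perl 5.10+).
my $conn_re  = qr{New connection:\s+(?<ip>[^:\s]+):(?<port>\d+)\s+\(.*?\)\s+\[session:\s*(?<session>\w+)\]};
my $login_re = qr{HoneyPotTransport,(?<tid>\d+),(?<ip>[^\]]+)\]\s+login attempt\s+\[(?<user>[^/\]]*)/(?<pass>[^\]]*)\]\s+(?<status>\w+)};

my (%conn, %by_port, %by_tid, %ip_tot);
my $last_port;    # the page's join key: port of the most recent New connection

sub parse_line {
    my ($line) = @_;

    if ($line =~ $conn_re) {
        my ($ip, $port, $session) = ($+{ip}, $+{port}, $+{session});
        $last_port = $port;
        $conn{$ip}{$port} = $session;    # one entry per source port
        return 'connection';
    }
    if ($line =~ $login_re) {
        my ($tid, $ip, $status) = ($+{tid}, $+{ip}, $+{status});
        # The page's method: charge the attempt to the last port seen.
        $by_port{ $last_port // 'none' }{$status}++;
        # The transport id is the per-session key the log actually carries.
        $by_tid{$ip}{$tid}{$status}++;
        # Per-IP total taken from the login line itself, so it does not depend
        # on which New connection line happened to come last.
        $ip_tot{$ip}{$status}++;
        return 'login';
    }
    warn "Line with an unexpected format:\n$line\n";
    return 'unknown';
}

parse_line($_) for @lines;

print "IP,Connections,Transports,Failed,Succeeded\n";
for my $ip (sort keys %ip_tot) {
    printf "%s,%d,%d,%d,%d\n", $ip,
        scalar(keys %{ $conn{$ip}   || {} }),
        scalar(keys %{ $by_tid{$ip} || {} }),
        $ip_tot{$ip}{failed}    // 0,
        $ip_tot{$ip}{succeeded} // 0;
}

print "\nPort(last New connection),Status,Attempts\n";
for my $port (sort keys %by_port) {
    print "$port,$_,$by_port{$port}{$_}\n" for sort keys %{ $by_port{$port} };
}

print "\nIP,Transport,Status,Attempts\n";
for my $ip (sort keys %by_tid) {
    for my $tid (sort { $a <=> $b } keys %{ $by_tid{$ip} }) {
        print "$ip,$tid,$_,$by_tid{$ip}{$tid}{$_}\n" for sort keys %{ $by_tid{$ip}{$tid} };
    }
}
```

Run as-is, the per-IP row reports 4 connections, 4 transports, 4 failed and 3 succeeded attempts; the last-port table still puts all seven attempts on 15853, while the per-transport table splits them across transports 28 to 31, one failed and (except for 29) one succeeded each. To run it on the real file, replace `@lines` with a read loop over a file handle and keep the `warn` branch: an unexpected line shape is the first sign that the honeypot's log format has changed under the parser.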