使用perl和散列数据结构从日志文件打印记录 [英] Print records from log file using perl and hash data structure

查看：154 发布时间：2018/6/1 19:32:56 perl logging hash output

本文介绍了使用perl和散列数据结构从日志文件打印记录的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

 ＃！/ usr /下面的脚本最初由@zdim编写，我修改了一下。 bin / perl 
 
使用警告; 
使用strict; 
 
 my $ file =/home/tsec/prototype/logs/extractedlogs/cowrieresult.log; 
打开（LOG，$ file）; 
 
＃汇编数据结构中所需输出的结果：
＃％rept = {$ port => {$ usr => {$ status => $ freq}}; 
 
 my％testhash; #new code 
 my％rept; 
 my（$ ip，$ port）; 
 
 while（my $ line =< LOG>）
 {
 if（$ line =〜/ New connection /）{
（$ ip，$ port ）= $ line =〜/新建连接：\s +（[^：] +）:( \d +）/; 
 #new code here 
 if（$ ip）{
 $ testhash {$ ip} ++; 
} 
 #end 
 next; 
 
 $ b $ my（$ usr，$ status）= $ line =〜m / login\ attempt \s + \ [（[^ \]] +）\] \s +（\ w +）/ x; 
 if（$ usr and $ status）{
 $ rept {$ port} {$ usr} {$ status} ++; 
} 
 else {warn以意想不到的格式行：\ $ $ line} 
} 
 #close（LOG）; 
 #open（LOG，$ file）; 
 #my $ frequency = 0; 
 #while（my $ line =< LOG>）{
＃if（$ line =〜/ login attempt /）{
 
 #split string，get the ip and匹配原始$ ip 
＃my（$ testip）=（split / [\s，：\ [\] \ /] + /，$ line）[ -  6]; 
 #print$ testip \\\
; 
＃这是来自登录尝试行的打印ips的两行。 
＃if（$ testip =〜/ $ ip /）{
＃$ frequency ++; 
＃} 
 #elsif（$ testip =〜/ ^（？！$ ip）/）{
＃停止频率计数器并启动另一个计数器？ 
＃print$ frequency \\\
; 
＃$频率= 0; 
＃} 
 
＃} 
＃} 
 #print$ frequency \\\
; 
 #close（LOG）; 
 
 #new code 
 printConnectionsOnIP\\\
; 
 foreach我的$ ip（sort keys％testhash）{
 print$ testhash {$ ip} \\\
; 
} 
 
打印\\\
; 
 
 #new code 
 printPort，Status，AttemptOnPort，AttemptsOnIP，Malicious \\\
; 
 foreach我的$ ip（sort keys％testhash）{
 foreach $ port $（sort keys％rept）{
 foreach $ usr（sort keys％{$ rept {$ port}} ）{
 foreach my $ stat（sort key％{$ rept {$ port} {$ usr}}）{
 if（$ port ne）{
 print$ port， $统计，$ REPT {$端口} {$ USR} {$}统计，$ testhash {$ IP} \\\
; 
} 
} 
} 
 
} 
} 
＃新密码

可以看出，除了最后一个变量（AttemptsOnIP）之外，我希望获得所需的输出，我希望AttemptsOnIP变量能够执行AttemptsOnPort在某种程度上具有一定的功能：

  Port，Status，AttemptsOnPort，ConnectionsOnIP，恶意
 15853，失败，4,18 
 15853，成功，4,18 
 18693，失败，1,18 
 18942，失败，1,18 
 18942，成功，1,18 
 31130，成功，1,18 
 43041，失败，1,18 
 43041，成功，1,18 
 46321，失败，1,18 
 46321，成功，1,18 
 47417，失败，3,18 
 47417，成功，3,18 
 48713，失败，1,18 
 48713，成功，1,18 
 53653，失败，1,18 
 53653，成功，1,18 $ b $ 60563，失败，1,18 $ b $ 60563，成功，1,18 
  pre> 
 
 我创建了一个名为testhash的散列并将它传递给ip变量以增加它。现在我想根据单行输出的IP增加这个散列变量。这是日志文件：
  2016-05-02 10：20：56 + 0000 [HoneyPotTransport上的SSHService ssh-userauth，14,183.3 .202.172]登录尝试[root /！@]失败
 2016-05-02 10：20：57 + 0000 [HoneyPotTransport上的SSHService ssh-userauth，15,183.3.202.172] login attempt [root /！@] failed 
 2016-05-02 10：20：57 + 0000 [在HoneyPotTransport上的SSHService ssh-userauth，14,183.3.202.172]登录尝试[root / 123456]成功
 2016-05-02 10：20：58+ 0000 [SSHService在HoneyPotTransport上的ssh-userauth，15,183.3.202.172]登录尝试[root / 123456]成功
 2016-05-02 10：43：32 + 0000 [cowrie.ssh.transport.HoneyPotSSHFactory]新建连接：183.3 .202.172：55157（172.17.0.5:2222）[session：43283650] 
 2016-05-02 10：43：46 + 0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection：183.3.202.172:10319（ 172.17.0.5:2222）[session：c7702f86] 
 2016-05-02 10：43：53 + 0000 [cowrie.ssh.transport.HoneyPotSSHFactory]新建连接：183.3.202.172:46321（172.17.0.5:2222 ）[session：fe7bb804] 
 2016-05-02 10：43：57 + 0000 [SSHService ssh-userauth on HoneyPotTransport，17,183.3.202.172] login attempt [root /！@] failed 
 2016-05-02 10:43:58 + 0000 [在HoneyPotTransport上使用SSHService ssh-userauth，17,183.3.202.172]登录尝试[root / 123456]成功
 2016-05-02 10：43：59 + 0000 [cowrie.ssh.transport.HoneyPotSSHFactory]新建连接：183.3.202.172 ：18693（172.17.0.5:2222）[session：d74eae96] 
 2016-05-02 10：44：02 + 0000 [HoneyPotTransport上的SSHService ssh-userauth，18,183.3.202.172] login attempt [root /！@]失败
 2016-05-02 10：44：03 + 0000 [cowrie.ssh.transport.HoneyPotSSHFactory]新建连接：183.3.202.172:31130（172.17.0.5:2222）[session：3bde7820] 
 2016-05-02 10：44：03 + 0000 [SSHService ssh-userauth on HoneyPotTransport，18,183.3.202.172]登录尝试[root / 123456]成功
 2016-05-02 10：44：05 + 0000 [cowrie .ssh.transport.HoneyPotSSHFactory]新建连接：183.3.202.172:47417（172.17.0.5:2222）[session：3e177c02] 
 2016-05-02 10：44：06 + 0000 [SSHService ssh-useraut H on HoneyPotTransport，19,183.3.202.172]登录尝试[root /！@]失败
 2016-05-02 10：44：09 + 0000 [SSHService ssh-userauth on HoneyPotTransport，19,183.3.202.172] login attempt [root / 123456]成功
 2016-05-02 10：44：10 + 0000 [HoneyPotTransport，21,183.3.202.172上的SSHService ssh-userauth]登录尝试[root /！@]失败
 2016-05-02 10 ：44：11 + 0000 [HoneyPotTransport上的SSHService ssh-userauth，21,183.3.202.172]登录尝试[root / 123456]成功
 2016-05-02 10：44：13 + 20,183.3.202.172]登录尝试[root /！@]失败
 2016-05-02 10：44：14 + 0000 [HoneyPotTransport上的SSHService ssh-userauth，20,183.3.202.172] login attempt [root / 123456] succeeded 
 2016-05-02 11：06：55 + 0000 [cowrie.ssh.transport.HoneyPotSSHFactory]新建连接：183.3.202.172:13849（172.17.0.5:2222）[session：b20915b6] 
 2016- 05-02 11：07：06 + 0000 [cowrie.ssh.transport.HoneyPotSSHFactory]新建连接：183.3.202.172:61338（172.17.0.5:2222）[session： cd38fe51] 
 2016-05-02 11：07：14 + 0000 [cowrie.ssh.transport.HoneyPotSSHFactory]新建连接：183.3.202.172:23048（172.17.0.5:2222）[session：01b12825] 
 2016-05-02 11：07：21 + 0000 [cowrie.ssh.transport.HoneyPotSSHFactory]新建连接：183.3.202.172:60563（172.17.0.5:2222）[session：ad64232b] 
 2016-05- 02 11：07：26 + 0000 [SSHService ssh-userauth在HoneyPotTransport，23,183.3.202.172]登录尝试[root /！@]失败
 2016-05-02 11：07：27 + 0000 [SSHService ssh-userauth在HoneyPotTransport，23,183.3.202.172]登录尝试[root / 123456]成功
 2016-05-02 11：07：33 + 0000 [cowrie.ssh.transport.HoneyPotSSHFactory]新连接：183.3.202.172:53653（172.17 .0.5：2222）[session：9c48415b] 
 2016-05-02 11：07：41 + 0000 [HoneyPotTransport上的SSHService ssh-userauth，26,183.3.202.172] login attempt [root /！@] failed 
 2016-05-02 11：07：47 + 0000 [SSHService在HoneyPotTransport上的ssh-userauth，26,183.3.202.172]登录尝试[root / 123456]成功
 2016-05-02 11：12：25 + 0000 [贝。 ssh.transport.HoneyPotSSHFactory]新建连接：183.3.202.172:18942（172.17.0.5:2222）[session：a4dc4901] 
 2016-05-02 11：12：34 + 0000 [SSHService ssh-userauth on HoneyPotTransport， 27,183.3.202.172]登录尝试[root /！@]失败
 2016-05-02 11：12：36 + 0000 [SSHService ssh-userauth on HoneyPotTransport，27,183.3.202.172]登录尝试[root / 123456]成功
 2016-05-02 11：32：40 + 0000 [cowrie.ssh.transport.HoneyPotSSHFactory]新建连接：183.3.202.172:40091（172.17.0.5:2222）[session：aeb36234] 
 2016- 05-02 11：32：43 + 0000 [cowrie.ssh.transport.HoneyPotSSHFactory]新建连接：183.3.202.172:53505（172.17.0.5:2222）[session：9022c831] 
 2016-05-02 11： 32：48 + 0000 [cowrie.ssh.transport.HoneyPotSSHFactory]新建连接：183.3.202.172:15131（172.17.0.5:2222）[session：cf62fb9a] 
 2016-05-02 11:32:48 + 0000 [cowrie.ssh.transport.HoneyPotSSHFactory]新建连接：183.3.202.172:15853（172.17.0.5:2222）[session：f2f6c254] 
 2016-05-02 11:32:50 + 0000 [SSHService ssh-usera在HoneyPotTransport上，28,183.3.202.172]登录尝试[root /！@]失败
 2016-05-02 11:32:52 + 0000 [SSHService在HoneyPotTransport上的ssh-userauth，28,183.3.202.172]登录尝试[root / 123456]已成功
 2016-05-02 11：32：55 + 0000 [HoneyPotTransport上的SSHService ssh-userauth，29,183.3.202.172]登录尝试[root /！@]失败
 2016-05-02 11 ：32：55 + 0000 [HoneyPotTransport上的SSHService ssh-userauth，30,183.3.202.172]登录尝试[root /！@]失败
 2016-05-02 11：32：56 + 0000 [HoneySpotTransport上的SSHService ssh-userauth ，30,183.3.202.172]登录尝试[root / 123456]成功
 [SSHService ssh-userauth在HoneyPotTransport上，31,183.3.202.172]登录尝试[root /！@]失败
 2016-05-02 11：32：59 + 0000 [HoneyPotTransport上的SSHService ssh-userauth，31,183.3.202.172]登录尝试[root / 123456]成功
  
因此，前两行的输出应该如下所示： 
 
 端口，状态，AttemptsOnPort，C onnectionsOnIP，恶意的
 15853，失败，4，（使用此端口的IP在日志中出现的次数总和，即使它使用其他端口）
 15853，成功，4,18 
  
 
 
解决方案
此代码以下列格式打印报告。如果不需要，请删除（IP）字段。 
 
 
 
 Port，Status，AttemptOnPort，（ IP），ConnectionsOnIP 
 
为每个用户打印此行。但是， ConnectionsOnIP 是所有 用户和端口的IP地址总数。该代码还单独打印单独的IP报告。查看关于相关问题的评论。
  use strict; 
使用警告; 
 
 my $ file ='logfile.txt'; 
打开我的$ fh_in，'<'，$ file; 
 
＃在数据结构中汇编所需输出的结果：
＃％rept = {
＃$ port => {
＃$ ip => {
＃$ usr => {
＃$ status => $ freq 
＃}，
＃}，
＃}，
＃}; 
＃辅助：％ip_tot = {$ ip => {$ status => $ freq}} 
 
 my（％rept，％ip_tot）; 
 my（$ ip，$ port）; 
 
 while（my $ line =< $ fh_in>）
 {
 if（$ line =〜/ New connection /）{
（$ ip，$端口）= $ line =〜/新建连接：\s +（[^：] +）:( \d +）/; 
 next; 
 
 elsif（！$ ip或！$ port）{next}＃第一行出现在新连接
 
 my（$ usr，$ status）= $ line =〜 m / login attempt \s + \ [（[^ \]] +）\] \ s +（\ w +）/; 
 if（$ usr and $ status）{
 $ rept {$ port} {$ ip} {$ usr} {$ status} ++; 
 $ ip_tot {$ ip} {$ status} ++; 
} 
 else {warn以意外格式行：\ $ $ line} 
} 
 
 print端口，状态，尝试端口， ，ConnectionsOnIP\\\
; 
 foreach我的$端口（排序键％rept）{
 foreach我的$ ip（排序键％{$ rept {$ port}}）{
 foreach我$ usr（排序键％ $ rept {$ port} {$ ip}}）{
 foreach我的$ stat（排序键％{$ rept {$ port} {$ ip} {$ usr}}）{
 print$端口，$统计，$ REPT {$端口} {$ IP} {$ USR} {$ STAT}; 
 print$，（ip），$ ip_tot {$ ip} {$ stat} \\\
; 
} 
} 
} 
} 
 
打印\\\
; 
打印IP，状态，发生次数; 
 foreach my $ ip（sort keys％ip_tot）{
 foreach my $ stat（sort keys％{$ ip_tot {$ ip}}）{
 print$ ip，$ stat，$ ip_tot {$ IP} {$ STAT} \\\
; 
 
 
 
 
 $ b $提供的输入为 logfile.txt 此打印
 
端口，状态，尝试端口，（IP），ConnectionsOnIP 
 15853 ，失败4，（183.3.202.172），12 $ b 15853，成功，3，（183.3.202.172），11 
 18693，失败，1，（183.3.202.172），12 
 18942，失败，1，（183.3.202.172），12 $ b 18942，成功，1，（183.3.202.172），11 $ b 31130，成功，1，（183.3.202.172），11 $ b $ （183.3.202.172），12 $ b $ 46321，成功，1， $ b 47417，成功，3，（183.3.202.172），11 
 53653，失败，1，（183.3.202.172），12 
 53653，成功，1，（183.3.202.172），11 $ b $ 60563，失败，1，（183.3.202.172），12 $ b $ 60563，成功，1，（183.3.202.172），11 
 
知识产权，地位，出现
 183.3.202.172，失败，12 
 183.3.202.172，成功，11 
 
 
 
 
 
 
 正则表达式的解释。这是有效的代码，由 / x 提供。  \ s + 在评论中被忽略。
  my（$ usr ，$ status = $ line =〜m / 
 login \ attempt \s +＃literal，用作'post'来帮助匹配
 \\ [[literal] [其中我们的模式是
（＃开始捕获
 [^ \]] +＃任何不是]的字符，1次或多次
）＃捕获结束
 \] \ s +＃关闭文字] 
（\ w +）＃下一次捕获：任何'单词'字符，1次或更多次
 / x; 
  
它的核心是否定字符类， [^ \]] 。它说：匹配任何一个字符（ [））不是（ ^ ）括号（ \] ），它需要被转义（ \ ）来表示文字字符。它后面的 + 意味着一次或多次次。例如 
 
 
  my $ str ='a5 _.-] B1'; 
 if（$ str =〜m /（[^ \]] +）/）{sayGot：$ 1} 
  
打印得到：a5 _.- 。直到第一个] 的所有内容都被匹配（并被捕获）。这是一种指定非贪婪匹配的方法，可以追溯到给定字符的第一个匹配项。请注意，像。+] 之类的内容会匹配上一次上一次 ] ，是贪婪。
 
 
 请参阅正则表达式教程。针对特定问题搜索SO，以及迷你教程。
 
I have the following script, originally written by @zdim and I tweaked it a bit.
#!/usr/bin/perl

use warnings;
use strict;

my $file = "/home/tsec/prototype/logs/extractedlogs/cowrieresult.log";
open (LOG, $file);

# Assemble results for required output in data structure:
# %rept = { $port => { $usr => { $status => $freq } };

my %testhash;#new code
my %rept;
my ($ip, $port);

while (my $line = <LOG>)
{
    if ($line =~ /New connection/) {
        ($ip, $port) = $line =~ /New connection:\s+([^:]+):(\d+)/;
        #new code here
        if($ip){
                $testhash{$ip}++;
        }
        #end
        next;
    }

    my ($usr, $status) =  $line =~ m/login\ attempt \s+ \[ ( [^\]]+ ) \] \s+ (\w+)/x;
    if ($usr and $status) {
        $rept{$port}{$usr}{$status}++;
    }
    else { warn "Line with an unexpected format:\n$line" }
}
#close(LOG);
#open (LOG, $file);
#my $frequency = 0;
#while (my $line = <LOG>){
#       if($line =~ /login attempt/){

        #split string, get the ip and match it with original $ip
#       my ($testip) = (split /[\s,:\[\]\/]+/, $line)[-6];
        #print "$testip\n";
        #this two lines above print ips from login attempt line.
#       if($testip =~ /$ip/){
#               $frequency++;
#       }
        #elsif($testip =~ /^(?!$ip)/) {
                # stop frequency counter and start another one?
        #       print "$frequency\n";
        #       $frequency = 0;
        #}

#       }
#}
#print "$frequency\n";
#close(LOG);

#new code
print "ConnectionsOnIP\n";
foreach my $ip (sort keys %testhash){
        print "$testhash{$ip}\n";
}

print "\n";

#new code
print "Port,Status,AttemptOnPort,AttemptsOnIP,Malicious\n";
foreach my $ip (sort keys %testhash){
foreach my $port (sort keys %rept) {
    foreach my $usr (sort keys %{$rept{$port}}) {
        foreach my $stat ( sort keys %{$rept{$port}{$usr}} ) {
                if($port ne ""){
            print "$port,$stat,$rept{$port}{$usr}{$stat},$testhash{$ip}\n";
                }
        }
   }

}
}
#new code
As can be seen, I want to have the desired output which is working at the moment except for the last variable(AttemptsOnIP) I want the AttemptsOnIP variable to do what the AttemptsOnPort does to some extent:
Port,Status,AttemptsOnPort,ConnectionsOnIP,Malicious
15853,failed,4,18
15853,succeeded,4,18
18693,failed,1,18
18942,failed,1,18
18942,succeeded,1,18
31130,succeeded,1,18
43041,failed,1,18
43041,succeeded,1,18
46321,failed,1,18
46321,succeeded,1,18
47417,failed,3,18
47417,succeeded,3,18
48713,failed,1,18
48713,succeeded,1,18
53653,failed,1,18
53653,succeeded,1,18
60563,failed,1,18
60563,succeeded,1,18
I created a hash called testhash and passed it the ip variable to increment it. Now I want to increment this hashed variable depending on the IP of a single line of output. This is the logfile:
2016-05-02 10:20:56+0000 [SSHService ssh-userauth on HoneyPotTransport,14,183.3.202.172] login attempt [root/!@] failed
2016-05-02 10:20:57+0000 [SSHService ssh-userauth on HoneyPotTransport,15,183.3.202.172] login attempt [root/!@] failed
2016-05-02 10:20:57+0000 [SSHService ssh-userauth on HoneyPotTransport,14,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 10:20:58+0000 [SSHService ssh-userauth on HoneyPotTransport,15,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 10:43:32+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:55157 (172.17.0.5:2222) [session: 43283650]
2016-05-02 10:43:46+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:10319 (172.17.0.5:2222) [session: c7702f86]
2016-05-02 10:43:53+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:46321 (172.17.0.5:2222) [session: fe7bb804]
2016-05-02 10:43:57+0000 [SSHService ssh-userauth on HoneyPotTransport,17,183.3.202.172] login attempt [root/!@] failed
2016-05-02 10:43:58+0000 [SSHService ssh-userauth on HoneyPotTransport,17,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 10:43:59+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:18693 (172.17.0.5:2222) [session: d74eae96]
2016-05-02 10:44:02+0000 [SSHService ssh-userauth on HoneyPotTransport,18,183.3.202.172] login attempt [root/!@] failed
2016-05-02 10:44:03+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:31130 (172.17.0.5:2222) [session: 3bde7820]
2016-05-02 10:44:03+0000 [SSHService ssh-userauth on HoneyPotTransport,18,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 10:44:05+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:47417 (172.17.0.5:2222) [session: 3e177c02]
2016-05-02 10:44:06+0000 [SSHService ssh-userauth on HoneyPotTransport,19,183.3.202.172] login attempt [root/!@] failed
2016-05-02 10:44:09+0000 [SSHService ssh-userauth on HoneyPotTransport,19,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 10:44:10+0000 [SSHService ssh-userauth on HoneyPotTransport,21,183.3.202.172] login attempt [root/!@] failed
2016-05-02 10:44:11+0000 [SSHService ssh-userauth on HoneyPotTransport,21,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 10:44:13+0000 [SSHService ssh-userauth on HoneyPotTransport,20,183.3.202.172] login attempt [root/!@] failed
2016-05-02 10:44:14+0000 [SSHService ssh-userauth on HoneyPotTransport,20,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 11:06:55+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:13849 (172.17.0.5:2222) [session: b20915b6]
2016-05-02 11:07:06+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:61338 (172.17.0.5:2222) [session: cd38fe51]
2016-05-02 11:07:14+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:23048 (172.17.0.5:2222) [session: 01b12825]
2016-05-02 11:07:21+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:60563 (172.17.0.5:2222) [session: ad64232b]
2016-05-02 11:07:26+0000 [SSHService ssh-userauth on HoneyPotTransport,23,183.3.202.172] login attempt [root/!@] failed
2016-05-02 11:07:27+0000 [SSHService ssh-userauth on HoneyPotTransport,23,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 11:07:33+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:53653 (172.17.0.5:2222) [session: 9c48415b]
2016-05-02 11:07:41+0000 [SSHService ssh-userauth on HoneyPotTransport,26,183.3.202.172] login attempt [root/!@] failed
2016-05-02 11:07:47+0000 [SSHService ssh-userauth on HoneyPotTransport,26,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 11:12:25+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:18942 (172.17.0.5:2222) [session: a4dc4901]
2016-05-02 11:12:34+0000 [SSHService ssh-userauth on HoneyPotTransport,27,183.3.202.172] login attempt [root/!@] failed
2016-05-02 11:12:36+0000 [SSHService ssh-userauth on HoneyPotTransport,27,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 11:32:40+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:40091 (172.17.0.5:2222) [session: aeb36234]
2016-05-02 11:32:43+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:53505 (172.17.0.5:2222) [session: 9022c831]
2016-05-02 11:32:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:15131 (172.17.0.5:2222) [session: cf62fb9a]
2016-05-02 11:32:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 183.3.202.172:15853 (172.17.0.5:2222) [session: f2f6c254]
2016-05-02 11:32:50+0000 [SSHService ssh-userauth on HoneyPotTransport,28,183.3.202.172] login attempt [root/!@] failed
2016-05-02 11:32:52+0000 [SSHService ssh-userauth on HoneyPotTransport,28,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 11:32:55+0000 [SSHService ssh-userauth on HoneyPotTransport,29,183.3.202.172] login attempt [root/!@] failed
2016-05-02 11:32:55+0000 [SSHService ssh-userauth on HoneyPotTransport,30,183.3.202.172] login attempt [root/!@] failed
2016-05-02 11:32:56+0000 [SSHService ssh-userauth on HoneyPotTransport,30,183.3.202.172] login attempt [root/123456] succeeded
2016-05-02 11:32:57+0000 [SSHService ssh-userauth on HoneyPotTransport,31,183.3.202.172] login attempt [root/!@] failed
2016-05-02 11:32:59+0000 [SSHService ssh-userauth on HoneyPotTransport,31,183.3.202.172] login attempt [root/123456] succeeded
Therefore the output should be as follows for the first two lines
Port,Status,AttemptsOnPort,ConnectionsOnIP,Malicious
    15853,failed,4,(total no of times the IP using this port is seen in log, even if it used other ports)
    15853,succeeded,4,18

 解决方案 
This code prints a report in the following format. Remove (IP) field if undesired.
Port,Status,AttemptOnPort,(IP),ConnectionsOnIP
Such a line is printed for each user.  However, ConnectionsOnIP is the total number of this IP being seen for all users and ports. The code also prints a separate report on IP's alone. See comments about related questions.
use strict;
use warnings;

my $file = 'logfile.txt';
open my $fh_in, '<', $file;

# Assemble results for required output in data structure:
# %rept = {
#    $port => {
#       $ip => {
#           $usr => { 
#               $status => $freq 
#          },
#       },
#   },
# };
# Auxiliary: %ip_tot = { $ip => { $status => $freq } } 

my (%rept, %ip_tot);
my ($ip, $port);

while (my $line = <$fh_in>) 
{
    if ($line =~ /New connection/) {
        ($ip, $port) = $line =~ /New connection:\s+([^:]+):(\d+)/;
        next;
    }   
    elsif (!$ip or !$port) { next }  # First lines come before New connection

    my ($usr, $status) = $line =~ m/login attempt\s+\[([^\]]+)\]\s+(\w+)/;
    if ($usr and $status) {
        $rept{$port}{$ip}{$usr}{$status}++;
        $ip_tot{$ip}{$status}++;
    }   
    else { warn "Line with an unexpected format:\n$line" }
}

print "Port,Status,AttemptOnPort,(IP),ConnectionsOnIP\n";
foreach my $port (sort keys %rept) {
    foreach my $ip (sort keys %{$rept{$port}}) {
        foreach my $usr (sort keys %{$rept{$port}{$ip}}) {
            foreach my $stat ( sort keys %{$rept{$port}{$ip}{$usr}} ) { 
                print "$port,$stat,$rept{$port}{$ip}{$usr}{$stat}";
                print "$,(ip),$ip_tot{$ip}{$stat}\n"; 
            }   
        }   
    }   
}

print "\n";
print "IP,Status,Occurences\n";
foreach my $ip (sort keys %ip_tot) {
    foreach my $stat ( sort keys %{$ip_tot{$ip}} ) {
        print "$ip,$stat,$ip_tot{$ip}{$stat}\n"; 
    }
}
With the supplied input as logfile.txt this prints
Port,Status,AttemptOnPort,(IP),ConnectionsOnIP
15853,failed,4,(183.3.202.172),12
15853,succeeded,3,(183.3.202.172),11
18693,failed,1,(183.3.202.172),12
18942,failed,1,(183.3.202.172),12
18942,succeeded,1,(183.3.202.172),11
31130,succeeded,1,(183.3.202.172),11
46321,failed,1,(183.3.202.172),12
46321,succeeded,1,(183.3.202.172),11
47417,failed,3,(183.3.202.172),12
47417,succeeded,3,(183.3.202.172),11
53653,failed,1,(183.3.202.172),12
53653,succeeded,1,(183.3.202.172),11
60563,failed,1,(183.3.202.172),12
60563,succeeded,1,(183.3.202.172),11

IP,Status,Occurences
183.3.202.172,failed,12
183.3.202.172,succeeded,11




Regex explanation. This is valid code, courtesy of /x. The \s+ are ignored in comments.
my ($usr, $status) =  $line =~ m/ 
    login\ attempt \s+         # literal, serves as a 'post' to help matching 
    \[                         # literal [ within which our pattern is 
        (                      # start capture 
            [^\]]+             # any char which is not ], 1 or more times  
        )                      # end of capture 
    \] \s+                     # closing literal ] 
    (\w+)                      # next capture: any 'word' char, 1 or more times 
/x;
In the heart of this is the negated character class, [ ^\] ]. It says: match any one character ([...]) that is not (^) a bracket (\]), which needs to be escaped (\) to mean the literal character. The + behind it means one-or-more times. For example
my $str = 'a5_".-]B1'; 
if ($str =~ m/([^\]]+)/) { say "Got: $1" }
This prints Got: a5_".-. Everything up to the first ] is matched (and captured). This is one way to specify a non-greedy match, going up to the first occurrence of the given character.  Note that something like .+] would match everything up to the last ], it is greedy.

See the Regular Expressions Tutorial. Search SO for specific questions, for mini-tutorials as well.

                        这篇关于使用perl和散列数据结构从日志文件打印记录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！

查看全文

使用perl和散列数据结构从日志文件打印记录 [英] Print records from log file using perl and hash data structure

问题描述

相关文章

其他开发最新文章

热门教程

热门工具

登录关闭

使用perl和散列数据结构从日志文件打印记录 [英] Print records from log file using perl and hash data structure

问题描述

相关文章

其他开发最新文章

热门教程

热门工具

登录 关闭

登录关闭