Counting the frequency of separate IP entries in Perl
I have the following log file, and I want to output the frequency of particular IP addresses that appear in the file:
2016-04-29 15:08:47+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:34826 (172.17.0.2:2222) [session: c9d2f438]
2016-04-29 15:08:48+0000 [SSHService ssh-userauth on HoneyPotTransport,10,159.122.123.181] login attempt [root/password] succeeded
2016-04-29 15:08:56+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:51999 (172.17.0.2:2222) [session: 57235446]
2016-04-29 15:08:56+0000 [SSHService ssh-userauth on HoneyPotTransport,11,159.122.123.181] login attempt [root/toor] failed
2016-04-29 15:08:57+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:46466 (172.17.0.2:2222) [session: 03862a50]
2016-04-29 15:09:00+0000 [SSHService ssh-userauth on HoneyPotTransport,12,159.122.123.181] login attempt [root/unix] failed
2016-04-29 15:09:02+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:56756 (172.17.0.2:2222) [session: 9b8cd979]
2016-04-29 15:09:03+0000 [SSHService ssh-userauth on HoneyPotTransport,13,159.122.123.181] login attempt [root/test123] failed
2016-04-29 15:09:04+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:50215 (172.17.0.2:2222) [session: 2e68b87e]
2016-04-29 15:09:07+0000 [SSHService ssh-userauth on HoneyPotTransport,14,159.122.123.181] login attempt [root/toor123] failed
2016-04-29 15:09:08+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:58407 (172.17.0.2:2222) [session: f8d1d9ae]
2016-04-29 15:09:12+0000 [SSHService ssh-userauth on HoneyPotTransport,15,159.122.123.181] login attempt [shell/shell] failed
2016-04-29 15:09:13+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:48225 (172.17.0.2:2222) [session: 091fcb7e]
2016-04-29 15:09:17+0000 [SSHService ssh-userauth on HoneyPotTransport,16,159.122.123.181] login attempt [admin/root] failed
2016-04-29 15:09:18+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:35815 (172.17.0.2:2222) [session: 49ad22eb]
2016-04-29 15:09:20+0000 [SSHService ssh-userauth on HoneyPotTransport,17,159.122.123.181] login attempt [root/admin] succeeded
2016-04-29 15:09:27+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:58114 (172.17.0.2:2222) [session: e214b2c4]
2016-04-29 15:09:28+0000 [SSHService ssh-userauth on HoneyPotTransport,18,159.122.123.181] login attempt [admin/admin] succeeded
2016-04-29 15:09:35+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:45180 (172.17.0.2:2222) [session: 61c00c6c]
2016-04-29 15:09:36+0000 [SSHService ssh-userauth on HoneyPotTransport,19,159.122.123.181] login attempt [guest/guest123] failed
2016-04-29 15:09:38+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:37525 (172.17.0.2:2222) [session: d19434e3]
2016-04-29 15:09:42+0000 [SSHService ssh-userauth on HoneyPotTransport,20,159.122.123.181] login attempt [root/webmaster] failed
2016-04-29 15:09:43+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:36967 (172.17.0.2:2222) [session: de78048a]
2016-04-29 15:09:44+0000 [SSHService ssh-userauth on HoneyPotTransport,21,159.122.123.181] login attempt [admin/administrator] failed
2016-04-29 15:09:45+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:56465 (172.17.0.2:2222) [session: 58eeea98]
2016-04-29 15:09:47+0000 [SSHService ssh-userauth on HoneyPotTransport,22,159.122.123.181] login attempt [mysql/mysql] failed
2016-04-29 15:09:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:51145 (172.17.0.2:2222) [session: 905c8982]
2016-04-29 15:09:50+0000 [SSHService ssh-userauth on HoneyPotTransport,23,159.122.123.181] login attempt [root/shell] failed
2016-04-29 15:09:51+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:54406 (172.17.0.2:2222) [session: c6f21bfe]
2016-04-29 15:09:53+0000 [SSHService ssh-userauth on HoneyPotTransport,24,159.122.123.181] login attempt [guest/guest] failed
2016-04-29 15:09:55+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:58764 (172.17.0.2:2222) [session: 167d51cf]
2016-04-29 15:09:56+0000 [SSHService ssh-userauth on HoneyPotTransport,25,159.122.123.181] login attempt [root/linux] failed
2016-04-29 15:09:58+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:57158 (172.17.0.2:2222) [session: daa3fc72]
2016-04-29 15:10:01+0000 [SSHService ssh-userauth on HoneyPotTransport,26,159.122.123.181] login attempt [unix/unix] failed
2016-04-29 15:15:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:42359 (172.17.0.2:2222) [session: 930332a7]
2016-04-29 15:15:50+0000 [SSHService ssh-userauth on HoneyPotTransport,27,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 15:56:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:46055 (172.17.0.2:2222) [session: 3b8d22b5]
2016-04-29 15:56:49+0000 [SSHService ssh-userauth on HoneyPotTransport,28,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 16:11:14+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 52.28.89.99:53059 (172.17.0.2:2222) [session: a6c0fac1]
2016-04-29 16:17:42+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 13.92.114.157:1032 (172.17.0.2:2222) [session: d33e1566]
2016-04-29 19:07:10+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:45178 (172.17.0.6:2222) [session: fafec37d]
2016-04-29 19:07:10+0000 [SSHService ssh-userauth on HoneyPotTransport,0,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 19:42:58+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:56925 (172.17.0.6:2222) [session: 539960a3]
2016-04-29 19:42:58+0000 [SSHService ssh-userauth on HoneyPotTransport,1,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 20:39:03+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:54138 (172.17.0.6:2222) [session: b9f550df]
2016-04-29 20:39:03+0000 [SSHService ssh-userauth on HoneyPotTransport,2,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 21:13:41+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 141.8.83.213:64400 (172.17.0.6:2222) [session: e696835c]
2016-04-29 21:13:59+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test123] failed
2016-04-29 21:14:10+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test1234] failed
2016-04-29 21:14:13+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test123] failed
This is the Perl script I have so far, kindly provided by @zdim in a previous post and tweaked a bit, as shown below:
#!/usr/bin/perl
use warnings;
use strict;

my $file = "/home/tsec/prototype/logs/extractedlogs/cowrieresult.log";
open (LOG, $file);

# Assemble results for required output in data structure:
# %rept = { $port => { $usr => { $status => $freq } };
my $frequency = 0;
my %rept;
my ($ip, $port);

while (my $line = <LOG>)
{
    if ($line =~ /New connection/) {
        ($ip, $port) = $line =~ /New connection:\s+([^:]+):(\d+)/;
        next;
    }
    my ($usr, $status) = $line =~ m/login\ attempt \s+ \[ ([^\]]+) \] \s+ (\w+)/x;
    if ($usr and $status) {
        $rept{$port}{$usr}{$status}++;
    }
    else { warn "Line with an unexpected format:\n$line" }
}
close(LOG);

open (LOG, $file);
while (my $line = <LOG>){
    if($line =~ /login attempt/){
        #split string, get the ip and match it with original $ip
        my ($testip) = (split /[\s,:\[\]\/]+/, $line)[-6];
        #print "$testip\n";
        #this two lines above print ips from login attempt line.
        if($testip =~ /$ip/){
            $frequency++;
        }
        else {
            # stop frequency counter and start another one?
            print "$frequency\n";
            $frequency = 0;
        }
    }
}
print "$frequency\n";
close(LOG);
At the moment the output is as follows; it works for the last three entries in the log file, since the IP is seen 3 times at the end:
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
3
What am I doing wrong? I appreciate all your help. Thanks
What is the expected output for this sample data? – bart
Is your second 'while' only there to print the frequencies? You already have that in the hash from my previous post, and correctly for this input. In the last line of the nested 'foreach', where the results are printed, you can print just the frequencies: 'print "$rept{$port}{$usr}{$stat}\n"'. Then you don't need the second 'while'. (I need to write an explanation for that post and will do so.) Does this answer the question? If not, please clarify. – zdim
Yes, the sole purpose is printing the frequencies **based on IP**, as opposed to the other post, which is based on the source port. I want to know how the hash works, so I'll wait for your explanation on the previous post. Thank you very much. If you see my comment on the other post, I would also like, if possible, to count the number of occurrences of the IP per se, so that I can pass on the port, the status, the occurrences of the usr/pass combo per IP, and the no. of occurrences of the IP itself – firepro20
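The per-IP count discussed in the question and comments, as an added example that is not code from any of the posters: a single pass that keys the hash by source IP and reads the IP from each login line's own transport tag, so interleaved sessions are attributed correctly. The hash layout, the `connections`/`attempts` keys and the sample lines under `__DATA__` (documentation-range IPs) are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed layout (not from the original post):
# %rept = ( $ip => { connections => N, attempts => { "usr/pass" => { $status => N } } } )
my %rept;

# Read the log named on the command line, or the constructed sample under __DATA__.
my $fh;
if (@ARGV) { open($fh, '<', $ARGV[0]) or die "Cannot open $ARGV[0]: $!" }
else       { $fh = \*DATA }

while (my $line = <$fh>) {
    # Connection line: count one connection for the source IP.
    if ($line =~ /New connection:\s+([^:\s]+):\d+\s/) {
        $rept{$1}{connections}++;
    }
    # Login line: take the IP from this line's own transport tag, so sessions
    # from different hosts that interleave in the log are not mixed up. The
    # greedy (.*) keeps passwords that contain ']' or '/' intact.
    elsif ($line =~ /HoneyPotTransport,\d+,([^\]\s]+)\]\s+login attempt\s+\[(.*)\]\s+(succeeded|failed)\s*$/) {
        $rept{$1}{attempts}{$2}{$3}++;
    }
}

for my $ip (sort keys %rept) {
    my $att   = $rept{$ip}{attempts} || {};
    my $total = 0;
    for my $by_status (values %$att) { $total += $_ for values %$by_status }
    printf "%s connections=%d login_attempts=%d\n",
        $ip, $rept{$ip}{connections} || 0, $total;
    for my $cred (sort keys %$att) {
        printf "    %-20s %-9s %d\n", $cred, $_, $att->{$cred}{$_}
            for sort keys %{ $att->{$cred} };
    }
}

__DATA__
2016-04-29 15:08:47+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 192.0.2.10:34826 (172.17.0.2:2222) [session: 00000001]
2016-04-29 15:08:47+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 198.51.100.7:42359 (172.17.0.2:2222) [session: 00000002]
2016-04-29 15:08:48+0000 [SSHService ssh-userauth on HoneyPotTransport,10,192.0.2.10] login attempt [root/password] succeeded
2016-04-29 15:08:49+0000 [SSHService ssh-userauth on HoneyPotTransport,11,198.51.100.7] login attempt [root/root] succeeded
2016-04-29 15:08:56+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 192.0.2.10:51999 (172.17.0.2:2222) [session: 00000003]
2016-04-29 15:08:56+0000 [SSHService ssh-userauth on HoneyPotTransport,12,192.0.2.10] login attempt [root/toor] failed
2016-04-29 15:08:58+0000 [SSHService ssh-userauth on HoneyPotTransport,12,192.0.2.10] login attempt [root/toor] failed
```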