2016-04-23 5 views
0

Data duplication when extracting from a log file with Perl

This is the content of the log file I have:

2016-04-22 14:19:44+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 185.103.252.14:47122 (172.17.0.2:2222) [session: 799f0f37] 
2016-04-22 14:19:45+0000 [SSHService ssh-userauth on HoneyPotTransport,15,185.103.252.14] login attempt [admin/1234] succeeded 
2016-04-22 14:19:51+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 185.103.252.14:43500 (172.17.0.2:2222) [session: 687010b3] 
2016-04-22 14:19:52+0000 [SSHService ssh-userauth on HoneyPotTransport,16,185.103.252.14] login attempt [admin/12345] failed 
2016-04-22 14:55:45+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 203.160.130.217:60302 (172.17.0.2:2222) [session: d3f90a34] 
2016-04-22 14:55:45+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 203.160.130.217:60304 (172.17.0.2:2222) [session: 636c7144] 
2016-04-22 14:55:45+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 203.160.130.217:60303 (172.17.0.2:2222) [session: d5956265] 
2016-04-22 14:56:01+0000 [SSHService ssh-userauth on HoneyPotTransport,17,203.160.130.217] login attempt [root/password] succeeded 
2016-04-22 14:56:01+0000 [SSHService ssh-userauth on HoneyPotTransport,18,203.160.130.217] login attempt [root/123456] succeeded 
2016-04-22 14:56:02+0000 [SSHService ssh-userauth on HoneyPotTransport,19,203.160.130.217] login attempt [root/123456] succeeded 

Using a Perl script, I want to output the source IP and source port whenever a line is a "New connection" line. This is the script I have so far:

sub cowrieExtractor(){ 

     # 2-arg open: $cowrie must carry the '>' write mode (e.g. ">out.csv"), otherwise the prints below have nowhere to go
     open(FILE2, $cowrie) or die "Can't open '$cowrie': $!"; 
     #  print FILE2 "SourceIP,SourcePort\n"; 

     # Cowrie log to read
     open(LOG2, $path2) or die "Can't open '$path2': $!"; 
     #while(my $lines = <LOG2>){ 

     #my @x = split /[\s:()]+/,$lines; 
     #print FILE2 join "\n", @x; 

     #my ($ip, $port) = (split /[\s:()]+/,$lines)[9,10]; 

     #print FILE2 join ",",($ip, $port); 
     #print FILE2 "\n"; 

     #we need to out the Source IP, Source Port from New Connection & user/pass from login attempt #use pattern matching if 

     #} 
     #To output user and password of login attempt, set $ip variable to the contents of array at that x position of new 
     #connection to match the ip of the login attempt 
     my $ip = ""; 
     my $port = ""; 

     while(my $lines = <LOG2>){ 

       if($lines =~ /New connection/){ 
         # fields 7 and 8 after splitting on brackets, whitespace, ':' and parentheses are the source IP and port
         ($ip, $port) = (split /[\[\]\s:()]+/, $lines)[7,8]; 
       } 
       #elsif($lines =~ /login attempt/){#and the ip of the new connection 

       #my($usr, $pass, $status) = (split /[\s:\[\]\/]+/, $lines)[,-1] 

       #} 

       # runs once per log line, not only for "New connection" lines
       print FILE2 join ",",($ip, $port); 
       print FILE2 "\n"; 

     } 

     close(LOG2); 
     close(FILE2); 
} 

And this is the output in the CSV file:

185.103.252.14,47122 
185.103.252.14,47122 
185.103.252.14,43500 
185.103.252.14,43500 
203.160.130.217,60302 
203.160.130.217,60304 
203.160.130.217,60303 
203.160.130.217,60303 
203.160.130.217,60303 
203.160.130.217,60303 

I have some logic or syntax wrong somewhere. Thanks for the help.

+2

Put the print inside the if bracket. – sigmalha

+0

@sigmalha yes, that did it, thanks – firepro20

Answer

-1

As @sigmalha correctly identified, the print part was misplaced.
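The following Perl script is an added illustration of the fix and is neither the poster's script nor the answerer's code. It moves the print into the branch that actually matched, so only "New connection" lines produce an IP/port row, and it also extracts user, password and result from the "login attempt" lines the poster's comments mention. The `csv_field` helper, the `Event` column layout and the use of `__DATA__` to embed the sample lines from the question are my own choices; the log format is assumed to be exactly the one shown above.

```perl
#!/usr/bin/perl
# Added example, not the original poster's or the answerer's code: the print
# moves inside the branch that matched, and login attempts are parsed as well.
use strict;
use warnings;

# Quote one CSV field. Usernames and passwords come straight from the attacker,
# so commas, quotes or newlines in them must not break the column layout.
sub csv_field {
    my ($v) = @_;
    $v = '' unless defined $v;
    return $v unless $v =~ /[",\r\n]/;
    $v =~ s/"/""/g;
    return qq("$v");
}

# Read Cowrie log lines from $log and write CSV rows to $csv (both are
# filehandles). Returns the number of data rows written.
sub cowrieExtractor {
    my ($log, $csv) = @_;
    my $rows = 0;

    print $csv "Event,SourceIP,SourcePort,User,Password,Status\n";

    while (my $line = <$log>) {
        chomp $line;

        if ($line =~ /New connection: (\S+):(\d+) \(/) {
            # Only a "New connection" line carries the source port, so the
            # print belongs here, not after the if/elsif.
            my ($ip, $port) = ($1, $2);
            print $csv join(',', 'new_connection', $ip, $port, '', '', ''), "\n";
            $rows++;
        }
        elsif ($line =~ m{HoneyPotTransport,\d+,(\S+)\] login attempt \[([^/]*)/(.*)\] (succeeded|failed)\s*$}) {
            # A login line names the peer IP itself but not the port. Taking the
            # IP from the line avoids attributing the attempt to whichever
            # connection was logged last, which goes wrong when one IP opens
            # several sessions at once (203.160.130.217 below opens three).
            my ($ip, $user, $pass, $status) = ($1, $2, $3, $4);
            print $csv join(',', 'login', $ip, '', csv_field($user), csv_field($pass), $status), "\n";
            $rows++;
        }
        # Any other line produces no row at all.
    }
    return $rows;
}

# Demo: parse the sample lines from the question, embedded below under
# __DATA__, and write the CSV to standard output. For real files use e.g.
#   open(my $log, '<', $path2)  or die "Can't open '$path2': $!";
#   open(my $csv, '>', $cowrie) or die "Can't open '$cowrie': $!";
#   cowrieExtractor($log, $csv);
my $n = cowrieExtractor(\*DATA, \*STDOUT);
print STDERR "wrote $n rows\n";

__DATA__
2016-04-22 14:19:44+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 185.103.252.14:47122 (172.17.0.2:2222) [session: 799f0f37]
2016-04-22 14:19:45+0000 [SSHService ssh-userauth on HoneyPotTransport,15,185.103.252.14] login attempt [admin/1234] succeeded
2016-04-22 14:19:51+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 185.103.252.14:43500 (172.17.0.2:2222) [session: 687010b3]
2016-04-22 14:19:52+0000 [SSHService ssh-userauth on HoneyPotTransport,16,185.103.252.14] login attempt [admin/12345] failed
2016-04-22 14:55:45+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 203.160.130.217:60302 (172.17.0.2:2222) [session: d3f90a34]
2016-04-22 14:55:45+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 203.160.130.217:60304 (172.17.0.2:2222) [session: 636c7144]
2016-04-22 14:55:45+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 203.160.130.217:60303 (172.17.0.2:2222) [session: d5956265]
2016-04-22 14:56:01+0000 [SSHService ssh-userauth on HoneyPotTransport,17,203.160.130.217] login attempt [root/password] succeeded
2016-04-22 14:56:01+0000 [SSHService ssh-userauth on HoneyPotTransport,18,203.160.130.217] login attempt [root/123456] succeeded
2016-04-22 14:56:02+0000 [SSHService ssh-userauth on HoneyPotTransport,19,203.160.130.217] login attempt [root/123456] succeeded
```

On the sample log this writes exactly ten data rows, one per event, with no duplicates: five `new_connection` rows carrying IP and port, and five `login` rows carrying IP, user, password and result. Parsing by regular expression rather than by positional `split` also keeps the script from silently emitting wrong columns if Cowrie changes the number of bracketed fields in a line.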