[Log Analysis] ICS Honeypot Log Analysis

Challenge: ICS security analysts deployed an ICS simulation honeypot on the Internet. The honeypot captures scanning activity aimed at industrial assets so it can be analysed, and adding source IPs that show high-risk scanning behaviour to the firewall blacklist effectively shrinks an industrial enterprise's Internet-facing attack surface. Identify the IP in the log that scanned the Siemens proprietary communication protocol the most, and analyse the organisation behind that scanning. The FLAG is that IP's domain name.
Attachment: honeypot.log

Script: find the IP in the log that scanned the Siemens proprietary protocol the most

# -*- coding:utf-8 -*-
import re
import os

def readIp():  # extract IP addresses from the log
    with open(r'honeypot.log', 'r') as f:
        for line in f.readlines():
            result2 = re.findall(r'[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}', line)  # IP address regex
            if not result2 == []:
                result = result2[0] + '\n'
                with open('ip.txt', 'a+') as w:
                    w.write(result)

def setIp():  # deduplicate
    a = 0
    readDir = "ip.txt"
    writeDir = "newip.txt"  # new
    lines_seen = set()
    outfile = open(writeDir, "w")
    f = open(readDir, "r")
    for line in f:
        if line not in lines_seen:
            a += 1
            outfile.write(line)
            lines_seen.add(line)
    print(a)  # number of unique IPs
    outfile.close()
    f.close()

def readDns():  # reverse DNS lookup of each unique IP
    with open(r'newip.txt', 'r') as g:
        for i in g.readlines():
            com = os.popen('nslookup %s' % i.strip())  # strip the trailing newline before calling nslookup
            comm = com.read()
            if comm.find('NXDOMAIN') == -1:  # only print IPs that actually have a PTR record
                print(comm)

if __name__ == '__main__':
    readIp()
    setIp()
    readDns()
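The script above extracts and deduplicates every IP in the file, but the challenge asks for the IP that scanned the Siemens protocol the most, which needs a per-IP count restricted to S7 traffic. The following is an added example (not the author's script and not the challenge's honeypot.log): it parses a few constructed log lines in an assumed `src=... dst_port=... proto=...` layout, counts only lines aimed at S7 (TCP/102 or `proto=s7comm`), returns the most active source, and does a PTR lookup that returns `None` instead of failing when no record exists. The field layout, the `SAMPLE_LOG` contents and the `resolver` hook are assumptions; adapt the regex to the real file's format.

```python
import re
import socket
from collections import Counter

# Constructed sample honeypot log lines (not from the challenge's honeypot.log).
# The field layout is an assumption; adjust LINE_RE to the real file's format.
SAMPLE_LOG = """\
2020-05-01 10:00:01 src=203.0.113.10 dst_port=102 proto=s7comm event=scan
2020-05-01 10:00:02 src=203.0.113.10 dst_port=102 proto=s7comm event=scan
2020-05-01 10:00:03 src=198.51.100.7 dst_port=502 proto=modbus event=scan
2020-05-01 10:00:04 src=198.51.100.7 dst_port=102 proto=s7comm event=scan
2020-05-01 10:00:05 src=203.0.113.10 dst_port=102 proto=s7comm event=scan
2020-05-01 10:00:06 src=192.0.2.55 dst_port=44818 proto=enip event=scan
2020-05-01 10:00:07 garbled line without an address
"""

# Siemens S7 runs over ISO-on-TCP, TCP port 102: the "proprietary protocol" of the challenge.
S7_PORT = 102
LINE_RE = re.compile(
    r'src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+dst_port=(?P<port>\d+)\s+proto=(?P<proto>\w+)'
)


def count_s7_scanners(log_text):
    """Counter of source IPs over lines that target S7 (port 102 or proto s7comm)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # skip lines that do not match the expected layout
        if int(m.group('port')) == S7_PORT or m.group('proto').lower() == 's7comm':
            counts[m.group('src')] += 1
    return counts


def top_s7_scanner(log_text):
    """IP with the most S7 scan lines, or None if the log holds no S7 traffic."""
    counts = count_s7_scanners(log_text)
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def reverse_lookup(ip, resolver=None):
    """PTR lookup for one IP; returns None rather than raising when no record exists.

    `resolver` (assumed hook) lets a caller substitute an offline mapping;
    the default is the standard library's socket.gethostbyaddr.
    """
    if resolver is None:
        resolver = lambda addr: socket.gethostbyaddr(addr)[0]
    try:
        return resolver(ip)
    except (OSError, KeyError):  # socket.herror/gaierror are OSError subclasses
        return None


if __name__ == '__main__':
    ip = top_s7_scanner(SAMPLE_LOG)
    print('most active S7 scanner:', ip, count_s7_scanners(SAMPLE_LOG)[ip])
    print('reverse DNS:', reverse_lookup(ip))
```

Counting only S7-targeted lines matters: an address that hammers Modbus or EtherNet/IP would otherwise dominate the total and give the wrong answer for this question. Passing a dictionary's `__getitem__` as `resolver` makes the PTR step testable without network access.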

NXDOMAIN explanation

Running the script
DNS resolution
I found this many IPs and resolved this many domain names, but I don't understand why it is this particular domain; according to other writeups it is… try the domain… I wanted to find a shortcut. Still have to keep learning.

  • Copyright: Copyright is owned by the author. For commercial reprints, please contact the author for authorization. For non-commercial reprints, please indicate the source.
  • Copyrights © 2020 Tyrant-K