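def follow_log(file, key):
    """Tail *file* forever and route each new line to the handler for *key*.

    Args:
        file: path of the log file to follow.
        key: log family to parse: 'virus', 'ids' or 'business'. Any other
            key still tails the file but no line matches a handler.

    Returns:
        None. Returns early, after printing a notice, when *file* does not
        exist. Otherwise never returns on its own: ``tailer.follow`` blocks
        for new lines, so the caller leaves only via an exception.
    """
    if not os.path.exists(file):
        print('没有找到该日志')
        return
    if key == 'virus':
        print('防病毒日志文件开始读取')
    elif key == 'ids':
        print('ids日志开始读取')

    # Column-drop specs handed to remove_arr (meaning defined there).
    virus_drop_cols = [1, 3, 4, 4, 4, 4]
    ids_drop_cols = [2, 3, 4, 4, 6]

    # Built once instead of once per line. The trusted-IP list is hard-coded;
    # TODO(review): move it to configuration.
    business_event = None
    if key == 'business':
        trust_ip = ['203.168.15.109']
        business_event = abnormal_business(ip=trust_ip, user='******')

    # `with` closes the handle that was previously opened and never closed.
    with open(file, encoding='utf-8', buffering=516) as log_fh:
        for line in tailer.follow(log_fh):
            if key == 'virus':
                fields = remove_arr(str_split(line, key), virus_drop_cols)
                # Length guard: a short/partial line would otherwise IndexError.
                if len(fields) > 4 and fields[4] == '查杀修复失败':
                    msg = virus_module(fields)
                    print(msg)
                    app.push_log(msg, 'virus')
            elif key == 'ids':
                fields = remove_arr(str_split(line, key), ids_drop_cols)
                # Both priorities are checked on the field; the original
                # compared the whole list to 'pri=4', which never matched.
                if len(fields) > 1 and fields[1] in ('pri=5', 'pri=4'):
                    msg = ids_module(fields)
                    print(msg)
                    app.push_log(msg, 'ids')
            elif key == 'business':
                business_event.is_dangerlogin(line)
                business_event.is_blockedauth(line)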
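def mon_dir(str, serverip):
    """Turn one 'MODIFY' line from the directory monitor into a config-change alert.

    Args:
        str: raw monitor output line. The parameter name shadows the builtin
            but is kept so existing callers keep working.
        serverip: address of the monitored host, used in the message and row.

    Side effects:
        Inserts a row into 'linux_log' via app.db_insert and pushes the
        message on the 'config_modify' channel.
    """
    def _q(value):
        # app.db_insert appears to splice this string into a VALUES clause
        # (the quoted '%s' format). The file name comes from the monitored
        # host, so a single quote in it is doubled to keep it inside its
        # literal. `format` is used because `str` is shadowed here.
        return "'%s'" % format(value).replace("'", "''")

    # Raw strings: "\s" / "\d" in a plain literal are invalid escapes and
    # only work by accident (Python keeps the backslash).
    filename_re = r".*\s(.+)\sMODIFY.*"
    time_re = r"(\d{2}[/]\d{2}[/]\d{2}\s\d{2}[:]\d{2})"
    mod_time = re_handle(time_re, str)
    filename = re_handle(filename_re, str)
    msg = "警告:%s 探测到目标服务器 %s 关键配置 %s 变更! " % (mod_time, serverip, filename)
    data = ",".join(_q(v) for v in (serverip, mod_time, msg, '关键配置变更'))
    app.db_insert('linux_log', data)
    app.push_log(msg, 'config_modify')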
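def is_blockedauth(self, str):
    """Alert on a login attempt against an account the business system has locked.

    Args:
        str: raw business-log line (name kept for callers; shadows the builtin).

    Lines without '已锁定账户' are ignored. Pushes the message on the
    'business' channel; returns None either way.
    """
    if '已锁定账户' not in str:
        return
    # Bracketed account name. The original pattern "[(.+)]" was a character
    # class with no capture group; the brackets are escaped here —
    # TODO(review): confirm against a real locked-account line.
    blockeduser_re = r".*\[(.+)\].*"
    blockeduser = re_handle(blockeduser_re, str)
    current_time = datetime.datetime.now()
    msg = "%s警告:业务系统发生对已锁定账户 %s 的登陆行为" % (current_time, blockeduser)
    print(msg)
    app.push_log(msg, 'business')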
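def is_dangerlogin(self, str):
    """Alert when a 'manager' login line comes from an address outside self.trust_ip.

    Args:
        str: raw business-log line (name kept for callers; shadows the builtin).

    Lines without 'manager' are ignored. A login from a trusted address only
    prints a notice; a login from any other extracted address is pushed on
    the 'business' channel. Lines where no address can be extracted are
    silently skipped, as before.
    """
    if 'manager' not in str:
        return
    ip_re = r".*(\d{2,3}[.]\d{2,3}[.]\d{2,3}[.]\d{2,3}).*"
    date_re = r".*(\d{2}[/].*\d{4}[:]\d{2}[:]\d{2}[:]\d{2}).*"
    ip = re_handle(ip_re, str)
    if ip in self.trust_ip:
        print('合法IP登陆业务系统成功')
        return
    if not ip:
        return
    date = re_handle(date_re, str)
    # The original left the two %s placeholders unfilled (and `date` unused).
    msg = "%s警告:业务系统发生来自%s应用账号异常IP登陆成功" % (date, ip)
    print(msg)
    app.push_log(msg, 'business')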
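def module_login(str, serverip):
    """Classify one auth-log line from *serverip* and raise the matching alert.

    Three kinds of line are recognised, checked in this order:
      * 'Failed password' (破解行为): brute-force tracking. The module-level
        globals repeat_ls / count / start_time carry state across calls:
        repeat_ls holds [serverip, entry, srcip] triples seen in the current
        window, count the number of repeats, start_time the window's hour.
      * 'Accepted password' (登陆成功): successful password login.
      * 'telnet': telnet login.
    Any other line is ignored.

    Args:
        str: raw log line (name kept for callers; shadows the builtin).
        serverip: the monitored host the line came from.

    Side effects: prints, app.db_insert rows, app.push_log on 'login'.
    """
    global repeat_ls, count, start_time

    ip_re = r".*[\s:](\d{1,3}[.]\d{1,3}[.]\d{1,3}[.]\d{1,3}).*"
    # Alternation, not a character class: "[ssh|vnc|rdp]{3,5}" matched any
    # 3-5 letters drawn from that set ("sshd", "rss", ...). Greedy .* keeps
    # the last occurrence, e.g. the "ssh" in a trailing "ssh2".
    entry_re = r".*(ssh|vnc|rdp).*"
    auth_user_re = r".*for.{1}(.+).{1}from.*"
    # Same fix for the month abbreviation.
    cureent_time_re = (
        r"((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s.+?)\s.*"
    )

    def _q(value):
        # app.db_insert appears to splice this string into a VALUES clause.
        # The user name and source address are taken from the log line, i.e.
        # chosen by whoever is attempting the login, so single quotes are
        # doubled to keep each value inside its literal. `format` is used
        # because `str` is shadowed here.
        return "'%s'" % format(value).replace("'", "''")

    if 'Failed password' in str:
        # 破解行为事件 — brute-force attempt
        srcip = re_handle(ip_re, str)
        entry = re_handle(entry_re, str)
        auth_user = re_handle(auth_user_re, str)
        cureent_time = time_format(re_handle(cureent_time_re, str))
        tmp_ls = [serverip, entry, srcip]
        print(tmp_ls)
        if tmp_ls in repeat_ls:
            count += 1
            if count >= 5:
                print(count)
                msg = ("警告:%s 主机%s受到来自%s的%s登陆对用户%s破解行为 次数%s次"
                       % (cureent_time, serverip, srcip, entry, auth_user, count))
                data = ",".join(_q(v) for v in (serverip, cureent_time, msg, count))
                data2 = ",".join(_q(v) for v in (srcip, cureent_time, msg, '破解行为'))
                app.db_insert('破解行为', data)
                app.db_insert('所有告警日志', data2)
                print(msg)
                app.push_log(msg, 'login')
        else:
            repeat_ls.append(tmp_ls)
            print(repeat_ls)
        # Roll the de-duplication window every 3 hours. Modulo 24 so that a
        # window opened late in the evening still closes after midnight (the
        # plain difference went negative and never reached 3).
        now_hour = parser.parse(cureent_time).strftime('%H')
        if (int(now_hour) - int(start_time)) % 24 >= 3:
            repeat_ls.clear()
            # The repeat counter belongs to the window just cleared; without
            # this reset every later repeat stayed at >= 5 and re-alerted.
            count = 0
            start_time = now_hour
            print(start_time)
    elif 'Accepted password' in str:
        # 登陆成功事件 — successful password login
        srcip = re_handle(ip_re, str)
        entry = re_handle(entry_re, str)
        cureent_time = time_format(re_handle(cureent_time_re, str))
        msg = "警告:%s 主机%s 受到来自%s的%s登陆成功!" % (cureent_time, serverip, srcip, entry)
        data = ",".join(_q(v) for v in (serverip, cureent_time, msg, '%s登陆成功' % entry))
        app.db_insert('linux_log', data)
        print(msg)
        app.push_log(msg, 'login')
    elif 'telnet' in str:
        # telnet登陆事件 — telnet login
        cureent_time = time_format(re_handle(cureent_time_re, str))
        srcip = re_handle(ip_re, str)
        msg = "警告: %s 主机 %s 收到来自%s 的telnet登陆" % (cureent_time, serverip, srcip)
        data = ",".join(_q(v) for v in (serverip, cureent_time, msg, 'telnet登陆'))
        app.db_insert('linux_log', data)
        print(msg)
        app.push_log(msg, 'login')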
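def is_erroraddr(self, str):
    """Alert when a login line carries a source address outside the private ranges.

    私有地址段 (private ranges, as listed in the original comment):
        10.0.0.0   - 10.255.255.255
        172.16.0.0 - 172.31.255.255
        192.168.0.0 - 192.168.255.255
    The original only ever tested the first octet against '10', so the
    172.16/12 and 192.168/16 branches could never match; the check is now
    done with the ipaddress module against those three networks.

    Args:
        str: raw business-log line (name kept for callers; shadows the builtin).

    Lines with no extractable address are skipped. Addresses that are not
    valid IPv4 (e.g. an octet above 255) are treated as non-internal and
    alerted on, matching the previous behaviour for any non-10.x prefix.
    """
    import ipaddress  # local import: the file's import block is outside this view

    ip_re = r".*?(\d{1,3}[.]\d{1,3}[.]\d{1,3}[.]\d{1,3}).*"
    # Bracketed user name. The original "[(.+)]" was a character class with
    # no capture group — TODO(review): confirm against a real log line.
    user_re = r".*\[(.+)\].*"
    ip = re_handle(ip_re, str)
    if not ip:
        return
    user = re_handle(user_re, str)

    private_nets = (
        ipaddress.ip_network('10.0.0.0/8'),
        ipaddress.ip_network('172.16.0.0/12'),
        ipaddress.ip_network('192.168.0.0/16'),
    )
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        addr = None
    if addr is not None and any(addr in net for net in private_nets):
        return

    now_time = datetime.datetime.now()
    msg = "%s警告: 用户 %s 登陆的地址为非内网IP %s" % (now_time, user, ip)
    print(msg)
    app.push_log(msg, 'business')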
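def link_server_client(serverip, user, pwd, cmd, key):
    """Run *cmd* on *serverip* over SSH and feed its output to the *key* handler.

    Args:
        serverip: host to connect to (port 22, password auth, 10 s timeout).
        user, pwd: SSH credentials.
        cmd: remote command whose output is streamed back.
        key: selects the handler in _dispatch_recv ('auth', 'mondir',
            'custom', 'ids', 'virus', 'bussiness', 'monlinux_usage',
            'monwin_usage').

    Returns:
        None. Prints a failure notice and returns if the connection or
        authentication fails. Otherwise loops until the remote command
        exits or Ctrl-C is caught; the SSH client is closed on every path.

    Note: output is read in 1024-byte chunks, which are not line-aligned,
    so a handler may receive a partial line — TODO(review): confirm the
    handlers tolerate that.
    """
    print('--开始链接服务器%s' % serverip)
    client = paramiko.SSHClient()
    # Load ~/.ssh/known_hosts first so a host whose key has changed is
    # rejected (BadHostKeyException, caught below) instead of silently
    # accepted. Unknown hosts are still auto-added (trust on first use),
    # which leaves the very first connection unverified.
    # TODO(review): ship a pinned known_hosts file and use RejectPolicy.
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    print('--开始认证--')
    try:
        client.connect(serverip, 22, username=user, password=pwd, timeout=10)
    except Exception:
        print("服务器%s连接失败" % serverip)
        client.close()
        return
    print('--认证成功--')
    try:
        transport = client.get_transport()  # 返回SSH的连接对象
        channel = transport.open_session()  # 创建管道
        channel.get_pty()  # 激活一个终端
        channel.exec_command(cmd)
        while not channel.exit_status_ready():
            try:
                readable, _, _ = select.select([channel], [], [])  # select io处理模块
                if readable:
                    # 'ignore' drops undecodable bytes rather than raising.
                    recv = channel.recv(1024).decode('utf-8', 'ignore')
                    _dispatch_recv(recv, serverip, key)
            except KeyboardInterrupt:  # 遇到Control-C就退出
                print("Caught Control-C")
                channel.send("\x03")
                channel.close()
                # The original fell back into the loop on a closed channel.
                break
    finally:
        client.close()


def _usage_alert(serverip, os_label, resource, push_channel):
    """Record a resource-threshold alert for *serverip* and push it on *push_channel*.

    os_label is 'linux' or 'win', resource is '内存' or 'cpu'; the row label
    is resource + '异常'. The push channels ('ids' for linux, 'virus' for
    win) are kept exactly as the original code used them.
    """
    current_time = datetime.datetime.now()
    msg = "警告:%s %s主机%s %s使用异常超出阈值!" % (current_time, os_label, serverip, resource)
    data = "'%s','%s','%s','%s'" % (serverip, current_time, msg, resource + '异常')
    app.db_insert('所有告警日志', data)
    app.push_log(msg, push_channel)


def _dispatch_recv(recv, serverip, key):
    """Route one decoded output chunk to the handler selected by *key*.

    Every chunk is appended to 'log <serverip> .txt' via file_save after the
    handler runs. NOTE(review): the flattened source left the indentation of
    that call ambiguous; it is read here as applying to all keys.
    """
    if key == 'auth':
        module_login(recv, serverip)
    elif key == 'mondir':
        mon_dir(recv, serverip)
    elif key == 'custom':
        app.push_log('服务器%s连接成功' % serverip, 'connect')
        app.push_log(recv, 'login')
    elif key == 'ids':
        fields = remove_arr(str_split(recv, key), [2, 3, 4, 4, 6])
        # Both priorities are checked on the field; the original compared
        # the whole list to 'pri=4', which never matched.
        if len(fields) > 1 and fields[1] in ('pri=5', 'pri=4'):
            msg = ids_module(fields)
            print(msg)
            app.push_log(msg, 'ids')
    elif key == 'virus':
        fields = remove_arr(str_split(recv, key), [1, 3, 4, 4, 4, 4])
        if len(fields) > 4 and fields[4] == '查杀修复失败':
            msg = virus_module(fields)
            print(msg)
            app.push_log(msg, 'virus')
    elif key == 'bussiness':  # sic — this spelling is what callers pass
        pass
    elif key == 'monlinux_usage':
        if 'mem warning' in recv:
            print(recv)
            _usage_alert(serverip, 'linux', '内存', 'ids')
        elif 'cpu warning' in recv:
            _usage_alert(serverip, 'linux', 'cpu', 'ids')
        print(recv)
    elif key == 'monwin_usage':
        if 'mem' in recv:
            _usage_alert(serverip, 'win', '内存', 'virus')
        elif 'cpu' in recv:
            _usage_alert(serverip, 'win', 'cpu', 'virus')
        print(recv)
    file_save(recv, 'log %s .txt' % (serverip))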