0
Я следующий логфайл и я хочу, чтобы вывести частоту различных IP-адресов, которые находятся в файле:Подсчет частоты индивидуальный IP записей PERL
2016-04-29 15:08:47+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:34826 (172.17.0.2:2222) [session: c9d2f438]
2016-04-29 15:08:48+0000 [SSHService ssh-userauth on HoneyPotTransport,10,159.122.123.181] login attempt [root/password] succeeded
2016-04-29 15:08:56+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:51999 (172.17.0.2:2222) [session: 57235446]
2016-04-29 15:08:56+0000 [SSHService ssh-userauth on HoneyPotTransport,11,159.122.123.181] login attempt [root/toor] failed
2016-04-29 15:08:57+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:46466 (172.17.0.2:2222) [session: 03862a50]
2016-04-29 15:09:00+0000 [SSHService ssh-userauth on HoneyPotTransport,12,159.122.123.181] login attempt [root/unix] failed
2016-04-29 15:09:02+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:56756 (172.17.0.2:2222) [session: 9b8cd979]
2016-04-29 15:09:03+0000 [SSHService ssh-userauth on HoneyPotTransport,13,159.122.123.181] login attempt [root/test123] failed
2016-04-29 15:09:04+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:50215 (172.17.0.2:2222) [session: 2e68b87e]
2016-04-29 15:09:07+0000 [SSHService ssh-userauth on HoneyPotTransport,14,159.122.123.181] login attempt [root/toor123] failed
2016-04-29 15:09:08+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:58407 (172.17.0.2:2222) [session: f8d1d9ae]
2016-04-29 15:09:12+0000 [SSHService ssh-userauth on HoneyPotTransport,15,159.122.123.181] login attempt [shell/shell] failed
2016-04-29 15:09:13+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:48225 (172.17.0.2:2222) [session: 091fcb7e]
2016-04-29 15:09:17+0000 [SSHService ssh-userauth on HoneyPotTransport,16,159.122.123.181] login attempt [admin/root] failed
2016-04-29 15:09:18+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:35815 (172.17.0.2:2222) [session: 49ad22eb]
2016-04-29 15:09:20+0000 [SSHService ssh-userauth on HoneyPotTransport,17,159.122.123.181] login attempt [root/admin] succeeded
2016-04-29 15:09:27+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:58114 (172.17.0.2:2222) [session: e214b2c4]
2016-04-29 15:09:28+0000 [SSHService ssh-userauth on HoneyPotTransport,18,159.122.123.181] login attempt [admin/admin] succeeded
2016-04-29 15:09:35+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:45180 (172.17.0.2:2222) [session: 61c00c6c]
2016-04-29 15:09:36+0000 [SSHService ssh-userauth on HoneyPotTransport,19,159.122.123.181] login attempt [guest/guest123] failed
2016-04-29 15:09:38+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:37525 (172.17.0.2:2222) [session: d19434e3]
2016-04-29 15:09:42+0000 [SSHService ssh-userauth on HoneyPotTransport,20,159.122.123.181] login attempt [root/webmaster] failed
2016-04-29 15:09:43+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:36967 (172.17.0.2:2222) [session: de78048a]
2016-04-29 15:09:44+0000 [SSHService ssh-userauth on HoneyPotTransport,21,159.122.123.181] login attempt [admin/administrator] failed
2016-04-29 15:09:45+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:56465 (172.17.0.2:2222) [session: 58eeea98]
2016-04-29 15:09:47+0000 [SSHService ssh-userauth on HoneyPotTransport,22,159.122.123.181] login attempt [mysql/mysql] failed
2016-04-29 15:09:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:51145 (172.17.0.2:2222) [session: 905c8982]
2016-04-29 15:09:50+0000 [SSHService ssh-userauth on HoneyPotTransport,23,159.122.123.181] login attempt [root/shell] failed
2016-04-29 15:09:51+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:54406 (172.17.0.2:2222) [session: c6f21bfe]
2016-04-29 15:09:53+0000 [SSHService ssh-userauth on HoneyPotTransport,24,159.122.123.181] login attempt [guest/guest] failed
2016-04-29 15:09:55+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:58764 (172.17.0.2:2222) [session: 167d51cf]
2016-04-29 15:09:56+0000 [SSHService ssh-userauth on HoneyPotTransport,25,159.122.123.181] login attempt [root/linux] failed
2016-04-29 15:09:58+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:57158 (172.17.0.2:2222) [session: daa3fc72]
2016-04-29 15:10:01+0000 [SSHService ssh-userauth on HoneyPotTransport,26,159.122.123.181] login attempt [unix/unix] failed
2016-04-29 15:15:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:42359 (172.17.0.2:2222) [session: 930332a7]
2016-04-29 15:15:50+0000 [SSHService ssh-userauth on HoneyPotTransport,27,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 15:56:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:46055 (172.17.0.2:2222) [session: 3b8d22b5]
2016-04-29 15:56:49+0000 [SSHService ssh-userauth on HoneyPotTransport,28,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 16:11:14+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 52.28.89.99:53059 (172.17.0.2:2222) [session: a6c0fac1]
2016-04-29 16:17:42+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 13.92.114.157:1032 (172.17.0.2:2222) [session: d33e1566]
2016-04-29 19:07:10+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:45178 (172.17.0.6:2222) [session: fafec37d]
2016-04-29 19:07:10+0000 [SSHService ssh-userauth on HoneyPotTransport,0,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 19:42:58+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:56925 (172.17.0.6:2222) [session: 539960a3]
2016-04-29 19:42:58+0000 [SSHService ssh-userauth on HoneyPotTransport,1,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 20:39:03+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:54138 (172.17.0.6:2222) [session: b9f550df]
2016-04-29 20:39:03+0000 [SSHService ssh-userauth on HoneyPotTransport,2,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 21:13:41+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 141.8.83.213:64400 (172.17.0.6:2222) [session: e696835c]
2016-04-29 21:13:59+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test123] failed
2016-04-29 21:14:10+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test1234] failed
2016-04-29 21:14:13+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test123] failed
Это сценарий Perl у меня есть до сих пор, любезно обеспечивается @zdim in a previous post и отлажены немного, как показано ниже:
#!/usr/bin/perl
use warnings;
use strict;
my $file = "/home/tsec/prototype/logs/extractedlogs/cowrieresult.log";
open (LOG, $file);
# Assemble results for required output in data structure:
# %rept = { $port => { $usr => { $status => $freq } };
my $frequency = 0;
my %rept;
my ($ip, $port);
while (my $line = <LOG>)
{
if ($line =~ /New connection/) {
($ip, $port) = $line =~ /New connection:\s+([^:]+):(\d+)/;
next;
}
my ($usr, $status) = $line =~ m/login\ attempt \s+ \[ ([^\]]+) \] \s+ (\w+)/x;
if ($usr and $status) {
$rept{$port}{$usr}{$status}++;
}
else { warn "Line with an unexpected format:\n$line" }
}
close(LOG);
open (LOG, $file);
while (my $line = <LOG>){
if($line =~ /login attempt/){
#split string, get the ip and match it with original $ip
my ($testip) = (split /[\s,:\[\]\/]+/, $line)[-6];
#print "$testip\n";
#this two lines above print ips from login attempt line.
if($testip =~ /$ip/){
$frequency++;
}
else {
# stop frequency counter and start another one?
print "$frequency\n";
$frequency = 0;
}
}
}
print "$frequency\n";
close(LOG);
Сейчас выход следующим образом, который работает в течение последних трех записей в файле журнала, как IP усматривается 3 раза в конце :
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
3
Что я делаю неправильно? Я ценю вашу помощь. Thankyou
Каков ожидаемый выход для этой выборки данных? – bart
Является ли цель вашего второго 'while' исключительно для распечатки частот? У вас есть это в хеше с моего предыдущего поста, правильно для этого ввода. В последней строке вложенных 'foreach', где распечатываются результаты, вы можете печатать только частоты:' print '$ rept {$ port} {$ usr} {$ stat} \ n "'. Тогда вам не понадобится вторая 'while'. (Я должен написать объяснение на эту должность и сделаю это.) Отвечает ли это на этот вопрос? Если нет, уточните пожалуйста. – zdim
Да, единственная цель - напечатать частоты ** на основе IP ** в отличие от другого сообщения, которое основано на исходном порту. Я хочу знать, как работает хэш, поэтому я жду вашего объяснения на предыдущем посту. Спасибо. Если вы увидите мой комментарий к другому сообщению, если это возможно, я также хотел бы подсчитать количество вхождений IP как такового, чтобы у меня был порт, статус, появление компромисса usr pass, переданного по IP, и отсутствие события IP-сам по себе – firepro20