Ecore
perl分析weblog中的攻击事件.
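#!/usr/bin/perl
# Scan a web-server access log (common or combined log format) and flag
# request URLs that carry SQL-injection keywords.
#
#   $0 -t [ common|combined ] -f /tmp/access.log
#
# Prints "Found sql inject at line N" for each hit and a final count.
# Lines that do not look like an access-log entry are skipped with a
# warning on STDERR rather than being silently mis-parsed.
#
# Both log formats start with the same fields (host, ident, authuser,
# [timestamp], "request"), which is all this script reads; whatever the
# combined format appends after the request is ignored.
use strict;
use warnings;
use Getopt::Std;

my $banner = <<'BANNER';
###############################################################
#
# This is a tool which analyse attack ation in web logfile.
# Date : 2008-06-27
# Author : Ecore
# Website : [url]http://ecore.ishacker.org[/url]
#
################################################################
BANNER

# Print the banner and usage text and exit non-zero (bad arguments).
sub usage {
    print $banner;
    print "Usage:\n\n";
    print "$0 -t [ common|combined ] -f /tmp/access.log\n\n";
    exit 1;
}

# -t selects the log type, -f the log file; both are mandatory.
my %opt;
getopts('t:f:', \%opt) or usage();
usage() unless defined $opt{t} && defined $opt{f};
my $log_type    = $opt{t};
my $logfilename = $opt{f};
usage() unless $log_type eq 'common' || $log_type eq 'combined';

# Keywords that, as whole words in the decoded URL, suggest SQL injection.
# Declared BEFORE the scanning loop: a lexical assigned after the loop
# would still be empty while the loop runs, so nothing would ever match.
# Matching is case-insensitive and bounded by \b so "/brand/" does not
# trip "and"; free-text query parameters ("q=black and white") will still
# produce false positives, so treat hits as leads to inspect, not verdicts.
my @injection    = qw(and or union select insert update delete drop);
my $injection_re = do {
    my $alt = join '|', map { quotemeta } @injection;
    qr/\b(?:$alt)\b/i;
};

my $line        = 0;    # current log line number, for the report
my $injectcount = 0;    # number of lines flagged
my $skipped     = 0;    # lines that could not be parsed

# Undo one level of URL encoding so "%27%20or%201%3D1" is seen as "' or 1=1".
# Attackers routinely encode keywords to slip past naive string matching.
# Double-encoded payloads are not unwrapped here.
sub decode_url {
    my $encoded = shift;
    $encoded =~ tr/+/ /;
    $encoded =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $encoded;
}

# True when the (decoded) URL contains one of the injection keywords.
sub is_injection {
    my $url = shift;
    return 0 unless defined $url && length $url;
    return decode_url($url) =~ $injection_re ? 1 : 0;
}

# Report and count a hit for the URL of the current line.  Returns 1 when
# the URL was flagged, 0 otherwise.
sub process_url {
    my $extract = shift;
    return 0 unless is_injection($extract);
    ++$injectcount;
    print "Found sql inject at line $line\n";
    return 1;
}

# Three-argument open: the filename comes from the command line and must
# never be interpreted as a mode prefix or a pipe.
open my $logfh, '<', $logfilename
    or die "Can't open file $logfilename: $!\n";

while (my $entry = <$logfh>) {
    ++$line;
    chomp $entry;
    next if $entry =~ /\A\s*\z/;

    # The request is the first double-quoted field after the bracketed
    # timestamp.  Pulling it out with a regex, rather than split on
    # whitespace, keeps the field boundaries right when the request itself
    # contains spaces (which hostile traffic often does).  Servers that
    # escape embedded quotes as \" are handled by the (?:[^"\\]|\\.)* body.
    my ($request) = $entry =~ m{
        \A \S+ \s+ \S+ \s+ \S+ \s+ \[[^\]]*\] \s+ " ((?:[^"\\]|\\.)*) "
    }x;
    unless (defined $request) {
        ++$skipped;
        warn "line $line: not an access-log entry, skipped\n";
        next;
    }

    # "METHOD URL PROTOCOL" -> URL.  The protocol part is optional (old-style
    # or truncated requests); a request with no method/URL at all (logged as
    # "-") yields undef and is simply not scanned.
    my ($url) = $request =~ m{ \A \S+ \s+ (.*?) (?: \s+ HTTP/\S* )? \z }x;
    process_url($url);
}
close $logfh or die "Can't close $logfilename: $!\n";

print "sql inject count: $injectcount\n";
warn "$skipped line(s) could not be parsed\n" if $skipped;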
没啥思路了。不知道process_url怎么处理更好些了。