按照题目要求，分析蜜罐日志，找出日志中针对西门子私有通信协议扫描最多的 IP，并分析该扫描组织。
例子
工控蜜罐日志分析
import os
import re
import subprocess
# Per-source-IP tally of the connection lines matched by readIp(); filled in by setIp().
ipDict: dict[str, int] = {}
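def readIp():
    """Extract the source IPv4 address of every matching connection line in ./honeypot.log.

    Each address is appended, one per line, to ./ip.txt so that setIp() can
    count it.  The output file is opened in append mode, so running the script
    twice over the same log doubles every count — remove ./ip.txt between runs.
    """
    # The log-line wording ("New ...7 connection from <ip>") is taken from the
    # original pattern; the exact honeypot format is assumed, not verified here.
    # [0-9]{1,3} also accepts malformed octets such as 999, so the captured
    # text is only "IP-shaped", not a validated address.
    ip_pattern = re.compile(
        r'New .*7 connection from ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})'
    )
    # Open the output once rather than once per matching line; decode the log
    # leniently so a single bad byte (common in honeypot captures) does not abort the run.
    with open(r'./honeypot.log', 'r', encoding='utf-8', errors='replace') as f, \
            open('./ip.txt', 'a') as w:
        for line in f:
            match = ip_pattern.search(line)  # first match on the line, as findall()[0] did
            if match:
                w.write(match.group(1) + '\n')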
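def setIp():
    """Tally the addresses written by readIp() into the module-level ipDict.

    Reads ./ip.txt line by line and increments ipDict[ip] for every non-empty
    line.  Counts are added on top of whatever ipDict already holds.
    """
    with open('./ip.txt', 'r') as f:
        for raw in f:
            ip = raw.strip()
            if not ip:
                continue  # a blank line would otherwise be counted under the key ''
            ipDict[ip] = ipDict.get(ip, 0) + 1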
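def readDns():
    """Print the most frequent IP in ipDict and, if it has a reverse record, its nslookup output.

    Prints a message and returns when ipDict is empty instead of letting
    max() raise ValueError.  The lookup is run without a shell: ipDict keys
    come from the honeypot log, i.e. from attacker-controlled input, so the
    IP is passed as a single argv element rather than interpolated into a
    command string.
    """
    if not ipDict:
        print('no IP addresses counted')
        return
    ip = max(ipDict, key=ipDict.get)
    print(ip)
    try:
        # Only stdout is captured, matching os.popen(); stderr still reaches the terminal.
        proc = subprocess.run(['nslookup', ip], stdout=subprocess.PIPE,
                              text=True, check=False)
    except FileNotFoundError:
        print('nslookup not found')
        return
    comm = proc.stdout
    # "NXDOMAIN" marks a name with no PTR record on the resolver the original
    # was written against; the wording is platform dependent — TODO confirm on the target host.
    if 'NXDOMAIN' not in comm:
        print(comm)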
if __name__ == '__main__':
    # Pipeline: extract addresses from the log, count them, then look up the top one.
    for step in (readIp, setIp, readDns):
        step()