App-Waf



   ($log,$zcount,$zip,$zrequrl,$zstatus,$siteurl)=initCount($line);
  print "==============Attack Summary ==================\n";
  print "\nThe total attack count: $zcount \n";
  print "\nThe count from source IP:  \n\n";
  print "$_\=> $zip->{$_} \n" for(sort  keys %{$zip});
  print "The count From request Url:  \n\n";
  print "$_\=> $zrequrl->{$_} \n" for(sort keys %{$zrequrl});
  print "\n\nThe count From Http Status:  \n\n";
  print "$_\=> $zstatus->{$_} \n" for(sort keys %{$zstatus});
  print "\n\nThe count From Site Url:  \n\n";
  print "$_\=> $siteurl->{$_} \n" for(sort keys %{$siteurl});
  
=head2 结合nginx 和 iptables 进行实时banip的实例(example/banip.pl)

加入crontab 每5分钟执行一次。

   echo "*/5 * * * * perl $dir/banip.pl >> banip.logs 2>&1 " >> /var/spool/cron/root

=head1 SUBROUTINES/METHODS

=head2 tail()

IN: $logfile,$count;

OUT: returns the latest $count lines of $logfile.

=head2 initCount()

IN: the content that needs to be checked and counted.

OUT: the count results for all types.

=cut

use File::ReadBackwards;

# Set to a true value to get per-call trace output from tail() and
# initCount() (they print their inputs/intermediate totals when this is
# set).  Leave it 0 in normal runs.
my $DEBUG = 0;

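# Signature list: each element is a regex *source string* that initCount()
# hands to scarlog1() one at a time; a log line matching a pattern is
# counted under that pattern.  Because the counts are summed over every
# element, a line that matches two entries is counted twice, so the list
# must not contain overlapping duplicates.  (Case sensitivity and the
# flags used depend on scarlog1(), which is not shown here.)
#
# NOTE(review): 'having|rongjitest' has no anchors or word boundaries, so
# any log line that merely contains the word "having" is counted as an
# attack -- expect false positives from that entry.
my @validurl = (
    'rfd\.php\?include_file',
    '\.\./',
    'select.+(from|limit)',
    '(?:(union(.*?)select))',
    'having|rongjitest',
    'sleep\((\s*)(\d*)(\s*)\)',
    'benchmark\((.*)\,(.*)\)',
    'base64_decode\(',
    '(?:from\W+information_schema\W)',
    '(?:(?:current_)user|database|schema|connection_id)\s*\(',
    '(?:etc\/\W*passwd)',
    'into(\s+)+(?:dump|out)file\s*',
    'group\s+by.+\(',
'(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|concat|alert|showmodaldialog)\(',
    # Only the escaped form is kept: the former unescaped twin
    # 'xwork.MethodAccessor' matched a superset of the same lines and
    # double-counted every hit.
    'xwork\.MethodAccessor',
    '(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/',
    'java\.lang',
    '\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[',
    '\<(iframe|script|body|img|layer|div|meta|style|base|object|input)',
    '(onmouseover|onerror|onload)\=',
    '\.(bak|inc|old|mdb|sql|backup|java|class)$',
    '\.(svn|htaccess|bash_history)',
    '(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar',
    '(phpmyadmin|jmx-console|jmxinvokerservlet)',
    # Dots in file names are escaped so they match a literal '.', not
    # any character.
    '/xmlrpc\.php',
'/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\w+)\.(php|jsp|asp)',
);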

# tail($filename, $linenum)
#
# Return a reference to an array holding the last $linenum lines of
# $filename, in file order (oldest first).  A false $linenum (undef, 0,
# '') selects 1000 lines.  Dies if File::ReadBackwards cannot open the
# file.  The file is read from its end, so only the requested number of
# lines is ever held in memory.
sub tail {

    my ( $filename, $linenum ) = @_;
    print "DEBUG :: tail() :: IN : $filename,$linenum \n" if $DEBUG;

    my $reader = File::ReadBackwards->new($filename)
      or die "can't read $filename $!";
    $linenum ||= 1000;

    # Collected newest-first; reversed on return.
    my @tail;
  LINE:
    while (1) {
        my $line = $reader->readline;
        last LINE unless defined $line;
        push @tail, $line;
        # Numeric comparison, as in the original: a non-numeric $linenum
        # never equals the count and the whole file is read.
        last LINE if scalar(@tail) == $linenum;
    }

    return [ reverse @tail ];
}

sub initCount {

    my $line   = shift;
    my @re     = @validurl;
    my $kcount = shift;
    my ( $zcount, $zip, $zrequrl, $zstatus, $siteurl );
    my $rawlog;

    for (@re) {
        my $result = scarlog1( $_, $line );
        my ( $mycount, $mylog ) = count($result);
        my $key = $_;
        $rawlog .= $mylog->{$key} if $mylog->{$key};

        $zcount += $mycount->{$key}->[0] if $mycount->{$key}->[0];
        print
          "DEBUG\:: initCount()\::OUT  $key $mycount->{$key}->[0]   $zcount \n"
          if $DEBUG;
        $zip->{$_} += $mycount->{$key}->[1]->{$_}
          for ( keys %{ $mycount->{$key}->[1] } );
        $zrequrl->{$_} += $mycount->{$key}->[2]->{$_}
          for ( keys %{ $mycount->{$key}->[2] } );

        if ($DEBUG) {
            print
"DEBUG\:: initCount()\::OUT  $key $zrequrl->{$_}  $_\=> $mycount->{$key}->[2]->{$_} \n"
              for ( keys %{ $mycount->{$key}->[2] } );
        }
        $zstatus->{$_} += $mycount->{$key}->[3]->{$_}
          for ( keys %{ $mycount->{$key}->[3] } );
        $siteurl->{$_} += $mycount->{$key}->[4]->{$_}
          for ( keys %{ $mycount->{$key}->[4] } );


