arp 病毒告警脚本，设想--求高手转为代码

wildgoose

arp病毒最近比较泛滥，搞得头大，为了最小的减少它的影响，想通过脚本实现攻击的及时发现和告警，实现框架如下：

1。取得路由器的arp表-----方式 snmp，并写入文件。并将该脚本写入crond，每10分钟运行一次。

2。分析路由器取得的arp表，如果某一条ａｒｐ的ｍａｃ地址为路由器的ｍａｃ地址，两个或两个以上不同的ip地址对应同一个mac地址，肯定局域网内存在arp病毒。发现病毒记录下该mac地址并记录时间写入文件（或者数据库）。
　　
3。发布，重记录病毒的文件或者数据库中读取病毒发现报告并在网页发布，网页设置定时刷新，实现自动报警。并设置病毒发现处理标签，如果处理过了，管理员在网页上递交已经处理的标签，并将标签写入数据文件或者数据库，发布程序不再报警该条数据。

powerpolly

关注！

wildgoose

没人感兴趣么？

9er

关注.....一步一步实现..

wmjie

有 arp表 的数据吗？

wildgoose

[root@localhost ~]# snmpwalk   -Cc -c public -v 1 192.168.0.1 .1.3.6.1.2.1.3.1.1.2
RFC1213-MIB::atPhysAddress.3.1.192.168.2.80 = Hex-STRING: 00 06 5B 4B 36 34
RFC1213-MIB::atPhysAddress.3.1.192.168.2.37 = Hex-STRING: 00 19 D1 40 A7 AF
RFC1213-MIB::atPhysAddress.3.1.192.168.2.36 = Hex-STRING: 00 1A A0 BB E6 A3
RFC1213-MIB::atPhysAddress.3.1.192.168.2.101 = Hex-STRING: 08 10 73 07 73 FD
RFC1213-MIB::atPhysAddress.3.1.192.168.2.88 = Hex-STRING: 00 19 E0 DB 41 4F
RFC1213-MIB::atPhysAddress.3.1.192.168.2.85 = Hex-STRING: 00 20 ED 9E 2D 6B
RFC1213-MIB::atPhysAddress.3.1.192.168.2.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.4.1.192.168.3.59 = Hex-STRING: 4C 00 10 11 2E 1F
RFC1213-MIB::atPhysAddress.4.1.192.168.3.11 = Hex-STRING: 00 16 17 8D 8B 1A
RFC1213-MIB::atPhysAddress.4.1.192.168.3.91 = Hex-STRING: 00 19 D1 75 23 32
RFC1213-MIB::atPhysAddress.4.1.192.168.3.250 = Hex-STRING: 00 05 5D 87 BB D0
RFC1213-MIB::atPhysAddress.4.1.192.168.3.77 = Hex-STRING: 00 40 D0 59 6C AB
RFC1213-MIB::atPhysAddress.4.1.192.168.3.102 = Hex-STRING: 00 11 2F 0C 27 C9
RFC1213-MIB::atPhysAddress.4.1.192.168.3.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.5.1.192.168.5.156 = Hex-STRING: 00 11 5B CE 00 67
RFC1213-MIB::atPhysAddress.5.1.192.168.5.71 = Hex-STRING: 00 F0 CF 84 1D 12
RFC1213-MIB::atPhysAddress.5.1.192.168.5.101 = Hex-STRING: 00 D0 09 99 B6 A1
RFC1213-MIB::atPhysAddress.5.1.192.168.5.231 = Hex-STRING: 00 16 CF A0 8A C6
RFC1213-MIB::atPhysAddress.5.1.192.168.5.122 = Hex-STRING: 00 0D 56 74 D7 F3
RFC1213-MIB::atPhysAddress.5.1.192.168.5.103 = Hex-STRING: 00 E0 4C E7 9F 59
RFC1213-MIB::atPhysAddress.5.1.192.168.5.87 = Hex-STRING: 00 14 78 DC 5D 5D
RFC1213-MIB::atPhysAddress.5.1.192.168.5.2 = Hex-STRING: 00 50 8D F1 C1 53
RFC1213-MIB::atPhysAddress.5.1.192.168.5.3 = Hex-STRING: 00 30 F1 6E F2 5E
RFC1213-MIB::atPhysAddress.5.1.192.168.5.4 = Hex-STRING: 00 14 6C A5 16 E8
RFC1213-MIB::atPhysAddress.5.1.192.168.5.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.6.1.192.168.7.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.7.1.192.168.8.63 = Hex-STRING: 00 40 CA CA 33 04
RFC1213-MIB::atPhysAddress.7.1.192.168.8.39 = Hex-STRING: 00 14 6C A5 15 25
RFC1213-MIB::atPhysAddress.7.1.192.168.8.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.8.1.192.168.1.18 = Hex-STRING: 00 0C 29 42 49 4C
RFC1213-MIB::atPhysAddress.8.1.192.168.1.11 = Hex-STRING: 00 14 5E 91 5B 30
RFC1213-MIB::atPhysAddress.8.1.192.168.1.10 = Hex-STRING: 00 14 5E 91 89 DE
RFC1213-MIB::atPhysAddress.8.1.192.168.1.13 = Hex-STRING: 00 02 55 9C 14 02
RFC1213-MIB::atPhysAddress.8.1.192.168.1.1 = Hex-STRING: 00 10 DB 94 73 60
RFC1213-MIB::atPhysAddress.8.1.192.168.1.12 = Hex-STRING: 00 50 8D F1 C1 53
RFC1213-MIB::atPhysAddress.8.1.192.168.1.254 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.9.1.192.168.0.54 = Hex-STRING: 00 D0 D0 FC 63 DE
RFC1213-MIB::atPhysAddress.9.1.192.168.0.5 = Hex-STRING: 00 E0 FC 1C 52 67
RFC1213-MIB::atPhysAddress.9.1.192.168.0.119 = Hex-STRING: 00 0C 29 C5 E9 36
RFC1213-MIB::atPhysAddress.9.1.192.168.0.123 = Hex-STRING: 00 07 E9 EC 5E E6
RFC1213-MIB::atPhysAddress.9.1.192.168.0.56 = Hex-STRING: 00 07 E9 EC 4B 06
RFC1213-MIB::atPhysAddress.9.1.192.168.0.86 = Hex-STRING: 00 07 E9 EC 50 A2
RFC1213-MIB::atPhysAddress.9.1.192.168.0.144 = Hex-STRING: 00 14 2A 9D B1 C1
RFC1213-MIB::atPhysAddress.9.1.192.168.0.174 = Hex-STRING: 00 05 5D A0 05 E9
RFC1213-MIB::atPhysAddress.9.1.192.168.0.120 = Hex-STRING: 00 13 72 C0 8D 51
RFC1213-MIB::atPhysAddress.9.1.192.168.0.77 = Hex-STRING: 00 0A E6 AF 4F 8F
RFC1213-MIB::atPhysAddress.9.1.192.168.0.101 = Hex-STRING: 00 0C 76 F2 9F AD
RFC1213-MIB::atPhysAddress.9.1.192.168.0.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.10.1.192.168.10.84 = Hex-STRING: 00 D0 D0 FD 42 EE
RFC1213-MIB::atPhysAddress.10.1.192.168.10.7 = Hex-STRING: 00 D0 D0 FC 35 4C
RFC1213-MIB::atPhysAddress.10.1.192.168.10.4 = Hex-STRING: 00 D0 D0 FC 34 66
RFC1213-MIB::atPhysAddress.10.1.192.168.10.86 = Hex-STRING: 00 D0 D0 FD 42 E8
RFC1213-MIB::atPhysAddress.10.1.192.168.10.5 = Hex-STRING: 00 D0 D0 FC 63 EB
RFC1213-MIB::atPhysAddress.10.1.192.168.10.11 = Hex-STRING: 00 D0 D0 FC 63 F7
RFC1213-MIB::atPhysAddress.10.1.192.168.10.88 = Hex-STRING: 00 D0 D0 FD EA D6
RFC1213-MIB::atPhysAddress.10.1.192.168.10.90 = Hex-STRING: 00 D0 D0 FD 42 EC
RFC1213-MIB::atPhysAddress.10.1.192.168.10.80 = Hex-STRING: 00 D0 D0 FE 6B 68
RFC1213-MIB::atPhysAddress.10.1.192.168.10.2 = Hex-STRING: 00 D0 D0 FC 76 99
RFC1213-MIB::atPhysAddress.10.1.192.168.10.10 = Hex-STRING: 00 D0 D0 FC 76 98
RFC1213-MIB::atPhysAddress.10.1.192.168.10.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.11.1.192.168.201.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.12.1.192.168.202.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.13.1.10.40.92.106 = Hex-STRING: 00 D0 D0 C8 78 1F
[root@localhost ~]#

rdcwayx

1，你自己已经搞定，把snmpwalk命令加到cronjob 即可。假设得到输出文件：arp_table.
2。有两个条件。
第一个条件　（找出某一条ａｒｐ的ｍａｃ地址为路由器的ｍａｃ地址，　假设有多个路由器地址）

cat mac_list |xargs -i grep {} arp_table

第二个条件　（两个或两个以上不同的ip地址对应同一个mac地址）

$ cat arp_table |cut -d: -f4|sort |uniq -c|sort |awk '{ if ($1>1) print $_}'

3. 　就要你自己解决了。　

wmjie

awk -F":" 'BEGIN{"date +%Y%m%d-%H:%M"|getline time }{if($4 in mac )print "[",time,"]", $0; else mac[$4]=$0}'  filename

把文件中所有 MAC 大于 1条的找出来，是不是就这个意思？

结果：
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.4.1.192.168.3.1 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.5.1.192.168.5.1 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.6.1.192.168.7.1 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.7.1.192.168.8.1 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.8.1.192.168.1.12 = Hex-STRING: 00 50 8D F1 C1 53
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.8.1.192.168.1.254 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.9.1.192.168.0.1 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.10.1.192.168.10.1 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.11.1.192.168.201.1 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.12.1.192.168.202.1 = Hex-STRING: 00 D0 D0 C0 78 00