ChinaUnix
ARP virus alert script, a design sketch: asking an expert to turn it into code

Post 1, posted 2007-09-12 17:37
ARP viruses have been running rampant lately and are giving me a headache. To keep their impact as small as possible, I want a script that detects an attack promptly and raises an alert. The framework would be as follows:

1. Fetch the router's ARP table via SNMP and write it to a file. Put this script in crond and run it every 10 minutes.

2. Analyse the ARP table fetched from the router. If the MAC address of some ARP entry is the router's MAC address, with two or more different IP addresses mapping to the same MAC address, there is certainly an ARP virus on the LAN. When a virus is found, record that MAC address together with the time in a file (or a database).

3. Publishing: read the virus detection reports from the file or database in which the viruses are recorded and publish them on a web page; set the page to refresh on a timer so that the alarm is automatic. Also add a "handled" flag for each detected virus: once it has been dealt with, the administrator submits the handled flag on the web page, the flag is written to the data file or database, and the publishing program no longer alerts on that record.

Post 2, posted 2007-09-12 18:50
Watching!

Post 3, posted 2007-09-14 10:54
Nobody interested?

Post 4, posted 2007-09-14 15:33
Watching..... implement it step by step..

Post 5, posted 2007-09-14 15:48
Do you have the ARP table data?

Post 6, posted 2007-09-15 08:21

Below is the output of snmpwalk:

[root@localhost ~]# snmpwalk   -Cc -c public -v 1 192.168.0.1 .1.3.6.1.2.1.3.1.1.2
RFC1213-MIB::atPhysAddress.3.1.192.168.2.80 = Hex-STRING: 00 06 5B 4B 36 34
RFC1213-MIB::atPhysAddress.3.1.192.168.2.37 = Hex-STRING: 00 19 D1 40 A7 AF
RFC1213-MIB::atPhysAddress.3.1.192.168.2.36 = Hex-STRING: 00 1A A0 BB E6 A3
RFC1213-MIB::atPhysAddress.3.1.192.168.2.101 = Hex-STRING: 08 10 73 07 73 FD
RFC1213-MIB::atPhysAddress.3.1.192.168.2.88 = Hex-STRING: 00 19 E0 DB 41 4F
RFC1213-MIB::atPhysAddress.3.1.192.168.2.85 = Hex-STRING: 00 20 ED 9E 2D 6B
RFC1213-MIB::atPhysAddress.3.1.192.168.2.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.4.1.192.168.3.59 = Hex-STRING: 4C 00 10 11 2E 1F
RFC1213-MIB::atPhysAddress.4.1.192.168.3.11 = Hex-STRING: 00 16 17 8D 8B 1A
RFC1213-MIB::atPhysAddress.4.1.192.168.3.91 = Hex-STRING: 00 19 D1 75 23 32
RFC1213-MIB::atPhysAddress.4.1.192.168.3.250 = Hex-STRING: 00 05 5D 87 BB D0
RFC1213-MIB::atPhysAddress.4.1.192.168.3.77 = Hex-STRING: 00 40 D0 59 6C AB
RFC1213-MIB::atPhysAddress.4.1.192.168.3.102 = Hex-STRING: 00 11 2F 0C 27 C9
RFC1213-MIB::atPhysAddress.4.1.192.168.3.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.5.1.192.168.5.156 = Hex-STRING: 00 11 5B CE 00 67
RFC1213-MIB::atPhysAddress.5.1.192.168.5.71 = Hex-STRING: 00 F0 CF 84 1D 12
RFC1213-MIB::atPhysAddress.5.1.192.168.5.101 = Hex-STRING: 00 D0 09 99 B6 A1
RFC1213-MIB::atPhysAddress.5.1.192.168.5.231 = Hex-STRING: 00 16 CF A0 8A C6
RFC1213-MIB::atPhysAddress.5.1.192.168.5.122 = Hex-STRING: 00 0D 56 74 D7 F3
RFC1213-MIB::atPhysAddress.5.1.192.168.5.103 = Hex-STRING: 00 E0 4C E7 9F 59
RFC1213-MIB::atPhysAddress.5.1.192.168.5.87 = Hex-STRING: 00 14 78 DC 5D 5D
RFC1213-MIB::atPhysAddress.5.1.192.168.5.2 = Hex-STRING: 00 50 8D F1 C1 53
RFC1213-MIB::atPhysAddress.5.1.192.168.5.3 = Hex-STRING: 00 30 F1 6E F2 5E
RFC1213-MIB::atPhysAddress.5.1.192.168.5.4 = Hex-STRING: 00 14 6C A5 16 E8
RFC1213-MIB::atPhysAddress.5.1.192.168.5.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.6.1.192.168.7.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.7.1.192.168.8.63 = Hex-STRING: 00 40 CA CA 33 04
RFC1213-MIB::atPhysAddress.7.1.192.168.8.39 = Hex-STRING: 00 14 6C A5 15 25
RFC1213-MIB::atPhysAddress.7.1.192.168.8.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.8.1.192.168.1.18 = Hex-STRING: 00 0C 29 42 49 4C
RFC1213-MIB::atPhysAddress.8.1.192.168.1.11 = Hex-STRING: 00 14 5E 91 5B 30
RFC1213-MIB::atPhysAddress.8.1.192.168.1.10 = Hex-STRING: 00 14 5E 91 89 DE
RFC1213-MIB::atPhysAddress.8.1.192.168.1.13 = Hex-STRING: 00 02 55 9C 14 02
RFC1213-MIB::atPhysAddress.8.1.192.168.1.1 = Hex-STRING: 00 10 DB 94 73 60
RFC1213-MIB::atPhysAddress.8.1.192.168.1.12 = Hex-STRING: 00 50 8D F1 C1 53
RFC1213-MIB::atPhysAddress.8.1.192.168.1.254 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.9.1.192.168.0.54 = Hex-STRING: 00 D0 D0 FC 63 DE
RFC1213-MIB::atPhysAddress.9.1.192.168.0.5 = Hex-STRING: 00 E0 FC 1C 52 67
RFC1213-MIB::atPhysAddress.9.1.192.168.0.119 = Hex-STRING: 00 0C 29 C5 E9 36
RFC1213-MIB::atPhysAddress.9.1.192.168.0.123 = Hex-STRING: 00 07 E9 EC 5E E6
RFC1213-MIB::atPhysAddress.9.1.192.168.0.56 = Hex-STRING: 00 07 E9 EC 4B 06
RFC1213-MIB::atPhysAddress.9.1.192.168.0.86 = Hex-STRING: 00 07 E9 EC 50 A2
RFC1213-MIB::atPhysAddress.9.1.192.168.0.144 = Hex-STRING: 00 14 2A 9D B1 C1
RFC1213-MIB::atPhysAddress.9.1.192.168.0.174 = Hex-STRING: 00 05 5D A0 05 E9
RFC1213-MIB::atPhysAddress.9.1.192.168.0.120 = Hex-STRING: 00 13 72 C0 8D 51
RFC1213-MIB::atPhysAddress.9.1.192.168.0.77 = Hex-STRING: 00 0A E6 AF 4F 8F
RFC1213-MIB::atPhysAddress.9.1.192.168.0.101 = Hex-STRING: 00 0C 76 F2 9F AD
RFC1213-MIB::atPhysAddress.9.1.192.168.0.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.10.1.192.168.10.84 = Hex-STRING: 00 D0 D0 FD 42 EE
RFC1213-MIB::atPhysAddress.10.1.192.168.10.7 = Hex-STRING: 00 D0 D0 FC 35 4C
RFC1213-MIB::atPhysAddress.10.1.192.168.10.4 = Hex-STRING: 00 D0 D0 FC 34 66
RFC1213-MIB::atPhysAddress.10.1.192.168.10.86 = Hex-STRING: 00 D0 D0 FD 42 E8
RFC1213-MIB::atPhysAddress.10.1.192.168.10.5 = Hex-STRING: 00 D0 D0 FC 63 EB
RFC1213-MIB::atPhysAddress.10.1.192.168.10.11 = Hex-STRING: 00 D0 D0 FC 63 F7
RFC1213-MIB::atPhysAddress.10.1.192.168.10.88 = Hex-STRING: 00 D0 D0 FD EA D6
RFC1213-MIB::atPhysAddress.10.1.192.168.10.90 = Hex-STRING: 00 D0 D0 FD 42 EC
RFC1213-MIB::atPhysAddress.10.1.192.168.10.80 = Hex-STRING: 00 D0 D0 FE 6B 68
RFC1213-MIB::atPhysAddress.10.1.192.168.10.2 = Hex-STRING: 00 D0 D0 FC 76 99
RFC1213-MIB::atPhysAddress.10.1.192.168.10.10 = Hex-STRING: 00 D0 D0 FC 76 98
RFC1213-MIB::atPhysAddress.10.1.192.168.10.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.11.1.192.168.201.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.12.1.192.168.202.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.13.1.10.40.92.106 = Hex-STRING: 00 D0 D0 C8 78 1F
[root@localhost ~]#

Post 7, posted 2007-09-18 10:43
1. You have already sorted this out yourself: just add the snmpwalk command to a cron job. Suppose the output file is arp_table.
2. There are two conditions.
First condition (find the ARP entries whose MAC address is the router's MAC address; assuming there may be several router addresses):

cat mac_list |xargs -i grep {} arp_table

Second condition (two or more different IP addresses mapping to the same MAC address):

$ cat arp_table |cut -d: -f4|sort |uniq -c|sort |awk '{ if ($1>1) print $0}'

3. That one you will have to solve yourself.

Post 8, posted 2007-09-24 21:46
awk -F":" 'BEGIN{"date +%Y%m%d-%H:%M"|getline time }{if($4 in mac )print "[",time,"]", $0; else mac[$4]=$0}'  filename

This finds every MAC that appears more than once in the file; is that what you meant?

Result:
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.4.1.192.168.3.1 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.5.1.192.168.5.1 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.6.1.192.168.7.1 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.7.1.192.168.8.1 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.8.1.192.168.1.12 = Hex-STRING: 00 50 8D F1 C1 53
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.8.1.192.168.1.254 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.9.1.192.168.0.1 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.10.1.192.168.10.1 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.11.1.192.168.201.1 = Hex-STRING: 00 D0 D0 C0 78 00
[ 20070914-21:28 ] RFC1213-MIB::atPhysAddress.12.1.192.168.202.1 = Hex-STRING: 00 D0 D0 C0 78 00
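The following Python script is an added example, not code from this thread. It puts the three steps of the original post together (fetch via the snmpwalk command shown in post 6, analyse, and keep an acknowledged list so handled alerts are not raised again) and adds the check the awk one-liners in posts 7 and 8 lack: the router's own interface addresses (192.168.2.1, 192.168.3.1, 192.168.1.254 and so on) all legitimately share the router MAC 00 D0 D0 C0 78 00, so the output of post 8 consists almost entirely of false positives. Grouping by the ifIndex that snmpwalk puts in front of the IP (the "8" in atPhysAddress.8.1.192.168.1.12) keeps duplicates on one segment and ignores the same MAC seen on different segments. The sample table, the router MAC/IP list and the injected entry for 192.168.1.13 are constructed for the example; the fetch function is not run offline.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample in the snmpwalk format shown in the thread. The last
# line (192.168.1.13 answering with the router's MAC) is injected to
# simulate a gateway-impersonation entry; it is not in the real capture.
SAMPLE_ARP_TABLE = """\
RFC1213-MIB::atPhysAddress.3.1.192.168.2.80 = Hex-STRING: 00 06 5B 4B 36 34
RFC1213-MIB::atPhysAddress.3.1.192.168.2.37 = Hex-STRING: 00 19 D1 40 A7 AF
RFC1213-MIB::atPhysAddress.3.1.192.168.2.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.5.1.192.168.5.2 = Hex-STRING: 00 50 8D F1 C1 53
RFC1213-MIB::atPhysAddress.5.1.192.168.5.1 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.8.1.192.168.1.12 = Hex-STRING: 00 50 8D F1 C1 53
RFC1213-MIB::atPhysAddress.8.1.192.168.1.254 = Hex-STRING: 00 D0 D0 C0 78 00
RFC1213-MIB::atPhysAddress.8.1.192.168.1.13 = Hex-STRING: 00 D0 D0 C0 78 00
"""

# Assumed operator configuration (hypothetical, derived from the capture):
# the router's own MAC and the IPs of the router interfaces that may carry it.
ROUTER_MAC = "00:d0:d0:c0:78:00"
ROUTER_IPS = {"192.168.2.1", "192.168.5.1", "192.168.1.254"}

# ifIndex, then ".1." (the atNetAddress type), then the IP and the raw MAC bytes.
LINE_RE = re.compile(
    r"atPhysAddress\.(\d+)\.1\.(\d+(?:\.\d+){3}) = Hex-STRING: ([0-9A-Fa-f ]+)$"
)


def fetch_arp_table(host, community="public"):
    """Step 1: run the snmpwalk command from the thread and return its text.
    Not exercised offline; SAMPLE_ARP_TABLE stands in for it."""
    cmd = ["snmpwalk", "-Cc", "-c", community, "-v", "1", host, ".1.3.6.1.2.1.3.1.1.2"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_arp_table(text):
    """Turn snmpwalk atPhysAddress lines into (ifindex, ip, mac) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            mac = ":".join(m.group(3).split()).lower()
            entries.append((int(m.group(1)), m.group(2), mac))
    return entries


def find_shared_macs(entries):
    """Step 2, second condition: one MAC claimed by two or more IPs on the
    SAME interface. Grouping per ifindex keeps the router's own interface
    addresses (one MAC on every subnet) out of the result."""
    ips_by_key = defaultdict(set)
    for ifindex, ip, mac in entries:
        ips_by_key[(ifindex, mac)].add(ip)
    return {key: sorted(ips) for key, ips in ips_by_key.items() if len(ips) > 1}


def find_gateway_impersonation(entries, router_mac=ROUTER_MAC, router_ips=ROUTER_IPS):
    """Step 2, first condition: a non-router IP answering with the router's MAC."""
    return sorted(
        (ifindex, ip) for ifindex, ip, mac in entries
        if mac == router_mac and ip not in router_ips
    )


def pending_alerts(entries, acknowledged=frozenset()):
    """Step 3: build alert records and drop those an admin has already
    acknowledged; `acknowledged` holds (ifindex, mac, ip) keys."""
    alerts = []
    for (ifindex, mac), ips in find_shared_macs(entries).items():
        for ip in ips:
            alerts.append(("shared-mac", ifindex, mac, ip))
    for ifindex, ip in find_gateway_impersonation(entries):
        alerts.append(("gateway-mac", ifindex, ROUTER_MAC, ip))
    return sorted(a for a in alerts if (a[1], a[2], a[3]) not in acknowledged)


if __name__ == "__main__":
    for alert in pending_alerts(parse_arp_table(SAMPLE_ARP_TABLE)):
        print(alert)
```

On the sample, only the injected 192.168.1.13 entry is reported (once as a shared MAC with 192.168.1.254 on interface 8, once as gateway impersonation); the MAC 00 50 8D F1 C1 53 that the real capture shows on both 192.168.5.2 and 192.168.1.12 is on two different interfaces and is therefore left alone, unlike in post 8's output. The acknowledged set is the in-memory form of the "handled" flag from the original post; persisting it to a file or database is the only piece left to add.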