0

私は perl の新人です :) 助けが必要です。log.txt を解析したいのですが、混乱しており、このコーディングについてよくわかりません。

log.pcap を試してみましたが、必要ないようです。だから、再帰的にpcapを解析するのではなく、テキストを解析したい。私のコーディングを編集する人はいますか?? http://pastebin.com/mwZ1y2kM

これは私の log.txt です: (入力) http://pastebin.com/P0g0D6Pi

Frame 1 (640 bytes on wire, 640 bytes captured)
   Arrival Time: Jan 31, 2012 19:41:17.121115000
   [Time delta from previous captured frame: 0.000000000 seconds]
   [Time delta from previous displayed frame: 0.000000000 seconds]
   [Time since reference or first frame: 0.000000000 seconds]
   Frame Number: 1
   Frame Length: 640 bytes
   Capture Length: 640 bytes
   [Frame is marked: False]
   [Protocols in frame: eth:ip:tcp:http]
Ethernet II, Src: SunMicro_45:39:78 (01:24:4c:50:79:95), Dst:
Cisco_03:3c:dc (03:49:12:65:3f:dc)
   Destination: Cisco_03:3c:dc (03:49:12:65:3f:dc)
       Address: Cisco_03:3c:dc (03:49:12:65:3f:dc)
       .... ...0 .... .... .... .... = IG bit: Individual address
(unicast)
       .... ..0. .... .... .... .... = LG bit: Globally unique
address (factory default)
   Source: SunMicro_45:39:78 (01:24:4c:50:79:95)
       Address: SunMicro_45:39:78 (01:24:4c:50:79:95)
       .... ...0 .... .... .... .... = IG bit: Individual address
(unicast)
       .... ..0. .... .... .... .... = LG bit: Globally unique
address (factory default)
   Type: IP (0x0800)
Internet Protocol, Src: 221.255.225.143 (221.255.225.143), Dst:
10.12.264.43 (10.12.264.43)
   Version: 4
   Header length: 20 bytes
   Differentiated Services Field: 0x01 (DSCP 0x00: Default; ECN:
0x01)
       0000 00.. = Differentiated Services Codepoint: Default (0x01)
       .... ..0. = ECN-Capable Transport (ECT): 0
       .... ...0 = ECN-CE: 0
   Total Length: 626
   Identification: 0x3b68 (15208)
   Flags: 0x02 (Don't Fragment)
       0.. = Reserved bit: Not Set
       .1. = Don't fragment: Set
       ..0 = More fragments: Not Set
   Fragment offset: 0
   Time to live: 118
   Protocol: TCP (0x06)
   Header checksum: 0xfc4b [correct]
       [Good: True]
       [Bad : False]
   Source:221.255.225.143 (221.255.225.143)
   Destination: 10.12.264.43 (10.12.264.43)
Transmission Control Protocol, Src Port: 45267 (45267), Dst Port: http
(80), Seq: 1, Ack: 1, Len: 566
   Source port: 45267 (45267)
   Destination port: http (80)
   [Stream index: 0]
   Sequence number: 1    (relative sequence number)
   [Next sequence number: 587    (relative sequence number)]
   Acknowledgement number: 1    (relative ack number)
   Header length: 20 bytes
   Flags: 0x18 (PSH, ACK)
       0... .... = Congestion Window Reduced (CWR): Not set
       .0.. .... = ECN-Echo: Not set
       ..0. .... = Urgent: Not set
       ...1 .... = Acknowledgement: Set
       .... 1... = Push: Set
       .... .0.. = Reset: Not set
       .... ..0. = Syn: Not set
       .... ...0 = Fin: Not set
   Window size: 17520
   Checksum: 0xc19e [validation disabled]
       [Good Checksum: False]
       [Bad Checksum: False]
   [SEQ/ACK analysis]
       [Number of bytes in flight: 586]
Hypertext Transfer Protocol
   [truncated] GET /index.php?page=rilis&artikel=999999.9%27+union+all
+select+0x31303235343830303536%2C
       [[truncated] Expert Info (Chat/Sequence): GET /index.php?
page=rilis&artikel=999999.9%27+union+all+select
+0x31303235343830303536%2C
           [Message [truncated]: GET /index.php?
page=rilis&artikel=999999.9%27+union+all+select
+0x31303235343830303536%2C
           [Severity level: Chat]
           [Group: Sequence]
       Request Method: GET
       Request URI [truncated]: /index.php?
page=rilis&artikel=999999.9%27+union+all+select
+0x31303235343830303536%2C
       Request Version: HTTP/1.1
   Host: example.com\r\n
   Accept: */*\r\n
   User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
SV1; .NET CLR 2.0.50727) Havij\r\n
   Connection: Close\r\n
   \r\n

ええ、私はこのように解析したい: (出力)

Time: Jan 31, 2012 19:41:17
   IP Address Source: 221.255.225.143
           Mac Address Source: 010912063cfc
           Port Numbers Source: 44535
   IP Address Destination: 10.12.264.43
           Mac Address Destination: 00f04c080788
           Port Numbers Destination: 3306
   HTTP Host: example.com
           Request Method: GET
           Request URI: /index.php?page=rilis artikel=999999.9%27+union
                         +all+select+0x31303235343830303536%2C
           Tool: Havij

ありがとう...助けてくれる?私は今何をしているのか...

4

2 に答える 2

1

Net::Pcapまたはここで説明されているアプローチを試しましたか?

于 2012-03-04T23:03:04.507 に答える
1

あなたのログ行は少し奇妙です。一部のフィールド (リクエスト URI およびツール) には、予期しないコロンの前にスペースが含まれています。ログの行にこれらの予期しないスペースが実際に含まれていることを確認します。また、Port Numbers が Source または Destination 修飾子なしで 2 回表示されるのは少し驚くべきことです。もう一度、実際のログ ファイルを確認してください。次のコード スニペットは、質問に投稿されたログ行に対して機能します。フィールド名は一意ではないため、常に同じ順序で出力されると想定されます。

my @fields = ('Time', 'IP Address Source', 'Mac Address Source', 'Port Numbers',
    'IP Address Destination', 'Mac Address Destination', 'Port Numbers', 'HTTP Host',
    'Request Method', 'Request URI ', 'Tool ');

my $re = join(':\s+(.*?)\s+', @fields);
$re .= ':\s+(.*)';

warn $re;

$line = 'Time: Jan 31, 2012 19:41:17 IP Address Source: 221.255.225.143 Mac Address Source: 010912063cfc Port Numbers: 44535 IP Address Destination: 10.12.264.43 Mac Address Destination: 00f04c080788 Port Numbers: 3306 HTTP Host: example.com Request Method: GET Request URI : /index.php?page=rilis artikel=999999.9%27+union +all+select+0x31303235343830303536%2C Tool : Havij';

my @values = $line =~ /$re/;

print "values = @values\n"
于 2012-03-04T18:04:55.933 に答える