最近业务中使用了一个入侵检测系统,其前端使用flash实现,查询和导出数据功能非常的不友好。因此,我写一个脚本来实现报警数据的导出和过滤,提高分析的效率。
环境
- windows7 x64
- vscode
- pandas,requests
- python2.7
代码
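#-*- coding:utf-8 -*-
"""Export and filter alert tables from an IDS appliance whose Flash UI makes
querying and exporting awkward.

Flow: log in, page through each event table for a fixed query window, keep
only rows that touch a protected target and do not involve an authorised
tester address, and write the result to ``<table_name>.csv``.
"""
from __future__ import print_function

import csv  # kept: imported by the original script
import os
import time

import pandas as pd
import requests
from requests.packages import urllib3

# ---- settings ---------------------------------------------------------------
# TLS verification for the appliance connection. ``False`` reproduces the
# original behaviour (self-signed appliance certificate); set it to ``True`` or
# to the path of the appliance's CA bundle so the login and exported data
# travel over an authenticated channel.
VERIFY_TLS = False
if not VERIFY_TLS:
    # Only silence InsecureRequestWarning when verification is actually off.
    urllib3.disable_warnings()

# Global state shared between main() and get_table()
session_id = ''
s = requests.Session()
# Addresses under protection: only alerts touching these are kept
targets = [
    'x.x.x.x',
]
# Authorised security-test addresses, excluded from the export
exclude_ips = [
    'y.y.y.y',
]
# Appliance address
server_ip = "xx.xx.xx.xx"
# Credentials come from the environment so they never sit in the script;
# the fallbacks are the original placeholders (env var names are this
# script's own choice).
USERNAME = os.environ.get('IDS_USERNAME', 'admin')
PASSWORD = os.environ.get('IDS_PASSWORD', '****')
# Query window the original script used, in the appliance's own format
DEFAULT_BEGIN = "2020-02-18 00:00:00"
DEFAULT_END = "2020-02-18 14:00:00"
# Rows requested per page
PAGE_SIZE = 1000


def _page_count(total, page_size):
    """Return how many pages of ``page_size`` rows are needed for ``total`` rows.

    Uses integer ceiling division so the result is the same under Python 2
    and 3 (the original ``/`` floor-divided and then fetched one extra page).
    """
    return (int(total) + page_size - 1) // page_size


def _is_relevant(row):
    """Keep a row when its source or destination is a protected target and
    neither side is an authorised tester address."""
    touches_target = row['saddr'] in targets or row['daddr'] in targets
    tester_involved = row['saddr'] in exclude_ips or row['daddr'] in exclude_ips
    return touches_target and not tester_involved


def get_table(table_name, begin_date=DEFAULT_BEGIN, end_date=DEFAULT_END):
    """Download one event table page by page and write the filtered rows to
    ``<table_name>.csv``; nothing is written when the table is empty.

    Args:
        table_name: appliance table name, e.g. ``'WebEvent'``.
        begin_date, end_date: query window in ``'YYYY-MM-DD HH:MM:SS'`` form.

    Raises:
        requests.HTTPError: a page request did not return a 2xx status.
        KeyError: a response lacks the ``total`` or ``data`` field.
    """
    global session_id, s, server_ip
    cookies = {"JSESSIONID": session_id}
    page_num = 0
    page_count = 1  # provisional: the first response carries the real total
    table_data = []
    while page_num < page_count:
        url = 'https://%s/query/query%s.action?currentTime=%d' % (
            server_ip, table_name, int(time.time()))
        data = {
            "pageSize": PAGE_SIZE,
            "endDate": end_date,
            "beginDate": begin_date,
            "sessionID": session_id,
            "queryType": "0",
            "userId": "1",
            "pageNumber": page_num,
        }
        r = s.post(url, data=data, cookies=cookies, verify=VERIFY_TLS)
        # Fail loudly: the original silently skipped (or re-requested) a page
        # whose status was not 200, producing an incomplete export.
        r.raise_for_status()
        body = r.json()
        if page_num == 0:
            page_count = _page_count(body['total'], PAGE_SIZE)
            print('total_page', page_count)
        table_data += body['data']
        page_num += 1
    if not table_data:
        return
    df = pd.DataFrame(table_data)
    df = df[df.apply(_is_relevant, axis=1)]
    df.to_csv('%s.csv' % table_name, encoding='utf-8')


def main():
    """Log in to the appliance, then export every known event table.

    Raises:
        requests.HTTPError: the login request did not return a 2xx status.
        RuntimeError: the login response carried no ``sessionID``.
    """
    global session_id, s, server_ip
    headers = {
        'Host': server_ip,
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0',
        'Accept': '*/*',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Accept-Encoding': 'gzip, deflate, br',
        'Origin': 'https://%s' % server_ip,
        'Connection': 'keep-alive',
        'Referer': 'https://%s/index.swf/[[DYNAMIC]]/4' % server_ip,
        'Content-type': 'application/x-www-form-urlencoded'
    }
    data = {"username": USERNAME, "password": PASSWORD, "isNeed": False}
    url = 'https://%s/login/login.action?currentTime=%d' % (server_ip, int(time.time()))
    r = s.post(url, headers=headers, data=data, verify=VERIFY_TLS)
    r.raise_for_status()
    try:
        session_id = r.json()['sessionID']
    except (ValueError, KeyError):
        raise RuntimeError('login failed: no sessionID in response')
    # The session id is a bearer credential: confirm login without echoing it
    # to the console or any log that captures stdout.
    print('login ok')
    # Tables known to exist on the appliance
    table_names = [
        'MaliciousCodeInfectionEvent',
        'WebEvent',
        'CommunicationBehaviorEvent',
        'SpreadMaliciousCodeEvent',
        'MaliciousUrlAccessEvent',
        'AttackAttemptEvent',
        'OtherEvent'
    ]
    for table_name in table_names:
        print(table_name)
        get_table(table_name)


if __name__ == '__main__':
    main()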