perl分析weblog中的攻击事件.

perl分析weblog中的攻击事件.

#!/usr/bin/perl -w
# Banner text shown by usage(); single-quoted heredoc, nothing is interpolated.
my $banner = <<'BANNER';
###############################################################
#
#  This is a tool which analyse attack ation in web logfile.
#  Date          : 2008-06-27
#  Author        : Ecore
#  Website        : [url]http://ecore.ishacker.org[/url]
#
################################################################
BANNER


#use strict;
use Getopt::Std;
use vars qw($opt_t $opt_f);

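# Command-line parameters: -t log type (common|combined), -f log file name.
# getopts() is used instead of getopt(): it rejects unknown switches and
# warns when a switch that needs a value is given without one, and in both
# cases returns false, so the user gets the usage text instead of a silent
# run with undefined options.
getopts('t:f:') or usage();

usage() unless ( defined($opt_t) && defined($opt_f) );

my $log_type    = $opt_t;   # kept for the caller's benefit; not consulted further down in this file
my $logfilename = $opt_f;

my $line        = 0;        # current line number of the log, reported on a hit
my $injectcount = 0;        # number of lines whose URL matched a signature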



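# Three-argument open with a lexical handle: with the two-argument form a
# file name beginning with ">" or ending in "|" would change the open mode
# or run a command, so the mode is given separately here.
open(my $logfh, '<', $logfilename) or die "Can't open file:$!\n";

LINE:
while (my $record = <$logfh>) {
        ++$line;                # counted before any skip so $line matches the file
        chomp $record;
        next LINE if $record =~ /\A\s*\z/;   # blank line, nothing to inspect

        # Common/combined log format split on whitespace: the request part is
        # "METHOD URL PROTOCOL", so the URL is the seventh field.
        my ($host, $RFC, $authuser, $timestamp, $TZ, $get, $url, $protocol, $status, $size)
            = split ' ', $record;

        next LINE unless defined $url;       # short or malformed line

        process_url( $url );
}

close($logfh) or die "Can't close file:$!\n";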


# Show the banner and the command-line synopsis, then stop the program.
# Invoked when the required -t / -f options are not both present.
sub usage{
        print $banner,
              "Usage:\n\n",
              "$0 -t [ common|combined ] -f /tmp/access.log\n\n";
        exit;
}

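# Signatures that process_url() looks for in the URL field.
#
# The log is read by the while loop above, i.e. at normal run time this
# statement is reached only after every line has already been processed,
# so a plain "my @injection = qw(and);" would still be empty when
# process_url() runs.  Assigning inside BEGIN fills the array at compile
# time, before the first log line is read.
my @injection;
BEGIN { @injection = qw (and); }
#my @xsscode = qw (<Script Alert <%00script> javascript %3CSCRIPT%3E);
#my @fileinclude = qw (file= filename= path= [url]http://xxx.xxx/[/url] ../ .. ./ =ftp: =http:);
#my @dirtrav = qw (.. ../ ./ /etc/passwd /etc);
#my @exec = qw (ps dir ping cat cd ls cp );
#my @downbak = qw (xxx.bak xxx.mdb xxx.inc xxx.asa);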


# process url field,extract the attack ation.
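# process url field,extract the attack ation.
#
# Takes one URL string (the seventh whitespace-separated field of a log
# line); on a hit it bumps $injectcount and prints the current $line.
# Each entry of @injection is matched literally (quotemeta) and as a whole
# word, so "and" is not reported inside words such as "brand" or "android";
# the match is case-insensitive because SQL keyword casing is not
# significant.  A single keyword still occurs in ordinary URLs, so a hit is
# a candidate for review rather than a confirmed attack.
sub process_url{
        my $extract = shift;
        return unless defined $extract;    # short or malformed log line

        # Build "sig1|sig2|..." once per call; the original interpolated
        # "@injection" with its surrounding quotes into the pattern.
        my $signature = join '|', map { quotemeta } @injection;
        return unless length $signature;   # no signatures configured

        if ( $extract =~ /\b(?:$signature)\b/i ) {
                ++$injectcount;
                print "Found sql inject at line $line\n";
        }
        return;
}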

# Summary written once the whole log has been processed.
print 'sql inject count: ', $injectcount, "\n";


没啥思路了。不知道process_url怎么处理更好些了。
难道俺的问题太烂了?就没有人愿意帮俺一下?
把你想做什么说出来比放这几行代码要好。
我以前有做过分析ip在一天内access apache的次数....找出超过1000次的..
翻翻旧帖吧....

看起来你是要分析哪些IP做了什么攻击....
建议你可以按照IP攻击的频繁次数..做排序...找出前几名....列入黑名单...