The portscan detection I originally configured in Snort seems to have done quite a bit of good.
Today I added signature-based detection and blocking on top of it.
For now the threshold is set to 100,
i.e. once an IP has triggered Snort rules 100 times it gets blocked.
I'll run it like this for a while and see how it goes.
The code is as follows:
#!/usr/bin/python
import MySQLdb

MALICE_COUNT = 100  # block a source once it has this many rule hits in one day

db = MySQLdb.connect(host="localhost", user="root", passwd="abcd1234", db="snort")
cursor = db.cursor()
# Join event with iphdr on (sid, cid) and count today's alerts per source IP
cursor.execute("select count(*) as cnt, inet_ntoa(ip_src) from event, iphdr "
               "where event.cid=iphdr.cid and event.sid=iphdr.sid "
               "and DATE(event.timestamp) = CURDATE() "
               "group by ip_src order by cnt")
result = cursor.fetchall()  # list of (cnt, ip) tuples
for record in result:
    if record[0] > MALICE_COUNT:
        print(record[1])  # source IP that has crossed the threshold
db.close()
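The same count-and-threshold logic, as an added example that is not the script from this post: it runs offline against an in-memory SQLite copy of the two Snort tables the query joins (event and iphdr), with constructed alert rows, so the selection rule can be checked without a live MySQL/Snort database. The inet_ntoa() function, the sample addresses and the allowlist are assumptions made for the example; the threshold is pushed into a HAVING clause so the database does the filtering, and the allowlist is there because an IDS alert only proves that packets claimed a source address, so an attacker who spoofs a gateway or monitoring host could otherwise get it blocked. Feeding the resulting IPs into a firewall rule is a separate step, not shown here.

```python
import socket
import sqlite3
import struct

THRESHOLD = 100  # same threshold as the post: block after 100 rule hits in a day


def inet_ntoa(n):
    """Does the job of MySQL's inet_ntoa(): 32-bit unsigned int -> dotted quad."""
    return socket.inet_ntoa(struct.pack("!I", n))


def inet_aton(s):
    """Inverse helper, used only to build the sample rows."""
    return struct.unpack("!I", socket.inet_aton(s))[0]


def build_sample_db(rows):
    """Constructed in-memory stand-in for the Snort 'event' and 'iphdr' tables.

    rows: iterable of (source_ip, day_offset) where day_offset 0 means today
    and -1 means yesterday (assumption: timestamps are written in UTC).
    """
    db = sqlite3.connect(":memory:")
    db.create_function("inet_ntoa", 1, inet_ntoa)
    db.execute("create table event (sid integer, cid integer, timestamp text)")
    db.execute("create table iphdr (sid integer, cid integer, ip_src integer)")
    for cid, (ip, day_offset) in enumerate(rows, start=1):
        db.execute("insert into event values (1, ?, datetime('now', ?))",
                   (cid, "%d days" % day_offset))
        db.execute("insert into iphdr values (1, ?, ?)", (cid, inet_aton(ip)))
    db.commit()
    return db


def offenders(db, threshold=THRESHOLD, allowlist=()):
    """Return [(ip, count), ...] for today's sources above the threshold,
    noisiest first, skipping addresses we never want to auto-block."""
    cur = db.execute(
        "select inet_ntoa(ip_src) as ip, count(*) as cnt "
        "from event join iphdr on event.sid = iphdr.sid and event.cid = iphdr.cid "
        "where date(event.timestamp) = date('now') "
        "group by ip_src having count(*) > ? order by cnt desc",
        (threshold,),
    )
    return [(ip, cnt) for ip, cnt in cur.fetchall() if ip not in allowlist]


def sample_rows():
    """Constructed alert stream (RFC 5737 / private addresses, not real hosts)."""
    rows = []
    rows += [("203.0.113.7", 0)] * 150    # noisy scanner today: should be listed
    rows += [("198.51.100.9", 0)] * 5     # a few hits today: below threshold
    rows += [("192.0.2.44", -1)] * 120    # noisy, but yesterday: date filter drops it
    rows += [("10.0.0.1", 0)] * 200       # our own vulnerability scanner: allowlisted
    return rows


if __name__ == "__main__":
    db = build_sample_db(sample_rows())
    for ip, cnt in offenders(db, allowlist={"10.0.0.1"}):
        print("%s  %d hits today -> block" % (ip, cnt))
```

Running it lists only 203.0.113.7: yesterday's 120 hits from 192.0.2.44 are outside the CURDATE() window exactly as in the MySQL query, and 10.0.0.1 is dropped by the allowlist even though it is the noisiest source.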