2018/12/29

I have long wanted to pick abnormal network behaviour out of HTTP logs,
but doing it in practice was a bit of a hassle:
either parse the log on each host and ship the results back for processing,
or configure every web server to forward its log to one log server and process it there.
Both approaches run into the same problem:
the log formats all differ,
which makes processing quite inconvenient.
bro ids solves this,
because it writes the HTTP traffic it sees to http.log.
Since the data comes from a port mirror,
it does not matter which web server is in use, and there is no format problem.
Below is part of the relevant log that was received:

"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057222.232953 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 78 GET 10.10.10.10 /phpmyadmin1/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057225.584942 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 97 GET 10.10.10.10 /phpMyAdmin__/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057223.108940 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 83 GET 10.10.10.10 /xampp/phpmyadmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057214.432996 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 47 POST 10.10.10.10 /mm.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 33 0 - - - - (empty) - - - FtjKnE4d9dGZ1eTimg - text/plain - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057223.824968 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 87 GET 10.10.10.10 /phpmyadmin-old/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057217.248956 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 63 GET 10.10.10.10 /dbadmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057210.580951 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 26 POST 10.10.10.10 /xiaohei.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 28 0 - - - - (empty) - - - F2YNwr3qgj6VkZiouf - text/plain - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057215.136950 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 51 GET 10.10.10.10 /index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057216.020960 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 56 GET 10.10.10.10 /PMA/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057218.484938 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 70 GET 10.10.10.10 /admin/phpMyAdmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057218.308939 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 69 GET 10.10.10.10 /admin/phpmyadmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057223.648956 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 86 GET 10.10.10.10 /tools/phpMyAdmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057216.196985 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 57 GET 10.10.10.10 /PMA2/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057222.937003 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 82 GET 10.10.10.10 /myadmin2/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057213.724938 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 43 POST 10.10.10.10 /test123.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 21 0 - - - - (empty) - - - FIDl5w1kIO2VHsjo8a - text/plain - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057221.163288 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 72 GET 10.10.10.10 /mysqladmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057221.704931 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 75 GET 10.10.10.10 /phpadmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057224.528944 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 91 GET 10.10.10.10 /claroline/phpMyAdmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057217.776981 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 66 GET 10.10.10.10 /admin/PMA/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057211.996955 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 34 POST 10.10.10.10 /zxc2.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 27 0 - - - - (empty) - - - Ft1eC04yYKwCWhrTPi - text/plain - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057224.884950 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 93 GET 10.10.10.10 /phpma/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057229.508999 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 17 GET 10.10.10.10 /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057227.352989 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 5 GET 10.10.10.10 /phpMyAdmin1/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057229.144976 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 15 GET 10.10.10.10 /mysql/sqlmanager/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057229.681003 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 18 GET 10.10.10.10 /manager/html - - Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:28.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057227.000982 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 3 GET 10.10.10.10 /phpMyAdmion/index.php - 1.1 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 159 404 Not Found - - (empty) - - - - - - F3YCn01Lompw5GiAdh - text/plain"
"2018-12-29T04:20:28.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057226.644633 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 1 GET 10.10.10.10 /shaAdmin/index.php - 1.1 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 159 404 Not Found - - (empty) - - - - - - F6zWHY3ZersNuWiVX2 - text/plain"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057189.296983 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 30 POST 10.10.10.10 /1hou.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 24 0 - - - - (empty) - - - FFzi3l4NQmxiu0bsfg - text/plain - - -"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057194.068951 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 50 POST 10.10.10.10 /sha.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 24 0 - - - - (empty) - - - FjR3jA2532rlkSNbEf - text/plain - - -"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057202.900966 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 88 POST 10.10.10.10 /2.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 24 0 - - - - (empty) - - - F3ewddDCWbrsByyN8 - text/plain - - -"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057193.716947 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 48 POST 10.10.10.10 /core.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 25 0 - - - - (empty) - - - FMBWxFbha0axdctTj - text/plain - - -"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057185.908958 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 11 POST 10.10.10.10 /aaaa.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 25 0 - - - - (empty) - - - Fsbkfe4RxpY2HRVpkg - text/plain FGwnQrbAvp4Iov629 - -"


Besides disguising itself as different OSes and browsers,
the client also keeps trying the paths and files of various default admin tools.
The requests are fired off without necessarily waiting for a response,
so there will not necessarily be a 404 status code in the record.
Searching the log by keyword
is enough to find the offending IPs and deal with them.
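As an added example (not code from the original post), the following Python script parses bro http.log records in the syslog-wrapped CSV form shown above and flags source IPs that repeatedly probe default admin-tool paths or spread their requests over several user agents; the sample lines, the IPs 203.0.113.7 and 192.0.2.9, the uids and the thresholds are all constructed or assumed.

```python
import csv
import re
from collections import defaultdict
from io import StringIO

# One http.log record as it arrives syslog-wrapped in the third CSV column. The user agent
# may contain spaces, so it is matched lazily up to the two integer body-length fields that
# always follow it; status is '-' when bro saw no reply to the request.
RECORD = re.compile(
    r'bro_http:\s+(?P<ts>\S+)\s+(?P<uid>\S+)\s+(?P<orig_h>\S+)\s+(?P<orig_p>\d+)\s+'
    r'(?P<resp_h>\S+)\s+(?P<resp_p>\d+)\s+(?P<depth>\d+)\s+(?P<method>\S+)\s+'
    r'(?P<host>\S+)\s+(?P<uri>\S+)\s+(?P<referrer>\S+)\s+(?P<version>\S+)\s+'
    r'(?P<user_agent>.*?)\s+(?P<req_len>\d+)\s+(?P<resp_len>\d+)\s+(?P<status>\S+)')

# Default admin-tool paths of the kind probed in the post, matched case-insensitively.
ADMIN_PATH = re.compile(r'phpmyadmin|pma|myadmin|dbadmin|mysqladmin|phpadmin|sqlmanager|manager/html', re.I)

# Constructed sample in the page's format (every IP except 10.10.10.10 and all uids are made up).
SAMPLE = '''"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057222.232953 Cabc1 203.0.113.7 58845 10.10.10.10 80 1 GET 10.10.10.10 /phpmyadmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057223.108940 Cabc1 203.0.113.7 58845 10.10.10.10 80 2 GET 10.10.10.10 /PMA/index.php - 1.1 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 159 404 Not Found - - (empty) - - - - - - Fxyz1 - text/plain"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057223.824968 Cabc1 203.0.113.7 58845 10.10.10.10 80 3 GET 10.10.10.10 /dbadmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057224.432996 Cabc1 203.0.113.7 58845 10.10.10.10 80 4 POST 10.10.10.10 /mm.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 33 0 - - - - (empty) - - - Fxyz2 - text/plain - - -"
"2018-12-29T04:20:33.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057225.000000 Cdef2 192.0.2.9 40000 10.10.10.10 80 1 GET 10.10.10.10 /index.php - 1.1 Mozilla/5.0 (X11; Linux x86_64) Firefox/64.0 0 512 200 OK - - (empty) - - - - - - Fxyz3 - text/html"
'''

def parse_log(text):
    """Return one field dict per bro_http record; lines that are not such records are skipped."""
    records = []
    for row in csv.reader(StringIO(text)):
        m = RECORD.search(row[2]) if len(row) >= 3 else None
        if m:
            records.append(m.groupdict())
    return records

def suspicious_sources(records, min_admin=3, min_uris=3):
    """Flag a source IP that repeatedly hits admin-tool paths, or spreads several URIs over
    several user agents. Status codes are not required: unanswered probes are logged as '-'."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r['orig_h']].append(r)
    flagged = {}
    for ip, reqs in by_ip.items():
        s = {'requests': len(reqs),
             'admin_hits': sum(1 for r in reqs if ADMIN_PATH.search(r['uri'])),
             'uris': len({r['uri'] for r in reqs}),
             'user_agents': len({r['user_agent'] for r in reqs}),
             'unanswered': sum(1 for r in reqs if r['status'] == '-')}
        if s['admin_hits'] >= min_admin or (s['user_agents'] >= 2 and s['uris'] >= min_uris):
            flagged[ip] = s
    return flagged
```

Feed it the third CSV column of your own collected lines (or the raw http.log fields after the `bro_http:` prefix) and tune the thresholds to the traffic volume of the server.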
