First, I apologise for posting this ugly, long sample, but it is all I could collect. I am trying to get the IP addresses of the malware source and the host. My pattern works fine for the host, but when I try to get the source IP back it breaks, because the pattern captured in the lookbehind part of the log changes. So I am stuck.
logs = [
"May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12446 devicePayloadId=8F003A0D28D9 rt=2023-05-03 00:09:25 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=MIM0002012 TMCMLogDetectedHost=MIM0002012 src=172.16.4.90 TMCMLogDetectedIP=172.16.4.90 cs3Label=SLF_DomainName cs3=Acme act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=173.233.137.60 deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe dvchost=somedomain.manage.trendmicro.com",
"May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12447 devicePayloadId=8F003A0D28D9 rt=2023-05-03 08:02:58 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=LENOVOM910Q TMCMLogDetectedHost=LENOVOM910Q src=10.10.110.69 TMCMLogDetectedIP=10.10.110.69 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=192.243.61.227 deviceProcessName=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe dvchost=somedomain.manage.trendmicro.com ",
"May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12448 devicePayloadId=8F003A0D28D9 rt=2023-05-03 08:02:58 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=LENOVOM910Q TMCMLogDetectedHost=LENOVOM910Q src=10.10.110.69 TMCMLogDetectedIP=10.10.110.69 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=173.233.137.36 deviceProcessName=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe dvchost=somedomain.manage.trendmicro.com ",
"May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12449 devicePayloadId=8F003A0D28D9 rt=2023-05-03 08:02:59 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=LENOVOM910Q TMCMLogDetectedHost=LENOVOM910Q src=10.10.110.69 TMCMLogDetectedIP=10.10.110.69 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=192.243.59.13 deviceProcessName=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe dvchost=somedomain.manage.trendmicro.com ",
"May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12450 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:15 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01 src=10.10.220.172 TMCMLogDetectedIP=10.10.220.172 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=4 cs5Label=CnCDestinationURL cs5=somewebsite.com deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe dvchost=somedomain.manage.trendmicro.com ",
"May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12451 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:16 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01 src=10.10.220.172 TMCMLogDetectedIP=10.10.220.172 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=4 cs5Label=CnCDestinationURL cs5=somewebsite.com deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe dvchost=somedomain.manage.trendmicro.com ",
"May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12452 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:19 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01 src=10.10.220.172 TMCMLogDetectedIP=10.10.220.172 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=4 cs5Label=CnCDestinationURL cs5=somewebsite.com deviceProcessName=C:\\\\Windows\\\\System32\\\\svchost.exe dvchost=somedomain.manage.trendmicro.com ",
"May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12453 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:19 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01"
]
The host IP can be found in this section:
The code is:
import re
endpoint_ip_list = [re.sub('dst=', '', re.search(r'(?<=src=).*?(?=\s+TMCMLogDetectedIP=)', log).group()) for log in logs]
Output:
['172.16.4.90', '10.10.110.69', '10.10.110.69', '10.10.110.69', '10.10.220.172', '10.10.220.172', '10.10.220.172', '10.10.220.172']
The second part is the source IP (the likely source of the attack), which can be found in this section:
Sometimes, depending on the policy, the log shows a domain instead of an IP address. So when I run the regex for the part highlighted in green, it obviously breaks.
callback_ip_list = [re.sub('dst=', '', re.search(r'(?<=dst=).*?(?=\s+deviceProcessName=)', log).group()) for log in logs]
Output:
callback_ip_list = [re.sub('dst=','',re.search('(?<=dst=).*?(?=\s+deviceProcessName=)',log).group()) for log in logs]
AttributeError: 'NoneType' object has no attribute 'group'
If you know of a way to capture both the IP and the domain in the same expression, that would be perfect, but tbh I would be happy with any fix for this. Thanks for your help!
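An added example, not the poster's code: instead of anchoring on the neighbouring field names, parse the CEF extension into key/value pairs and then pick dst= for an IP destination or cs5= (when cs5Label=CnCDestinationURL) for a URL destination, returning None rather than raising when a truncated line has neither. The sample lines are constructed in the question's layout with made-up, abbreviated values.

```python
from __future__ import annotations
import re

# Constructed sample lines in the question's CEF layout (values abbreviated and made up).
# Line 1 has an IP destination (dst=), line 2 a URL destination (cs5=), line 3 is truncated.
SAMPLE_LOGS = [
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|"
    "CnC:Block|CnC Callback|3|deviceExternalId=12446 rt=2023-05-03 00:09:25 shost=MIM0002012 "
    "src=172.16.4.90 TMCMLogDetectedIP=172.16.4.90 act=Block cn3=1 dst=173.233.137.60 "
    "deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe "
    "dvchost=somedomain.manage.trendmicro.com",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|"
    "CnC:Block|CnC Callback|3|deviceExternalId=12450 rt=2023-05-03 09:42:15 shost=DELLTELEC01 "
    "src=10.10.220.172 TMCMLogDetectedIP=10.10.220.172 act=Block cn3=4 "
    "cs5Label=CnCDestinationURL cs5=somewebsite.com "
    "deviceProcessName=C:\\\\Windows\\\\System32\\\\svchost.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|"
    "CnC:Block|CnC Callback|3|deviceExternalId=12453 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01",
]

# One key=value pair of the CEF extension: the value runs lazily up to the next " key="
# token or the end of the line, so values containing spaces (rt, file paths) stay whole.
EXT_PAIR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_cef_extension(line: str) -> dict[str, str]:
    """Return the extension fields of a CEF line as a dict ({} if the header is incomplete)."""
    parts = line.split("|", 7)  # seven header fields, then the extension
    if len(parts) < 8:
        return {}
    return dict(EXT_PAIR_RE.findall(parts[7]))


def callback_destination(fields: dict[str, str]) -> str | None:
    """C&C destination: dst= when it is an IP, cs5= when Apex Central logged a URL instead."""
    if "dst" in fields:
        return fields["dst"]
    if fields.get("cs5Label") == "CnCDestinationURL":
        return fields.get("cs5")
    return None


def extract_src_dst(logs: list[str]) -> list[tuple[str | None, str | None]]:
    """(endpoint IP, callback destination) per line; None where a field is absent."""
    return [(f.get("src"), callback_destination(f)) for f in map(parse_cef_extension, logs)]


if __name__ == "__main__":
    for src, dst in extract_src_dst(SAMPLE_LOGS):
        print(src, "->", dst)
```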