简单实现http流量包异常检测

环境配置:

参考：http://www.jianshu.com/p/34ad48e4ec78


代码:

#! /usr/bin/env python
#coding=utf-8

from scapy.all import *
import time
import re

def timestamp2time(timestamp):
    """Format a Unix timestamp as a local-time "YYYY-MM-DD HH:MM:SS" string.

    Uses time.localtime(), so the same timestamp renders differently on
    hosts configured for different time zones.
    """
    return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(timestamp))

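def pack_callback(packet):
    """Inspect one sniffed packet and print a report for suspicious HTTP requests.

    Two heuristics are applied to the request-target of an HTTP request:
    a "/etc/passwd" substring (file-inclusion / path-traversal probe) and a
    "%27 union" style fragment (SQL-injection probe).  A match prints the
    timestamp, source/destination 4-tuple, Host, URL and User-Agent to stdout.
    Packets without a TCP payload, or whose payload does not start with an
    HTTP request line, are ignored.  Never raises on a malformed request, so
    the sniff() loop that calls this keeps running.
    """
    # The BPF filter in sniff() should only deliver TCP-over-IP, but guard
    # anyway: a stray (e.g. IPv6) packet would otherwise raise inside the
    # callback and stop the capture loop.
    if not (packet.haslayer(TCP) and packet.haslayer(IP)):
        return
    if not packet[TCP].payload:
        return

    # NOTE(review): str() of a scapy payload is what the original relied on
    # under Python 2; on Python 3 the payload is bytes and may need an
    # explicit decode before the regexes below match.
    strpacket = str(packet[TCP].payload)

    # Only the request line decides whether this is an HTTP request.  Host
    # and User-Agent are optional headers and must not be assumed present
    # (the original crashed with AttributeError on a request lacking them).
    request_line = re.search(r'(GET|HEAD|POST|DELETE) (.*) HTTP/1\.[01]\r\n', strpacket)
    if not request_line:
        return
    host = re.search(r'Host: ([a-zA-Z0-9.-]*)\r\n', strpacket)
    useragent = re.search(r'User-Agent: (.*)\r\n', strpacket)

    url = request_line.group(2)
    domain = host.group(1) if host else "-"
    agent = useragent.group(1) if useragent else "-"
    # Compare case-insensitively for both heuristics (the original lowered
    # only one of the two "union" variants).
    lowered = url.lower()

    if "/etc/passwd" in lowered:
        label = "文件包含"
    elif "%27%20union" in lowered or "%27union" in lowered:
        label = "注入漏洞"
    else:
        return

    # url and agent are attacker-controlled and printed verbatim (control
    # characters are not stripped); anything consuming this output as a log
    # should treat those fields as untrusted.
    print("%s --- %s:%s --> %s:%s(%s) >>>%s"
          % (timestamp2time(packet.time), packet[IP].src, packet.sport,
             packet[IP].dst, packet.dport, domain, label))
    # The request-target normally already begins with "/", so no separator
    # is inserted between host and path (the original printed "//" for the
    # file-inclusion case).
    print("URL: http://%s%s" % (domain, url))
    print("User-Agent: %s" % agent)
    print("\n")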


# Capture starts as soon as this module is executed and blocks until the
# process is interrupted (count=0 means "no packet limit").  Raw capture on a
# physical interface usually requires elevated privileges.
sniff(
    # BPF filter: HTTP (port 80) traffic originating from a single client.
    filter="tcp port 80 and src host 192.168.88.3",
    prn=pack_callback,   # invoked once per captured packet
    iface="eth0",
    count=0,
)

效果截图


2222.png
