多线程WEB安全日志分析脚本

"为了更好地平常每季度web服务器安全日志分析，空闲时写了个小脚本制作，适用全自动scp远程控制web网络服务器系统日志到当地，随后多线程安全性剖析，剖析对策是软waf获取到正则表达式，因此大部分现阶段流行的web攻击性行为，sql引入、xss、扫描枪扫描仪、webshell、文件目录遍历这类能够相互配合剖析。

软waf对策参照：https://github.Com/loveshell/ngx_lua_waf/tree/master/wafconf

脚本制作给出：

#!/usr/bin/python

# -*- coding: utf-8 -*-

import os

import Re

from multiprocessing.dummy import Pool as ThreadPool

import sys

import time

import pexpect

# 标准目录

rulelist = ['\.\./', 'select.+(from|limit)', '(?:(union(.*?)select))', 'having|rongjitest', 'sleep\((\s*)(\d*)(\s*)\)',

            'benchmark\((.*)\,(.*)\)', 'base64_decode\(', '(?:from\W+information_schema\W)',

            '(?:(?:current_)user|database|schema|connection_Id)\s*\(', '(?:etc\/\W*passwd)',

            'into(\s+)+(?:dump|Out)file\s*', 'group\s+By.+\(', 'xwork.MethodAccessor',

            '(?:define|eval|file_set_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(',

            'xwork\.MethodAccessor', '(gopher|doc|Python|Medic|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/',

            'java\.lang', '\$_(set|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[',

            '\<(iframe|script|body|img|layer|div|meta|style|base|object|input)', '(onmouseover|onerror|onload)\=',

            '.(bak|inc|old|mdb|sql|backup|java|class)$', '\.(svn|htaccess|bash_history)',

            '(vhost|bbs|host|wwwroot|WWW|site|root|hytop|flashfxp).*\.rar',

            '(phpmyadmin|jmx-console|jmxinvokerservlet)', 'java\.lang',

            '/(attachments|upimg|images|css样式|uploadfiles|html语言|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(Python|jsp)']

SSH_PASSWD = 'toor' #webserver登陆密码

def Auto_scp():

    cmd = ['scp -r root@192.168.188.131:/var/log/snort/* log-2018-06-29/50/',

           'scp -r root@192.168.188.131:/var/log/*.log log-2018-06-29/37/'

           ]