最近在当监控小子,每天就是查查ip封封ip,虽然不累但是异常枯燥,而且每天的日报整理起来也非常麻烦,于是利用微步的api接口,编写了批量查询和统计的脚本,再也不怕日报整理麻烦了。
直接从waf生成当天的告警记录的表格,利用python的csv模块进行文件读取,将ip过滤去重之后进行api请求,最后直接统计告警类型和危害程度高的ip
具体代码如下(纯原创)。注意:脚本里的 apikey 属于敏感凭据,不要把真实 key 写死在文件里再提交到代码库或发到群里,建议改为从环境变量读取;同时 apikey 是以 URL 查询参数发送的,不要把完整请求 URL 打印到日志里。
import csv
import os
import time
from collections import Counter

import requests
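# Path of the WAF alert export (CSV) to read; edit before running.
path = '文件路径'
# ThreatBook v3 IP-reputation endpoint (HTTPS only: the key rides in the query string).
url = "https://api.threatbook.cn/v3/scene/ip_reputation"
# API key. Read it from the THREATBOOK_APIKEY environment variable so the
# credential never has to live in this file or in version control; the
# literal below is only the original placeholder fallback.
key = os.environ.get("THREATBOOK_APIKEY", "自己的apikey")
# Accumulates "type:ip:severity" strings for IPs rated 中/高/严重; filled by API().
context_list = []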
# Dict-list de-duplication: keep the first occurrence of each distinct dict.
def remove_duplicate_dicts(input_list):
    """Return the dicts of ``input_list`` with exact duplicates dropped.

    Two dicts are duplicates when they hold the same key/value pairs
    (key order is irrelevant). Each dict is fingerprinted by the sorted
    tuple of its items, so all values must be hashable. The first
    occurrence is kept, in original order, and the same dict objects are
    returned (no copies).
    """
    seen = set()
    kept = []
    for entry in input_list:
        fingerprint = tuple(sorted(entry.items()))
        if fingerprint in seen:
            continue
        seen.add(fingerprint)
        kept.append(entry)
    return kept
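# Read the source-IP and attack-type columns out of the WAF CSV export.
def ip_list(csv_path=None, encoding=None):
    """Load (attack type, source IP) pairs from the WAF alert CSV.

    Args:
        csv_path: file to read; defaults to the module-level ``path``.
        encoding: passed straight to ``open()``. ``None`` keeps the
            platform default, as the original did; set it explicitly
            (e.g. "gbk" or "utf-8-sig") if the header row is not skipped.

    Returns:
        A list of ``{"type": <attack type>, "ip": <source IP>}`` dicts, one
        per data row. Duplicates are kept on purpose so the per-type
        statistics still count every alert. Returns ``None`` (after printing
        the rows and a warning) when more than 50 rows were read, because of
        the ThreatBook look-up limit noted by the original author.

    Raises:
        OSError: if the file cannot be opened.
    """
    source = path if csv_path is None else csv_path
    alerts = []
    # newline='' is what the csv module documents; it keeps quoted fields
    # with embedded line breaks intact instead of splitting them.
    with open(source, 'r', newline='', encoding=encoding) as fh:
        for row in csv.reader(fh):
            # Column layout assumed here: row[2] = attack type, row[4] =
            # source IP. Adjust the indexes if the export differs.
            if len(row) < 5:
                # Blank or truncated line: nothing to extract, and indexing
                # it would raise IndexError.
                continue
            # Skip the header row.
            if row[2] == "安全类型" or row[4] == "源IP":
                continue
            alerts.append({"type": row[2].replace(" ", ""), "ip": row[4].replace(" ", "")})
    # Refuse oversized batches up front rather than burning the API quota
    # part-way through the list.
    if len(alerts) > 50:
        print(alerts)
        print("ip数量超过50")
        return None
    return alerts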
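# Attack-type statistics over the raw alert rows.
def Type_statistics(ip):
    """Print how many alerts each attack type produced.

    Args:
        ip: iterable of ``{"type": ..., "ip": ...}`` dicts as produced by
            ``ip_list()``. Every row is counted, duplicates included.

    Returns:
        The ``Counter`` of attack types, or ``None`` when the input could not
        be read (a row without "type", a non-dict row, or ``None`` passed in
        because ``ip_list()`` refused the file).
    """
    try:
        print("流量ip统计")
        counter = Counter(item["type"] for item in ip)
    except (TypeError, KeyError):
        # The only failures this code can produce: non-iterable / non-dict
        # input, or a row missing the "type" field. Anything else propagates
        # instead of being hidden by a bare except.
        print("Type_statistics模块异常")
        return None
    for element, count in counter.items():
        print(f"{element}出现了 {count} 次", end=",")
    return counter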
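# ThreatBook look-up for every distinct (type, ip) pair.
def API(Ip):
    """Query ThreatBook for each unique IP and collect the risky ones.

    Args:
        Ip: list of ``{"type": ..., "ip": ...}`` dicts. Duplicates are removed
            first so each pair costs one API call. ``None`` or an empty list
            is accepted and simply yields no look-ups.

    Returns:
        The module-level ``context_list``, extended with one
        ``"type:ip:severity"`` string per IP whose severity is 中, 高 or 严重.
        On a network or parsing failure whatever was gathered so far is still
        returned and the failure is printed, not swallowed.

    Note:
        The v3 endpoint takes ``apikey`` as a query-string parameter, so the
        credential travels in the URL. Do not print or log ``response.url``
        or the request parameters, and keep ``url`` on HTTPS.
    """
    if not Ip:
        return context_list
    try:
        for item in remove_duplicate_dicts(Ip):
            response = requests.get(url, params={
                "apikey": key,
                "resource": item["ip"],
                "lang": "zh",
            }, timeout=15)  # a stalled connection must not hang the report
            # Pace the calls between look-ups.
            time.sleep(0.5)
            body = response.json()
            # response_code == 0 is ThreatBook's success marker.
            if body["response_code"] != 0:
                # Quota exhausted, bad key, etc.: report and stop so the
                # remaining IPs are not charged against the quota.
                print(item["ip"])
                print(body)
                break
            severity_value = body["data"][item["ip"]]["severity"]
            if severity_value in ["中", "高", "严重"]:
                context = item["type"] + ":" + item["ip"] + ":" + severity_value
                print(context)
                context_list.append(context)
    except requests.RequestException as exc:
        print(f"API请求失败: {exc}")
    except (KeyError, ValueError, TypeError) as exc:
        # Unexpected response shape, or a row without "ip"/"type".
        print(f"API响应解析失败: {exc}")
    return context_list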
# Statistics over the flagged-IP entries ("type:ip:severity" strings).
def context_sum(data):
    """Print a per-attack-type count of the entries in ``data``.

    Each entry is a ``"type:ip:severity"`` string as produced by ``API()``;
    only the text before the first ':' (the attack type) is counted, so
    IPv6 addresses containing ':' do not disturb the split. The result is
    printed as a list of ``"<type> 类型出现了 <n> 次"`` strings, in order of
    first appearance.
    """
    by_type = Counter(entry.partition(':')[0] for entry in data)
    summary = [f"{kind} 类型出现了 {n} 次" for kind, n in by_type.items()]
    print("封禁ip统计")
    print(summary)
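if __name__ == '__main__':
    # Entry point: read the WAF export, look up each IP, print both reports.
    alerts = ip_list()
    # ip_list() returns None when the export exceeds the look-up limit (it
    # has already printed why); stop here instead of crashing later inside
    # API() / context_sum() with a TypeError.
    if alerts is None:
        raise SystemExit(1)
    flagged = API(alerts)
    context_sum(flagged)
    Type_statistics(alerts)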