最近写了一个AWD的流量日志监控脚本,在比赛开始的时候开启监控,如果有命令执行漏洞之类的,就可以跟在大佬屁股后面喝汤了。emmm……

脚本简陋,大佬勿喷。

0x00 脚本功能

  • 实时监控流量日志
  • 过滤无用日志
  • 将匹配到关键词的日志打印在屏幕上

0x01 脚本使用

$ python3 LogMonitor.py
Please set the log path of HTTPserver
Please input the path:         #这里输入日志文件路径,如:/var/log/apache2/access.log

0x02 脚本代码

#coding=utf-8
##Author: 7i4n2h3n9 & EDS
##Team: Polar Day Cyberspace Security LAB

import os
import sys
import re
import pyinotify

# Set Log Path
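def setHttpserver():
    """Prompt for the HTTP server access-log path and return it.

    Returns:
        The path typed by the user, when it names an existing regular file.

    Raises:
        SystemExit: with status 1 when the path does not exist. The original
            wrote ``sys.exit`` without calling it, so the function silently
            fell through and returned None to the caller.
    """
    print('Please set the log path of HTTPserver')
    logDir = input('Please input the path:')
    if os.path.isfile(logDir):
        return logDir
    print('File does not exist!')
    print('Exit the program......')
    sys.exit(1)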

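class EventHandler(pyinotify.ProcessEvent):
    """Tail an access log on IN_MODIFY and print the lines that look suspicious.

    Only the bytes appended since the previous event are read; ``_last_position``
    remembers where the last read stopped. When the file has shrunk (rotation or
    truncation) the offset is reset to 0 so the new file is read from its start.
    """

    def __init__(self, file_path, *args, **kwargs):
        super(EventHandler, self).__init__(*args, **kwargs)
        self.file_path = file_path
        self._last_position = 0  # byte offset of the first unread byte
        # Dotted-quad IPv4 address; a line without one is treated as noise and skipped.
        logpats = r'((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}'
        self._logpat = re.compile(logpats)

    def process_IN_MODIFY(self, event):
        """Read the new tail of the file and print every matching line.

        Args:
            event: the pyinotify event. Only its arrival matters; the file is
                always ``self.file_path``.
        """
        if self._last_position > os.path.getsize(self.file_path):
            self._last_position = 0
        # Binary mode: the offset is a real byte count (comparable with getsize)
        # and a malformed byte sequence in a request line cannot raise
        # UnicodeDecodeError and kill the monitor. The file is closed before
        # the (slower) matching so the handle is not held across printing.
        with open(self.file_path, 'rb') as f:
            f.seek(self._last_position)
            raw_lines = f.readlines()
            self._last_position = f.tell()
        for raw in raw_lines:
            line = raw.decode('utf-8', errors='replace').strip()
            # Lines without an IPv4 address are skipped; the original called
            # ``.string`` on the None returned here and crashed on the first such line.
            if self._logpat.search(line) is None:
                continue
            if check_Log(line):
                print(self._printable(line))

    @staticmethod
    def _printable(line):
        """Replace non-printable characters so a request line cannot inject terminal escape sequences."""
        return ''.join(ch if ch.isprintable() else '?' for ch in line)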

def check_Log(strLog):
    """Return True if *strLog* contains any watched keyword, case-insensitively.

    The keywords (SQL verbs, PHP execution/file functions, shell commands and
    ``flag``) are matched as bare substrings with no word boundaries, so a True
    result means "worth a look" rather than a confirmed attack: ``and`` also
    hits ``android`` and ``bin`` hits ``/cgi-bin/``.
    """
    hit = re.search(
        'union|eval|alert|update|insert|into|from|create|delete|drop|truncate|rename|desc|charset|ascii|bin|char|uncompress|concat|concat_ws|conv|export_set|hex|instr|left|load_file|locate|sub|substring|oct|reverse|right|unhex|prompt|fwrite|curl|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore|whoami|bash|phpinfo|msgbox|select|ord|mid|group|and|flag',
        strLog,
        re.I,
    )
    return hit is not None

def LogMonitor(path):
    """Watch *path* for IN_MODIFY events and feed each one to EventHandler.

    Blocks until Ctrl-C, then stops the notifier and returns.

    Args:
        path: the access-log file to follow.
    """
    watch_manager = pyinotify.WatchManager()
    handler = EventHandler(path)
    notifier = pyinotify.Notifier(watch_manager, handler)
    watch_manager.add_watch(handler.file_path, pyinotify.IN_MODIFY)

    print(f'Now Starting Monitor {path}')
    try:
        while True:
            notifier.loop()
    except KeyboardInterrupt:
        # Ctrl-C is the only way out; release the inotify watch before returning.
        notifier.stop()

if __name__ == '__main__':
    # Ask for the access-log path first, then block in the watcher until Ctrl-C.
    logDir = setHttpserver()
    LogMonitor(path=logDir)