read_snort_alert.py
import subprocess
import re
import requests
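def abuseipdb(ip: str, days: int, *, threshold: int = 50):
    """Query AbuseIPDB for *ip* and print whether it looks malicious.

    Args:
        ip: the address to check (sent as ``ipAddress``).
        days: only reports within this many days count (sent as ``maxAgeInDays``).
        threshold: ``abuseConfidenceScore`` above which the address is
            reported as malicious. Defaults to 50, the value the original
            hard-coded.

    Returns:
        True when the score exceeds *threshold*, False when it does not, and
        None when the reply could not be interpreted.

    Raises:
        requests.RequestException: on a network error, a timeout, or a
            non-2xx HTTP status (the API signals bad key / rate limit this way).

    NOTE(review): ``api_key`` is read from module scope and is not defined in
    this block — confirm it is set, preferably loaded from the environment
    rather than a literal committed to the repository.
    """
    headers = {
        'Key': api_key,
        'Accept': 'application/json',
    }
    params = {
        'maxAgeInDays': days,
        'ipAddress': ip,
        'verbose': '',
    }
    # A timeout is essential here: this runs from a log-tailing loop, and a
    # request that never returns would stall alert processing indefinitely.
    r = requests.get(
        'https://api.abuseipdb.com/api/v2/check',
        headers=headers,
        params=params,
        timeout=10,
    )
    r.raise_for_status()
    try:
        response = r.json()
    except ValueError:
        print(f'ip: {ip}: reply was not JSON')
        return None
    print(response)
    # Guard the nested lookup: an error envelope has no 'data' member, and the
    # original KeyError would have killed the whole tailing loop.
    score = None
    if isinstance(response, dict):
        data = response.get('data')
        if isinstance(data, dict):
            score = data.get('abuseConfidenceScore')
    if score is None:
        print(f'ip: {ip}: no abuseConfidenceScore in reply')
        return None
    if score > threshold:
        print(f'ip: {ip} is malicious')
        return True
    print(f'ip: {ip} is clean')
    return False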
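# Tail the snort alert file and look up the addresses of matching alerts.
#
# Snort writes each alert as a block: a "[**] ... [**]" title line, detail
# lines, then a blank separator line. Once a title containing 'ICMP test' is
# seen, the following lines are scanned for the first one carrying IPv4
# addresses; the second address on that line is checked against AbuseIPDB
# and the script then stops (the original one-shot behaviour is kept).

# Dotted-quad IPv4 only; each octet is limited to 0-255. Compiled once since
# it runs on every line of an alert.
IPV4_RE = re.compile(
    r'((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}'
    r'(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))'
)
# Give up on an alert whose details do not yield an address within this many
# lines after its title (same bound as the original).
MAX_FOLLOW_LINES = 10

f = subprocess.Popen(
    ['tail', '-f', '/var/log/snort/alert'],
    stdout=subprocess.PIPE,
    # stderr is never read; leaving it as a PIPE could block tail once the
    # pipe buffer fills, so discard it instead.
    stderr=subprocess.DEVNULL,
)
# 0 = not inside an interesting alert; otherwise the number of lines seen
# since its title (starts at 1 on the title line itself).
follow = 0
try:
    while True:
        raw = f.stdout.readline()
        if not raw:
            # Empty read means EOF: tail has exited (file removed, killed,
            # ...). The original looped forever here.
            print('tail exited; no more alerts will be read')
            break
        # Alert text is expected to be ASCII; replace rather than crash on a
        # stray byte so one odd log line cannot stop the monitor.
        line = raw.decode(errors='replace')
        if line == '\n':
            follow = 0
        if line.startswith('[**]') and line.endswith('[**]\n'):
            title = line
            print(f'found title: {title.strip()}')
            if 'ICMP test' in title:
                follow = 1
        if follow:
            found_ip = IPV4_RE.findall(line)
            follow += 1
            if found_ip:
                print(f'found_ip: {found_ip}\n')
                follow = 0
                # The original indexed [1] unconditionally; a line with a
                # single address raised IndexError. [1] is presumably the
                # destination in snort's "src -> dst" line — confirm.
                if len(found_ip) >= 2:
                    abuseipdb(found_ip[1], 30)
                else:
                    print(f'expected two addresses on the line, got {found_ip}')
                break
            if follow > MAX_FOLLOW_LINES:
                print('fatal error!')
                break
finally:
    # Always stop the tail process; the original left it running on exit.
    f.terminate()
    f.wait()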