2012-02-27 95 views
-2

I am trying to write a script that monitors the firewall log on OpenBSD using tcpdump. My goal is to generate an alert if one source IP address is the same on every line of the tcpdump output [repeated lines], e.g. a DDoS Perl script:

rule 30/0(match): block in on pppoe0: SRCIP:(88.198.46.51) -> DESTIP:(109.226.27.19): ICMP echo request, id 1070, seq 1, length 64 
rule 30/0(match): block in on pppoe0: SRCIP:(88.198.46.51) -> DESTIP:(109.226.27.19): ICMP echo request, id 1070, seq 2, length 64 
rule 30/0(match): block in on pppoe0: SRCIP:(88.198.46.51) -> DESTIP:(109.226.27.19): ICMP echo request, id 1070, seq 3, length 64 
rule 30/0(match): block in on pppoe0: SRCIP:(88.198.46.51) -> DESTIP:(109.226.27.19): ICMP echo request, id 1070, seq 4, length 64 
rule 30/0(match): block in on pppoe0: SRCIP:(88.198.46.51) -> DESTIP:(109.226.27.19): ICMP echo request, id 1070, seq 5, length 64 
rule 30/0(match): block in on pppoe0: SRCIP:(88.198.46.51) -> DESTIP:(109.226.27.19): ICMP echo request, id 1070, seq 6, length 64 
rule 30/0(match): block in on pppoe0: SRCIP:(88.198.46.51) -> DESTIP:(109.226.27.19): ICMP echo request, id 1070, seq 7, length 64 
rule 30/0(match): block in on pppoe0: SRCIP:(88.198.46.51) -> DESTIP:(109.226.27.19): ICMP echo request, id 1070, seq 8, length 64 

IP 88.198.46.51 is attempting a DoS attack. My code so far:

open(SNIFF, "/usr/sbin/tcpdump -s 1024 -enlti pflog0 |"); 
while(<SNIFF>){ 
     $|++; 
     # expects "IP.PORT > IP.PORT"; the dots in the first address are not escaped 
     $_ =~ /(\d+.\d+.\d+.\d+)(.)(\d{2,5}) (>) (\d+\.\d+\.\d+\.\d+)(.)(\d{2,5})/; 
     my ($sip, $port) = ($1, $7); 
     my $bad_ip = $sip; 
     # $p_ip, $count and $print are used but never assigned anywhere in this script 
     if($bad_ip eq $p_ip){ 
      $count++; 
      if($count >= 8 && $print){ 
       print "Attack Detected: $sip\n"; 
          system("echo $sip"); 
          #system("/sbin/pfctl -f /etc/pf.conf"); 
          $print = 0; 
      } 
     } 
} 
close(SNIFF); 
+1

What is your question? – geoffspear 2012-02-27 12:12:59

+0

My code doesn't work! Can you give me some guidance? Thanks! – Raid5 2012-02-27 12:28:05

+0

Where do you set $p_ip? – John 2012-02-27 12:55:35

Answer

2

In your sample input I don't see a single line that matches the first part of your regex:

/(\d+\.\d+\.\d+\.\d+)(\.)(\d{2,5})/ 

(Note that if you are looking for a dotted quad, I expect you really want \d+\. and not just \d+.)

You can match your input with (\d+\.\d+\.\d+\.\d+), but the rest will not match. That is your problem.
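The diagnosis above carried into working code, as an added example that is not part of the original question or answer: a Perl script whose regex escapes the dots, treats the port as optional (ICMP lines carry none), accepts both the labelled `SRCIP:(...) -> DESTIP:(...)` form shown in the question and plain tcpdump pflog output, and replaces the single `$p_ip` comparison with a per-source count inside a sliding time window, alerting once per source. The threshold of 8 packets, the 10-second window, the pf table name `badhosts`, the `--live` switch, and the extra TCP and IPv6 sample lines are assumptions; the sample input is constructed, with the eight ICMP lines taken from the question.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not the asker's script: read pflog lines from tcpdump,
# count packets per source address inside a sliding time window and alert
# once per source when the count reaches a threshold. The window length,
# the threshold and the pf table name "badhosts" are assumptions.
my $THRESHOLD = 8;    # packets from one source ...
my $WINDOW    = 10;   # ... within this many seconds

# A dotted quad with the dots escaped: an unescaped "." matches any byte.
my $IP = qr/\d{1,3}(?:\.\d{1,3}){3}/;

# Matches the labelled form shown in the question,
#   SRCIP:(88.198.46.51) -> DESTIP:(109.226.27.19):
# and plain tcpdump output, with or without a ".port" suffix:
#   88.198.46.51.54321 > 109.226.27.19.80:
#   88.198.46.51 > 109.226.27.19: ICMP echo request
# The port groups are optional, so ICMP lines (no port) still match.
my $LINE = qr/($IP)(?:\.(\d{1,5}))?\)?\s+-?>\s+(?:DESTIP:\()?($IP)(?:\.(\d{1,5}))?/;

# Returns (src, sport, dst, dport), ports undef when absent,
# or an empty list for a line that carries no IPv4 address pair.
sub parse_line {
    my ($line) = @_;
    return () unless $line =~ $LINE;
    return ($1, $2, $3, $4);
}

my %state;     # source IP -> arrival times still inside the window
my %alerted;   # source IP -> 1 once its alert has fired

# Records one packet from $src seen at time $now. Returns 1 when this packet
# is the first to push $src over the threshold, 0 otherwise.
sub observe {
    my ($src, $now) = @_;
    my $times = $state{$src} ||= [];
    push @$times, $now;
    @$times = grep { $_ > $now - $WINDOW } @$times;    # forget old arrivals
    return 0 if $alerted{$src} || @$times < $THRESHOLD;
    $alerted{$src} = 1;
    return 1;
}

# Feeds lines through parse_line/observe. $clock is a code ref so the live
# run can use time() and an offline run can use a fake clock. Returns the
# source addresses that crossed the threshold while reading these lines.
sub scan_lines {
    my ($clock, @lines) = @_;
    my @alerts;
    for my $line (@lines) {
        my ($src) = parse_line($line) or next;
        push @alerts, $src if observe($src, $clock->());
    }
    return @alerts;
}

# Adds $src to a pf table. $src was captured by $IP, so it is a dotted quad;
# the list form of system() is used anyway so log content never reaches a shell.
# Assumes pf.conf contains:
#   table <badhosts> persist
#   block in quick from <badhosts>
sub block_source {
    my ($src) = @_;
    system('/sbin/pfctl', '-t', 'badhosts', '-T', 'add', $src) == 0
        or warn "pfctl failed for $src: $?\n";
}

unless (caller) {
    if (@ARGV && $ARGV[0] eq '--live') {
        # Same tcpdump invocation as the question; reading pflog0 needs root.
        open(my $sniff, '-|', '/usr/sbin/tcpdump', '-s', '1024', '-enlti', 'pflog0')
            or die "cannot run tcpdump: $!";
        $| = 1;
        while (my $line = <$sniff>) {
            for my $src (scan_lines(sub { time() }, $line)) {
                print "Attack Detected: $src\n";
                block_source($src);
            }
        }
        close($sniff);
    } else {
        # Constructed sample input: the eight ICMP lines from the question,
        # two plain-format TCP lines from another host that stays under the
        # threshold, and an IPv6 line the parser skips.
        my $icmp = "rule 30/0(match): block in on pppoe0: SRCIP:(88.198.46.51) -> "
                 . "DESTIP:(109.226.27.19): ICMP echo request, id 1070, seq %d, length 64";
        my @sample = map { sprintf($icmp, $_) } 1 .. 8;
        splice @sample, 4, 0,
            "rule 30/0(match): block in on pppoe0: 10.0.0.7.40000 > 109.226.27.19.22: Flags [S], length 0",
            "rule 30/0(match): block in on pppoe0: 10.0.0.7.40001 > 109.226.27.19.22: Flags [S], length 0";
        push @sample, "rule 30/0(match): block in on pppoe0: 2001:db8::1 > 2001:db8::2: ICMP6, echo request";
        my $t = 0;
        my @alerts = scan_lines(sub { $t++ }, @sample);
        print "Attack Detected: $_\n" for @alerts;    # 88.198.46.51 only
    }
}

1;
```

Run without arguments to exercise the parser and the window logic on the embedded sample; run with `--live` as root on the OpenBSD firewall to read `pflog0` and add offenders to the `badhosts` table. Two caveats before deploying it: the count covers only packets pf already logged on a block rule, so a source that is spoofing its address will fill the table with addresses that never sent anything, and eight packets in ten seconds is well within what a legitimate monitoring host or a retrying client produces, so the threshold and window need tuning against real traffic.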