![[纵横网络靶场社区]工控蜜罐日志分析_工控CTF](https://s2.51cto.com/images/blog/202306/19154457_64900779bc61762438.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
![[纵横网络靶场社区]工控蜜罐日志分析_IP_02](https://s2.51cto.com/images/blog/202306/19154457_64900779de65621090.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
西门子私有通信协议是S7COMM,题目要求分析出日志中针对西门子私有通信协议扫描最多的IP,分析日志文件发现针对S7COMM的扫描日志记录都带有s7字样。
![[纵横网络靶场社区]工控蜜罐日志分析_S7COMM日志分析_03](https://s2.51cto.com/images/blog/202306/19154458_6490077a1d32c93322.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
所以只需要统计下带有s7字样的每一行中每个记录IP的次数,Pyhotn简单处理下即可
from re import *
with open('honeypot.log', 'r') as f:
mydict, iplist = {}, []
lines = f.readlines()
for line in lines:
if 's7' in line.lower():
iplist += findall(r'[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}', line)
else:
pass
for ip in iplist:
mydict[ip] = mydict.get(ip, 0) + 1
res = sorted(mydict.items(), key=lambda item: item[1], reverse=True)
num = 0
for data in res:
num += 1
print('{0}: {1}'.format(num, data))![[纵横网络靶场社区]工控蜜罐日志分析_S7COMM日志分析_04](https://s2.51cto.com/images/blog/202306/19154458_6490077a5fd0e26401.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
得到扫描次数最多的IP
139.162.99.243IP反查一下域名即可:https://www.ipip.net/ip.html
![[纵横网络靶场社区]工控蜜罐日志分析_工控CTF_05](https://s2.51cto.com/images/blog/202306/19154458_6490077a7b19630896.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
得到flag
flag{scan-42.security.ipip.net}
