The Siemens proprietary communication protocol is S7COMM. The task asks for the IP address that scanned the Siemens proprietary protocol most often in the log. Inspecting the log file shows that every scan record targeting S7COMM contains the string "s7".
So we only need to count, for each line containing "s7", how many times each recorded IP appears; a little Python does the job.
import re

# Collect every IPv4 address that appears on a line mentioning S7COMM.
mydict, iplist = {}, []
with open('honeypot.log', 'r') as f:
    for line in f:
        if 's7' in line.lower():
            iplist += re.findall(r'[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}', line)

# Count occurrences per IP and rank them from most to least frequent.
for ip in iplist:
    mydict[ip] = mydict.get(ip, 0) + 1
res = sorted(mydict.items(), key=lambda item: item[1], reverse=True)
for num, data in enumerate(res, 1):
    print('{0}: {1}'.format(num, data))
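The same tally written as reusable functions, added here as an example and not part of the original writeup. The log lines, the honeypot address 10.0.0.5 and the other addresses are constructed for illustration and do not reproduce the real honeypot.log format; the example also excludes the honeypot's own address, which the one-off script above would count once per matching line because it collects every IP on the line.

```python
import re
from collections import Counter

# Constructed sample log in a honeypot-like format (not the real honeypot.log).
SAMPLE_LOG = """\
2020-01-01 10:00:01 s7comm  src=139.162.99.243 dst=10.0.0.5 port=102 msg=COTP connect
2020-01-01 10:00:02 S7COMM  src=139.162.99.243 dst=10.0.0.5 port=102 msg=setup communication
2020-01-01 10:00:03 modbus  src=203.0.113.7 dst=10.0.0.5 port=502 msg=read holding registers
2020-01-01 10:00:04 s7comm  src=198.51.100.9 dst=10.0.0.5 port=102 msg=COTP connect
2020-01-01 10:00:05 http    src=203.0.113.7 dst=10.0.0.5 port=80 msg=GET /
2020-01-01 10:00:06 s7comm  src=139.162.99.243 dst=10.0.0.5 port=102 msg=read SZL
"""

IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# Word boundary so "s7" / "S7COMM" match but a token such as "ts7" does not.
S7_MARKER = re.compile(r'\bs7', re.IGNORECASE)


def count_s7_scanners(log_text, honeypot_ips=frozenset()):
    """Tally IPs on lines mentioning S7, skipping the honeypot's own addresses.

    honeypot_ips is an assumed parameter: the set of local addresses that
    appear as the destination on every record and must not be counted.
    """
    tally = Counter()
    for line in log_text.splitlines():
        if not S7_MARKER.search(line):
            continue
        for ip in IPV4.findall(line):
            if ip not in honeypot_ips:
                tally[ip] += 1
    return tally


def top_scanner(log_text, honeypot_ips=frozenset()):
    """Return (ip, count) for the most active S7 scanner, or None if no S7 lines."""
    tally = count_s7_scanners(log_text, honeypot_ips)
    return tally.most_common(1)[0] if tally else None


if __name__ == '__main__':
    ranked = count_s7_scanners(SAMPLE_LOG, {'10.0.0.5'}).most_common()
    for rank, (ip, hits) in enumerate(ranked, 1):
        print('{0}: {1} ({2} hits)'.format(rank, ip, hits))
```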
This gives the IP with the most scans:
139.162.99.243
A reverse lookup of the IP to its domain name is all that remains: https://www.ipip.net/ip.html
This yields the flag:
flag{scan-42.security.ipip.net}