Difference between revisions of "Perl"
| Line 6: | Line 6: | ||
==LESSON== | ==LESSON== | ||
| + | |||
Perl Regex - Hatter | Perl Regex - Hatter | ||
1.0 - Introduction | 1.0 - Introduction | ||
The shebang declares the location of the code's interpreter. I.e. if you're writing bash, you'll need to put: | The shebang declares the location of the code's interpreter. I.e. if you're writing bash, you'll need to put: | ||
| − | #!/bin/bash | + | |
| + | <syntaxhighlight lang="bash">#!/bin/bash</syntaxhighlight> | ||
| + | |||
at the top of your file. In perl, it's typically: | at the top of your file. In perl, it's typically: | ||
| − | #!/usr/bin/perl | + | |
| + | <syntaxhighlight lang="bash">#!/usr/bin/perl</syntaxhighlight> | ||
| + | |||
This should be the first line in any perl you write. You can also use: | This should be the first line in any perl you write. You can also use: | ||
| − | #!env perl | + | |
| + | <syntaxhighlight lang="bash">#!env perl</syntaxhighlight> | ||
| + | |||
If you are unsure of the path and you have it in your environment variables. With perl in particular, its real easy to get it ugly as hell. | If you are unsure of the path and you have it in your environment variables. With perl in particular, its real easy to get it ugly as hell. | ||
To counter this, your next two lines will be: | To counter this, your next two lines will be: | ||
| + | |||
| + | <syntaxhighlight lang="perl"> | ||
use strict; | use strict; | ||
use warnings; | use warnings; | ||
| + | </syntaxhighlight> | ||
| + | |||
Strict perl forces you to maintain some semblence of syntax. Without the strict usage, you can basically run amok with code, perl does not care. | Strict perl forces you to maintain some semblence of syntax. Without the strict usage, you can basically run amok with code, perl does not care. | ||
Our script so far should look like: | Our script so far should look like: | ||
| + | |||
| + | <syntaxhighlight lang="perl"> | ||
#!/usr/bin/perl | #!/usr/bin/perl | ||
use strict; | use strict; | ||
use warnings; | use warnings; | ||
| + | </syntaxhighlight> | ||
Now, thanks to mepholic, I've removed sensitive data from this log and made it available for everyone: | Now, thanks to mepholic, I've removed sensitive data from this log and made it available for everyone: | ||
| − | http://blackhatacademy.org/sample_asterisk.log | + | |
| + | http://blackhatacademy.org/sample_asterisk.log | ||
| + | |||
You will need to save this file. | You will need to save this file. | ||
WINDOWS USERS: | WINDOWS USERS: | ||
| − | You can do everything we're going over by installing CYGWIN with PERL. CYGWIN is available at http://www.cygwin.com/install.html | + | |
| + | You can do everything we're going over by installing CYGWIN with PERL. CYGWIN is available at | ||
| + | |||
| + | http://www.cygwin.com/install.html | ||
TODAY we'll be writing a regex to read asterisk logs to determine ip's with authentication failures. | TODAY we'll be writing a regex to read asterisk logs to determine ip's with authentication failures. | ||
Our perl script is going to do the following : | Our perl script is going to do the following : | ||
| + | |||
1) Analyze an asterisk log | 1) Analyze an asterisk log | ||
2) Determine IP's with auth failures | 2) Determine IP's with auth failures | ||
| Line 51: | Line 71: | ||
You can declare a variable by saying: | You can declare a variable by saying: | ||
| + | |||
| + | <syntaxhighlight lang="perl"> | ||
my [$%@]varname; | my [$%@]varname; | ||
| + | </syntaxhighlight> | ||
| + | |||
So if its a scalar: | So if its a scalar: | ||
| + | |||
| + | <syntaxhighlight lang="perl"> | ||
my $scalar; | my $scalar; | ||
| + | </syntaxhighlight> | ||
So : | So : | ||
| + | |||
| + | <syntaxhighlight lang="perl"> | ||
my $scalar = 0; | my $scalar = 0; | ||
my $scalar = "foo"; | my $scalar = "foo"; | ||
| + | </syntaxhighlight> | ||
| + | |||
Either is acceptable or just: | Either is acceptable or just: | ||
| + | |||
| + | <syntaxhighlight lang="perl"> | ||
my $scalar; | my $scalar; | ||
| + | </syntaxhighlight> | ||
Now, for our example, we'll want to analyze each line. So let's look at these failed lines: | Now, for our example, we'll want to analyze each line. So let's look at these failed lines: | ||
| − | [Aug 27 07:34:43] NOTICE[2762] chan_sip.c: Registration from '"1561"<sip:[email protected]>' failed for '113.105.152.180:40586' - No matching peer found | + | |
| + | [Aug 27 07:34:43] NOTICE[2762] chan_sip.c: Registration from '"1561"<sip:[email protected]>' failed for '113.105.152.180:40586' - No matching peer found | ||
| + | |||
In this particular instance, we know the ip comes right before the last : in the string. | In this particular instance, we know the ip comes right before the last : in the string. | ||
So to match the ip itself and not the whole line, We'd do something like this: | So to match the ip itself and not the whole line, We'd do something like this: | ||
| − | /\x27([\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}):[^:]+$/ | + | |
| + | /\x27([\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}):[^:]+$/ | ||
| + | |||
Where \x27 is a single quote. Obviously, this won't work for failed auths because it will match shit that isn't a failed auth. It'll also match successes or any line with an ip like that. | Where \x27 is a single quote. Obviously, this won't work for failed auths because it will match shit that isn't a failed auth. It'll also match successes or any line with an ip like that. | ||
Here comes an in-depth explanation of that line: | Here comes an in-depth explanation of that line: | ||
| + | |||
Single quote, any digit between one and 3 characters in length, a dot, so on and so forth (match an IP), until the last : in the string, and it has to be right before the last : in the string. | Single quote, any digit between one and 3 characters in length, a dot, so on and so forth (match an IP), until the last : in the string, and it has to be right before the last : in the string. | ||
The [^:]+ at the end makes it so if a : occurs after that, it will no longer match as [^:]+ matches everything until the end of the string. | The [^:]+ at the end makes it so if a : occurs after that, it will no longer match as [^:]+ matches everything until the end of the string. | ||
Now we've got to make it match failures too, the only real important data we care about is the ip, the count of failed auths and whether or not they're already in iptables for block because if they are we don't want to add another rule. | Now we've got to make it match failures too, the only real important data we care about is the ip, the count of failed auths and whether or not they're already in iptables for block because if they are we don't want to add another rule. | ||
| + | |||
It means we've already blocked'em and these were previously analyzed logs | It means we've already blocked'em and these were previously analyzed logs | ||
| Line 78: | Line 118: | ||
You can directly modify the key inside of a hash by doing: | You can directly modify the key inside of a hash by doing: | ||
| + | |||
| + | <syntaxhighlight lang="perl"> | ||
$hash{'key'} = 'value'; | $hash{'key'} = 'value'; | ||
| + | </syntaxhighlight> | ||
Also, you can create an key=>value pair by doing: | Also, you can create an key=>value pair by doing: | ||
| + | |||
| + | <syntaxhighlight lang="perl"> | ||
my %hash = ( 'key' => 'value', 'key2' => 'value2' ); | my %hash = ( 'key' => 'value', 'key2' => 'value2' ); | ||
| + | </syntaxhighlight> | ||
You can copy the hash tree to another hash by doing: | You can copy the hash tree to another hash by doing: | ||
| + | |||
| + | <syntaxhighlight lang="perl"> | ||
my %hash2 = %hash; | my %hash2 = %hash; | ||
| + | </syntaxhighlight> | ||
| − | If you want to print out a tree of the hashes, you can use while(my($key,$value) = each(%hash)) { print "Key: $key, Value: $value\n"; }; | + | If you want to print out a tree of the hashes, you can use: |
| + | |||
| + | <syntaxhighlight lang="perl"> | ||
| + | while(my($key,$value) = each(%hash)) { print "Key: $key, Value: $value\n"; }; | ||
| + | </syntaxhighlight> | ||
Resulting Log: | Resulting Log: | ||
| − | phobos public_html # perl test.pl | + | |
| − | 113.105.152.180:10001 | + | phobos public_html # perl test.pl |
| − | 220.134.238.64:2194 | + | 113.105.152.180:10001 |
| − | 67.205.85.58:7789 | + | 220.134.238.64:2194 |
| − | 80.254.76.242:4 | + | 67.205.85.58:7789 |
| + | 80.254.76.242:4 | ||
So, http://blackhatacademy.org/test.pl.txt, will spit out your ip's and number of failures. This data is then used to blackhole IP's (preventing them from affecting the server) | So, http://blackhatacademy.org/test.pl.txt, will spit out your ip's and number of failures. This data is then used to blackhole IP's (preventing them from affecting the server) | ||
That'll add a blackholed IP route if | That'll add a blackholed IP route if | ||
| + | |||
1) They are over $threshhold failures (25) | 1) They are over $threshhold failures (25) | ||
2) They are not already blackholed | 2) They are not already blackholed | ||
Revision as of 02:43, 7 September 2011
Practical Extraction and Report Language
Perl is the oldest interpreted language. More to come.
LESSON
Perl Regex - Hatter
1.0 - Introduction The shebang declares the location of the code's interpreter. I.e. if you're writing bash, you'll need to put:
<syntaxhighlight lang="bash">#!/bin/bash</syntaxhighlight>
at the top of your file. In perl, it's typically:
<syntaxhighlight lang="bash">#!/usr/bin/perl</syntaxhighlight>
This should be the first line in any perl you write. You can also use:
<syntaxhighlight lang="bash">#!env perl</syntaxhighlight>
If you are unsure of the path and you have it in your environment variables. With perl in particular, its real easy to get it ugly as hell.
To counter this, your next two lines will be:
<syntaxhighlight lang="perl"> use strict; use warnings; </syntaxhighlight>
Strict perl forces you to maintain some semblence of syntax. Without the strict usage, you can basically run amok with code, perl does not care.
Our script so far should look like:
<syntaxhighlight lang="perl">
- !/usr/bin/perl
use strict; use warnings; </syntaxhighlight>
Now, thanks to mepholic, I've removed sensitive data from this log and made it available for everyone:
http://blackhatacademy.org/sample_asterisk.log
You will need to save this file.
WINDOWS USERS:
You can do everything we're going over by installing CYGWIN with PERL. CYGWIN is available at
http://www.cygwin.com/install.html
TODAY we'll be writing a regex to read asterisk logs to determine ip's with authentication failures.
Our perl script is going to do the following :
1) Analyze an asterisk log 2) Determine IP's with auth failures 3) Determine number of auth failures per IP 4) Block IP's going over a configurable threshhold
To participate in this lesson, please download and install perl and a text editor of your choice.
You've got a few different data types in perl and its different than other languages. You have scalars (ints or strings) prefixed with $ You have arrays/lists prefixed with @ You have hashes (similar to a struct/associative array) prefixed with % You have references prefixed with a \
You can declare a variable by saying:
<syntaxhighlight lang="perl"> my [$%@]varname; </syntaxhighlight>
So if its a scalar:
<syntaxhighlight lang="perl"> my $scalar; </syntaxhighlight>
So :
<syntaxhighlight lang="perl"> my $scalar = 0; my $scalar = "foo"; </syntaxhighlight>
Either is acceptable or just:
<syntaxhighlight lang="perl"> my $scalar; </syntaxhighlight>
Now, for our example, we'll want to analyze each line. So let's look at these failed lines:
[Aug 27 07:34:43] NOTICE[2762] chan_sip.c: Registration from '"1561"<sip:[email protected]>' failed for '113.105.152.180:40586' - No matching peer found
In this particular instance, we know the ip comes right before the last : in the string. So to match the ip itself and not the whole line, We'd do something like this:
/\x27([\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}):[^:]+$/
Where \x27 is a single quote. Obviously, this won't work for failed auths because it will match shit that isn't a failed auth. It'll also match successes or any line with an ip like that.
Here comes an in-depth explanation of that line:
Single quote, any digit between one and 3 characters in length, a dot, so on and so forth (match an IP), until the last : in the string, and it has to be right before the last : in the string. The [^:]+ at the end makes it so if a : occurs after that, it will no longer match as [^:]+ matches everything until the end of the string.
Now we've got to make it match failures too, the only real important data we care about is the ip, the count of failed auths and whether or not they're already in iptables for block because if they are we don't want to add another rule.
It means we've already blocked'em and these were previously analyzed logs
We'll use a hash to hold our ip's with failed auth and the value of each $hash{$ip} will contain the count of the failures. %hash is how it is declared and referred to but when you refer to a key of the hash, you want to put $ since its a scalar value you're accessing inside the hash.
You can directly modify the key inside of a hash by doing:
<syntaxhighlight lang="perl"> $hash{'key'} = 'value'; </syntaxhighlight>
Also, you can create an key=>value pair by doing:
<syntaxhighlight lang="perl"> my %hash = ( 'key' => 'value', 'key2' => 'value2' ); </syntaxhighlight>
You can copy the hash tree to another hash by doing:
<syntaxhighlight lang="perl"> my %hash2 = %hash; </syntaxhighlight>
If you want to print out a tree of the hashes, you can use:
<syntaxhighlight lang="perl"> while(my($key,$value) = each(%hash)) { print "Key: $key, Value: $value\n"; }; </syntaxhighlight>
Resulting Log:
phobos public_html # perl test.pl 113.105.152.180:10001 220.134.238.64:2194 67.205.85.58:7789 80.254.76.242:4
So, http://blackhatacademy.org/test.pl.txt, will spit out your ip's and number of failures. This data is then used to blackhole IP's (preventing them from affecting the server)
That'll add a blackholed IP route if
1) They are over $threshhold failures (25) 2) They are not already blackholed
