code_update_option

grayddq · May 11, 2019 · bc33bd8 · bc33bd8
1 parent a39bfc2
commit bc33bd8
Show file tree

Hide file tree

Showing 13 changed files with 137 additions and 87 deletions.
diff --git a/lib/core/common.py b/lib/core/common.py
@@ -145,7 +145,7 @@ def get_process_start_time(pid):
 # 7、风险等级 level 存在风险-可疑
 # 7、建议手工确认步骤 consult
 # 返回：检测项恶意信息数组
-def malice_result(checkname, vulname, file, pid, info, consult, level, mtime='', user=''):
+def malice_result(checkname, vulname, file, pid, info, consult, level, mtime='', user='', programme=''):
     mtime_temp, user_temp = '', ''
     if file:
         mtime_temp, user_temp = get_file_attribute(file)
@@ -154,7 +154,7 @@ def malice_result(checkname, vulname, file, pid, info, consult, level, mtime='',
     if not mtime: mtime = mtime_temp
     if not user: user = user_temp
     malice_info = {u'检测项': checkname, u'风险名称': vulname, u'异常文件': file, u'进程PID': pid, u'异常时间': mtime, u'所属用户': user,
-                   u'异常信息': ' '.join(info.split()), u'手工排查确认': consult, u'风险级别': level}
+                   u'异常信息': ' '.join(info.split()), u'手工排查确认': consult, u'风险级别': level, u'处理方案': programme}
     result_info = get_value('RESULT_INFO')
     result_info.append(malice_info)
     set_value('RESULT_INFO', result_info)

diff --git a/lib/core/data_aggregation.py b/lib/core/data_aggregation.py
@@ -26,59 +26,80 @@ def cmp_datetime(self, a, b):
             return 1
 
     def agregation(self):
+        suggestion = get_value('suggestion')
+        programme = get_value('programme')
+
         say_info, i = u'-' * 30 + u'\n', 1
-        say_info += u'根据系统分析的情况，溯源后的行动轨迹为：\n'
+        say_info += u'根据系统分析的情况，溯源后的攻击行动轨迹为：\n'
+
+        programme_info = u'\n初步处理方案如下：\n'
+
         self.result_infos.sort(cmp=self.cmp_datetime, key=operator.itemgetter(u'异常时间'))
         for result_info in self.result_infos:
             if result_info[u'检测项'] == u'常规后门检测':
-                say_info += u"[%d][%s] 黑客在%s时间，进行了%s植入,%s \n            排查参考：%s\n" % (
-                    i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
-                    result_info[u'风险名称'],
-                    result_info[u'异常信息'], result_info[u'手工排查确认'])
+                say_info += u"[%d][%s] 黑客在%s时间，进行了%s植入,%s\n" % (
+                i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'风险名称'],
+                result_info[u'异常信息'])
+                if suggestion: say_info = say_info + u"           排查参考：%s\n" % result_info[u'手工排查确认']
+                if programme and result_info[u'处理方案']: programme_info += u"[%d] %s" % (i, result_info[u'处理方案'])
             if result_info[u'检测项'] == u'配置类安全检测':
-                say_info += u"[%d][%s] 黑客在%s时间，进行了%s变更，%s\n            排查参考：%s\n" % (
-                    i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
-                    result_info[u'风险名称'],
-                    result_info[u'异常信息'], result_info[u'手工排查确认'])
+                say_info += u"[%d][%s] 黑客在%s时间，进行了%s变更，%s\n" % (
+                i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'风险名称'],
+                result_info[u'异常信息'])
+                if suggestion: say_info = say_info + u"           排查参考：%s\n" % result_info[u'手工排查确认']
+                if programme and result_info[u'处理方案']: programme_info += u"[%d] %s" % (i, result_info[u'处理方案'])
             if result_info[u'检测项'] == u'文件类安全检测':
-                say_info += u"[%d][%s] 黑客在%s时间，植入了恶意文件%s，%s\n            排查参考：%s\n" % (
-                    i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
-                    result_info[u'异常文件'],
-                    result_info[u'异常信息'], result_info[u'手工排查确认'])
+                say_info += u"[%d][%s] 黑客在%s时间，植入了恶意文件%s，%s\n" % (
+                i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'异常文件'],
+                result_info[u'异常信息'])
+                if suggestion: say_info = say_info + u"           排查参考：%s\n" % result_info[u'手工排查确认']
+                if programme and result_info[u'处理方案']: programme_info += u"[%d] %s" % (i, result_info[u'处理方案'])
             if result_info[u'检测项'] == u'主机历史操作类安全检测':
-                say_info += u"[%d][%s] 黑客在%s时间，进行了恶意操作，%s\n            排查参考：%s\n" % (
-                    i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
-                    result_info[u'异常信息'], result_info[u'手工排查确认'])
+                say_info += u"[%d][%s] 黑客在%s时间，进行了恶意操作，%s\n" % (
+                i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'异常信息'])
+                if suggestion: say_info = say_info + u"           排查参考：%s\n" % result_info[u'手工排查确认']
+                if programme and result_info[u'处理方案']: programme_info += u"[%d] %s" % (i, result_info[u'处理方案'])
             if result_info[u'检测项'] == u'日志类安全检测':
-                say_info += u"[%d][%s] 黑客在%s时间，进行了主机登陆，%s\n            排查参考：%s\n" % (
-                    i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
-                    result_info[u'异常信息'], result_info[u'手工排查确认'])
+                say_info += u"[%d][%s] 黑客在%s时间，通过用户%s进行了主机登陆，%s\n" % (
+                i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'所属用户'],
+                result_info[u'异常信息'])
+                if suggestion: say_info = say_info + u"           排查参考：%s\n" % result_info[u'手工排查确认']
+                if programme and result_info[u'处理方案']: programme_info += u"[%d] %s" % (i, result_info[u'处理方案'])
             if result_info[u'检测项'] == u'网络链接类安全检测':
-                say_info += u"[%d][%s] 黑客在%s时间，%s\n            排查参考：%s\n" % (
-                    i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
-                    result_info[u'异常信息'], result_info[u'手工排查确认'])
+                say_info += u"[%d][%s] 黑客在%s时间，%s\n" % (
+                i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'异常信息'])
+                if suggestion: say_info = say_info + u"           排查参考：%s\n" % result_info[u'手工排查确认']
+                if programme and result_info[u'处理方案']: programme_info += u"[%d] %s" % (i, result_info[u'处理方案'])
             if result_info[u'检测项'] == u'进程类安全检测':
-                say_info += u"[%d][%s] 黑客在%s时间，启动进程%s，%s\n            排查参考：%s\n" % (
-                    i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
-                    result_info[u'进程PID'], result_info[u'异常信息'],
-                    result_info[u'手工排查确认'])
+                say_info += u"[%d][%s] 黑客在%s时间，启动进程%s，%s\n" % (
+                i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'进程PID'],
+                result_info[u'异常信息'])
+                if suggestion: say_info = say_info + u"           排查参考：%s\n" % result_info[u'手工排查确认']
+                if programme and result_info[u'处理方案']: programme_info += u"[%d] %s" % (i, result_info[u'处理方案'])
             if result_info[u'检测项'] == u'Rootkit类安全检测':
-                say_info += u"[%d][%s] 黑客在%s时间，植入Rootkit后门，%s\n            排查参考：%s\n" % (
-                    i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
-                    result_info[u'异常信息'], result_info[u'手工排查确认'])
+                say_info += u"[%d][%s] 黑客在%s时间，植入Rootkit后门，%s\n" % (
+                i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'异常信息'])
+                if suggestion: say_info = say_info + u"           排查参考：%s\n" % result_info[u'手工排查确认']
+                if programme and result_info[u'处理方案']: programme_info += u"[%d] %s" % (i, result_info[u'处理方案'])
             if result_info[u'检测项'] == u'系统初始化检测':
-                say_info += u"[%d][%s] 黑客在%s时间，设置了系统命令别名，%s\n            排查参考：%s\n" % (
-                    i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
-                    result_info[u'异常信息'], result_info[u'手工排查确认'])
+                say_info += u"[%d][%s] 黑客在%s时间，设置了系统命令别名，%s\n" % (
+                i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'异常信息'])
+                if suggestion: say_info = say_info + u"           排查参考：%s\n" % result_info[u'手工排查确认']
+                if programme and result_info[u'处理方案']: programme_info += u"[%d] %s" % (i, result_info[u'处理方案'])
             if result_info[u'检测项'] == u'账户类安全检测':
-                say_info += u"[%d][%s] 黑客在%s时间，进行了账户修改设置，%s\n            排查参考：%s\n" % (
-                    i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
-                    result_info[u'异常信息'], result_info[u'手工排查确认'])
+                say_info += u"[%d][%s] 黑客在%s时间，进行了账户修改设置，%s\n" % (
+                i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'异常信息'])
+                if suggestion: say_info = say_info + u"           排查参考：%s\n" % result_info[u'手工排查确认']
+                if programme and result_info[u'处理方案']: programme_info += u"[%d] %s" % (i, result_info[u'处理方案'])
             if result_info[u'检测项'] == u'Webshell安全检测':
-                say_info += u"[%d][%s] 黑客在%s时间，植入了webshell文件%s\n            排查参考：%s\n" % (
-                    i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
-                    result_info[u'异常文件'], result_info[u'手工排查确认'])
+                say_info += u"[%d][%s] 黑客在%s时间，植入了webshell文件%s\n" % (
+                i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'异常文件'])
+                if suggestion: say_info = say_info + u"           排查参考：%s\n" % result_info[u'手工排查确认']
+                if programme and result_info[u'处理方案']: programme_info += u"[%d] %s" % (i, result_info[u'处理方案'])
             i += 1
+        if programme:
+            say_info += programme_info
+
         file_write(say_info)
         print(say_info.replace(u'[风险]', u'\033[1;31m[风险]\033[0m').replace(u'[可疑]', u'\033[1;33m[可疑]\033[0m'))
 

diff --git a/lib/core/option.py b/lib/core/option.py
@@ -28,6 +28,8 @@ def main(path):
     group.add_option("--overseas", dest="overseas", default=False, action='store_true', help=u"境外模式，此参数将不进行境外ip的匹配")
     group.add_option("--full", dest="full_scan", default=False, action='store_true', help=u"完全模式，此参数将启用完全扫描")
     group.add_option("--debug", dest="debug", default=False, action='store_true', help=u"调试模式，进行程序的调试数据输出")
+    group.add_option("--sug", dest="suggestion", default=False, action='store_true', help=u"排查建议，用于对异常点的手工排查建议")
+    group.add_option("--pro", dest="programme", default=False, action='store_true', help=u"处理方案，根据异常风险生成初步的处理方案")
     parser.add_option_group(group)
 
     group = optparse.OptionGroup(parser, "Optimization", "Optimization options")
@@ -45,6 +47,10 @@ def main(path):
     set_value('DEBUG', True if options.debug else False)
     # 设置国内ip模式
     set_value('Overseas', True if options.overseas else False)
+    # 设置手工排查建议
+    set_value('suggestion', True if options.suggestion else False)
+    # 设置风险处理方案
+    set_value('programme', True if options.programme else False)
     # 设置扫描模式为完全扫描
     set_value('SCAN_TYPE', 2 if options.full_scan else 1)
     set_value('SYS_PATH', path)