#!/bin/bash


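######config zone###

# nginx access log to analyse. Lines are '|'-separated; the awk field
# numbers used further down refer to that format.
LogFile="/data/logs/www-weblog/access_nginx.log"
# Report root under the sysdra vhost and the name of this report.
DRAHome="/data/sysdra/vhost/default/sysdra"
DRATitle="dra0002wwwLogCountPer10Min"
# Offset handed to GNU `date -d`: the run reports on the 10-minute bucket
# that contains "now + delaytime" (intended for a cron every 10 minutes).
delaytime="-10 minute"

## Derived names for the bucket being reported.
DatePath=$(date -d "${delaytime}" +"%F")
DATATIME=$(date -d "${delaytime}" +"%Y%m%d%H%M")
# Keep YYYYmmddHHM and append "0": the file name is the 10-minute bucket.
FILE_NAME_DATATIME=${DRATitle}-${DATATIME:0:11}0.txt
FilterTag=$(date -d "${delaytime}" +"%d/%b/%Y:%H:%M")
# First 16 chars = "dd/Mon/YYYY:HH:M", i.e. the whole 10-minute bucket as it
# appears in the log's time field; every grep below uses this tag.
FilterTag001=${FilterTag:0:16}

ResultPath=${DRAHome}/${DRATitle}/${DatePath}/
ResultFile=${ResultPath}/${FILE_NAME_DATATIME}
# Per-client detail dumps go to the OtherLog subdirectory of the day.
OtherLogFile="${ResultPath}OtherLog/${DRATitle}_${FILE_NAME_DATATIME}"
printf '%s\n' "${ResultFile}" "${FilterTag001}"

# Create the day directory and its OtherLog subdirectory in one go
# (mkdir -p is a no-op when they already exist).
mkdir -p "${ResultPath}/OtherLog"

# Start a fresh report for this bucket.
echo "================${FILE_NAME_DATATIME}===============" > "${ResultFile}"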

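#计算部分: per-window counters.
# Field numbers are those of the '|'-separated nginx log line; their
# meaning is taken from the report headers below (1=host, 10=url,
# 11=status, 15=client ip, 18=authenticated user) — verify against the
# nginx log_format before changing them.
# Every counter rescans LogFile for the window tag; fine for a 10-minute
# cron job, hoist the filtered window into a temp file if the log grows.
hitcount=$(grep -c -- "${FilterTag001}" "${LogFile}")
# Page views: requests whose URL is not a static asset. Dots are escaped so
# e.g. ".js" does not also match "ajs".
PV=$(grep -- "${FilterTag001}" "${LogFile}" | awk -F '|' '{print $10}' \
  | grep -vc '\.jpg\|\.gif\|\.css\|\.js\|\.xml\|\.swf\|\.png\|\.ico')
# Unique visitors (field 16) — disabled.
#UV=$(grep -- "${FilterTag001}" "${LogFile}" | awk -F '|' '{print $16}' | sort -u | wc -l)
IP=$(grep -- "${FilterTag001}" "${LogFile}" | awk -F '|' '{print $15}' | sort -u | wc -l)
AuthenticationUsers=$(grep -- "${FilterTag001}" "${LogFile}" | awk -F '|' '{print $18}' | sort -u | wc -l)
# Visits (field 17) — disabled.
#VV=$(grep -- "${FilterTag001}" "${LogFile}" | awk -F '|' '{print $17}' | sort -u | wc -l)
# Requests from the two office addresses; fixed-string match so the dots
# in the address are literal.
IPHIT106_120_69_243=$(grep -- "${FilterTag001}" "${LogFile}" | awk -F '|' '{print $15}' | grep -cF -- "106.120.69.243")
IPHIT101_251_213_153=$(grep -- "${FilterTag001}" "${LogFile}" | awk -F '|' '{print $15}' | grep -cF -- "101.251.213.153")
Baidu_YunGuanCe=$(grep -- "${FilterTag001}" "${LogFile}" | grep -cF -- "Baidu-YunGuanCe-ScanBot(ce.baidu.com)")
LoginPageRequst=$(grep -- "${FilterTag001}" "${LogFile}" | grep -F -- "www.aiwaly.com" | grep -cF -- "/Login/getLoginInfo")
DmsLoginPageRequst=$(grep -- "${FilterTag001}" "${LogFile}" | grep -F -- "dms.aiwaly.com" | grep -cF -- "/cas/login?service")

# Distinct site ids (field 21) — disabled.
#cb_site_id=$(grep -- "${FilterTag001}" "${LogFile}" | awk -F '|' '{print $21}' | sort -u | wc -l)

# Write the summary; the office-IP lines print the counters computed above
# (the original referenced variables that were never assigned).
{
  echo "HIT:${hitcount}   //HIT网站点击次数"
  echo "PV:${PV}   //PV(访问量)"
  #echo "VV:${VV}   //VV(访问次数)"
  #echo "UV:${UV}   //UV(独立访客)"
  echo "IP:${IP}   //IP(独立IP)"
  echo "IPHIT-106.120.69.243=${IPHIT106_120_69_243}   //来自AIWALY办公室用户请求数量"
  echo "IPHIT-101.251.213.153=${IPHIT101_251_213_153} //来自AIWALY办公室服务器请求数量"
  echo "AuthenticationUsers:${AuthenticationUsers}   //登录用户数"
  echo "Baidu_YunGuanCe=${Baidu_YunGuanCe}  //百度云测试请求数"
  echo "LoginPageRequst=${LoginPageRequst}  //登录页请求"
  echo "DmsLoginPageRequst=${DmsLoginPageRequst}  //dms登录页请求"
  echo "#==可疑top 10 ip =="
  echo "    num ip_address"
  # Suspicious clients: drop the known scanner, office/partner addresses and
  # the static-asset hosts, then rank the remaining external client IPs.
  grep -- "${FilterTag001}" "${LogFile}" \
    | grep -v 'Baidu-YunGuanCe-ScanBot\|180.97.106.\|106.120.69.243\|101.251.213.153\|119.254.85.35\|121.41.175.135\|^sstatic.aiwalyimg.com\|^s3.aiwalyimg.com\|^s2.aiwalyimg.com\|^s1.aiwalyimg.com\|^s0.aiwalyimg.com\|^i1.aiwalyimg.com\|^static.aiwalyimg.com\|^i3.aiwalyimg.com\|^i2.aiwalyimg.com\|^i0.aiwalyimg.com' \
    | awk -F '|' '{print $15}' \
    | grep -v '10\.254\.\|172\.16\.\|-' \
    | sort | uniq -c | sort -rn | head -n 10
  echo ""
} >> "${ResultFile}"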


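# Ranking reports for the window, appended to ResultFile.
# Globals (read): LogFile, FilterTag001, ResultFile.
# Field numbers are the '|'-separated nginx log fields named by each
# header (1=host, 8=time, 10=url, 11=status, 14=user-agent, 15=client ip).

# window_log: access-log lines carrying the window's time tag.
window_log() { grep -- "${FilterTag001}" "${LogFile}"; }
# rank_top N: count identical stdin lines, most frequent first, top N.
rank_top() { sort | uniq -c | sort -rn | head -n "$1"; }
# Internal and placeholder ("-") client addresses are left out of IP rankings.
internal_ips='10\.254\.\|172\.16\.\|-'

{
  echo "#============ top 20 ip ========================"
  echo "    num ip_address"
  window_log | awk -F '|' '{print $15}' | grep -v -e "${internal_ips}" | rank_top 20
  echo ""

  echo "#============域名访问排名 ========================"
  echo "    num  domain"
  window_log | awk -F '|' '{print $1}' | rank_top 20
  echo ""

  echo "#============ top 20 url ======================="
  echo "    num url"
  window_log | awk -F '|' '{print $10}' | rank_top 20

  echo "#============request status页面请求状态======="
  echo "    num status"
  window_log | awk -F '|' '{print $11}' | rank_top 20

  echo "#============404 错误页面 url top 20======="
  echo "    num status url"
  window_log | awk -F '|' '{print "status"$11" "$10}' | grep -F -- "status404 " | rank_top 20

  echo "#============503错误 ip top 20(用于分析被FLB防抓站拒绝的ip情况)======="
  echo "    num status ip"
  window_log | awk -F '|' '{print "status"$11" "$15}' | grep -F -- "status503 " | rank_top 20

  echo "#============QPS(每秒QPS最高时间排序)======="
  echo "    num status"
  # Field 8 is presumably the request time; colon parts 2-4 of its first
  # word give HH:MM:SS, so this ranks the busiest seconds of the window.
  window_log | awk -F '|' '{print $8}' | awk '{print $1}' | awk -F ":" '{print ($2":"$3":"$4)}' | rank_top 20

  echo "#============User-Agent(浏览器信息)======="
  echo "    num User-Agent"
  window_log | awk -F '|' '{print $14}' | rank_top 20
} >> "${ResultFile}"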



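echo "#============TopIPTrac(访问次数最多者访问轨迹,已排除106.120.xxx.xxx|101.251.xxx.xxx)=======" >> "${ResultFile}"
# Five busiest external clients of the window, office addresses excluded.
Topip=$(grep -- "${FilterTag001}" "${LogFile}" | awk -F "|" '{print $15}' \
  | grep -v '10\.254\.\|172\.16\.\|-' \
  | grep -v '106.120.69.243\|101.251.213.153' \
  | sort | uniq -c | sort -rn | head -n 5 | awk '{print $2}')
# shellcheck disable=SC2206 — word-splitting is intended: one IP per element.
Topip_ar=($Topip)
declare -p Topip_ar

# Per-client detail files sit next to the report (".txt" dropped, the IP is
# appended later); the link rewrites the vhost document root to the public
# host name. Neither depends on the loop variable, so compute them once —
# and also when Topip is empty, because the alarm blocks below use them.
OtherLogFileE2=${OtherLogFile/\.txt/}
ResultFileE=${OtherLogFileE2/\/data\/sysdra\/vhost\/default/http:\/\/sysdra.prod.aiwaly.com}

for Ipvar in "${Topip_ar[@]}"; do
  printf '%s 详细信息-请访问 %s_%s.txt\n' "${Ipvar}" "${ResultFileE}" "${Ipvar}" >> "${ResultFile}"
  # Fixed-string match on "|ip|" so the dots of the address are literal.
  grep -- "${FilterTag001}" "${LogFile}" | grep -F -- "|${Ipvar}|" >> "${OtherLogFileE2}_${Ipvar}.txt"
done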







#===================================================================
#通知报警区


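#######################################
# Send a WeChat notification to the fixed ops recipient list.
# Arguments: $1 - message text; "%0A" sequences in it are passed through
#                 unchanged as line breaks
# Outputs:   the notify API's response on stdout (curl)
#######################################
WeiXinNotify() {
  local touser="wangpenga|liupeiyang|renzhonglu"
  #touser="wangpenga"
  local Weixinmessage=$1
  # NOTE(review): the message is placed unencoded in the form body, so an
  # '&' or '=' inside it (e.g. from a log-derived value) would be read as
  # an extra form field — confirm the API tolerates that or encode first.
  /usr/bin/curl "http://weixinnotify.prod.aiwaly.com/WeiXinApi/CbWeiXinNotifySendApi.php?touser=${touser}" -d "message=${Weixinmessage}"
}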


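#######################################
# Add a client address to the ops blacklist through the sysdra HTTP API.
# Arguments: $1 - client address (comes straight from the log's client-ip field)
#            $2 - free-text note stored with the entry
# Outputs:   the URL that is requested, then the HEAD response headers
# Returns:   2 when $1 is not made of address characters (nothing is requested),
#            otherwise curl's exit status
#######################################
AddBlackList() {
  local ipaddr=$1 note=$2 url
  # The address is spliced into a URL path; accept only IPv4/IPv6 characters
  # so an unexpected log value cannot change the shape of the request.
  if [[ ! "${ipaddr}" =~ ^[0-9A-Fa-f.:]+$ ]]; then
    printf 'AddBlackList: refusing non-address value "%s"\n' "${ipaddr}" >&2
    return 2
  fi
  url="http://sysdra.prod.aiwaly.com/ops01/index.php?s=/Blacklist/Ips/commitip/ipaddr/${ipaddr}/note/sysdralog-${note}/"
  # Print the URL actually requested (the old echo showed a different note
  # prefix than the curl call below).
  echo "${url}"
  # NOTE(review): the note is not URL-encoded (callers pass spaces and
  # non-ASCII text) and no credential is visible here — confirm the endpoint
  # accepts such paths and authenticates callers before relying on it.
  /usr/bin/curl -I "${url}"
}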

#报警函数v2

# Recipient lists for WeiXinNotify_v2 ("|"-separated WeChat user ids).
testuser='wangpenga'          # single recipient for dry runs
opuser='wangpenga|liupeiyang|zhangxiaojie|laizhide|renzhonglu'
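#######################################
# Send a WeChat notification to an explicit recipient list.
# Arguments: $1 - recipients, "|"-separated WeChat user ids (e.g. ${opuser})
#            $2 - message text; "%0A" sequences are passed through as line breaks
# Outputs:   the notify API's response on stdout (curl)
#######################################
WeiXinNotify_v2() {
  local touser=$1
  local Weixinmessage=$2
  # NOTE(review): the message is placed unencoded in the form body; an '&'
  # or '=' inside it would be read as an extra form field.
  /usr/bin/curl "http://weixinnotify.prod.aiwaly.com/WeiXinApi/CbWeiXinNotifySendApi.php?touser=${touser}" -d "message=${Weixinmessage}"
}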
#   WeiXinNotify_v2  ${opuser} "message"





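#百度观测报警: Baidu YunGuanCe scanner alarm.
#Baidu_YunGuanCe=100000   # uncomment to force the alarm when testing
BaiduYunGuanCeAlarmValue=10000
# ":-0" keeps the numeric test valid when the counter is empty.
if [ "${Baidu_YunGuanCe:-0}" -gt "${BaiduYunGuanCeAlarmValue}" ]; then
  WeiXinNotify "时间$(date +%F\ %R:%S)%0A百度云观测10分钟内访问数量=${Baidu_YunGuanCe}次请知悉,超过10000次报警阀值"
fi

#独立ip超过1万次报警: single external client above 10000 requests in the window.
WarningIP=$(grep -- "${FilterTag001}" "${LogFile}" \
  | grep -v 'Baidu-YunGuanCe-ScanBot\|180.97.106.\|106.120.69.243\|101.251.213.153\|^sstatic.aiwalyimg.com\|^s3.aiwalyimg.com\|^s2.aiwalyimg.com\|^s1.aiwalyimg.com\|^s0.aiwalyimg.com\|^i1.aiwalyimg.com\|^static.aiwalyimg.com\|^i3.aiwalyimg.com\|^i2.aiwalyimg.com\|^i0.aiwalyimg.com' \
  | awk -F '|' '{print $15}' \
  | grep -v '10\.254\.\|172\.16\.\|-' \
  | sort | uniq -c | sort -rn | head -n 1)
# "uniq -c" prints "<count> <ip>"; both variables stay empty for an empty window.
read -r WarningIPtopnum WarningIPtop <<<"${WarningIP}"
WarningIPAlarmValue=10000
# An empty count would make `[ -gt ]` fail with "unary operator expected"
# instead of evaluating to false, so normalise it to 0 first.
[[ "${WarningIPtopnum}" =~ ^[0-9]+$ ]] || WarningIPtopnum=0
if [ "${WarningIPtopnum}" -gt "${WarningIPAlarmValue}" ]; then
  WeiXinNotify "时间$(date +%F\ %R:%S)%0A可疑ip通报${WarningIPtop}在10分钟内访问数量=${WarningIPtopnum}次请知悉,超过10000次报警阀值, 详细信息-请访问 ${ResultFileE}_${WarningIPtop}.txt"
  AddBlackList "${WarningIPtop}" "独立ip超过1万次报警"
fi

#登录页请求10分钟内超过5000次: login-page requests above 5000 in the window.
#LoginPageRequst=5000   # uncomment to force the alarm when testing
LoginPageRequstAlarmValue=5000
if [ "${LoginPageRequst:-0}" -gt "${LoginPageRequstAlarmValue}" ]; then
  # NOTE(review): the link points at the detail file of the flood-alarm IP
  # above (WarningIPtop), which may be unrelated to this alarm — confirm intent.
  WeiXinNotify "时间$(date +%F\ %R:%S)%0A登录页请求10分钟内访问数量=${LoginPageRequst}次请知悉,超过10分钟内超过5000次报警阀值,详细信息-请访问 ${ResultFileE}_${WarningIPtop}.txt"
fi

#dmsapi登录页请求10分钟内超过5000次: DMS login-page requests above 5000 in the window.
#DmsLoginPageRequst=5000   # uncomment to force the alarm when testing
DmsLoginPageRequstAlarmValue=5000
if [ "${DmsLoginPageRequst:-0}" -gt "${DmsLoginPageRequstAlarmValue}" ]; then
  WeiXinNotify "时间$(date +%F\ %R:%S)%0ADms登录页请求10分钟内访问数量=${DmsLoginPageRequst}次请知悉,超过10分钟内超过5000次报警阀值,详细信息-请访问 ${ResultFileE}_${WarningIPtop}.txt"
fi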




##########waf 防火墙设置区


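#防止SQL注入规则: SQL-injection signature rule.
# Per client, count requests whose log line carries one of the URL-encoded
# SQL keywords below, then alarm and blacklist the busiest client above the
# threshold. The keyword list is a coarse signature (it also matches benign
# URLs containing e.g. "%20from"), so the threshold is what limits noise.
WAF_SQL_WarningIP=$(grep -- "${FilterTag001}" "${LogFile}" \
  | grep -v 'Baidu-YunGuanCe-ScanBot\|^sstatic.aiwalyimg.com\|^s3.aiwalyimg.com\|^s2.aiwalyimg.com\|^s1.aiwalyimg.com\|^s0.aiwalyimg.com\|^i1.aiwalyimg.com\|^static.aiwalyimg.com\|^i3.aiwalyimg.com\|^i2.aiwalyimg.com\|^i0.aiwalyimg.com' \
  | grep -i "%20union\|%20insert\|%20drop\|%20truncate\|%20update\|%20from\|%20grant\|%20exec\|%20where\|%20select" \
  | awk -F "|" '{print $15}' \
  | grep -v '10\.254\.\|172\.16\.\|-' \
  | grep -v '180.97.106.\|106.120.69.243\|101.251.213.153' \
  | sort | uniq -c | sort -rn | head -n 1)
# "uniq -c" prints "<count> <ip>"; read splits it on whitespace.
read -r WAF_SQL_WarningIPNum WAF_SQL_WarningIPtop <<<"${WAF_SQL_WarningIP}"
# Empty window -> zero, so the numeric test below cannot error out.
if [[ ! "${WAF_SQL_WarningIPNum}" =~ ^[0-9]+$ ]]; then
  WAF_SQL_WarningIPNum=0
  WAF_SQL_WarningIPtop=0
fi
#显示采集结果
echo "IP=${WAF_SQL_WarningIPtop}  WAF_SQL_WarningIPNum=${WAF_SQL_WarningIPNum}"

#WAF_SQL_WarningIPNum=400   # uncomment to force the alarm when testing
WAF_SQL_WarningIPNumAlarmValue=200
if [ "${WAF_SQL_WarningIPNum}" -gt "${WAF_SQL_WarningIPNumAlarmValue}" ]; then
  WeiXinNotify_v2 "${opuser}" "时间$(date +%F\ %R:%S)%0Aip ${WAF_SQL_WarningIPtop} sql注入特征 10分钟内数量=${WAF_SQL_WarningIPNum}次请知悉,超过10分钟内超过200次报警阀值,详细信息-请访问 ${ResultFileE}_${WAF_SQL_WarningIPtop}.txt"
  AddBlackList "${WAF_SQL_WarningIPtop}" "${WAF_SQL_WarningIPtop}匹配sql注入特征${WAF_SQL_WarningIPNum}次"
  # Dump that client's lines for the window; fixed-string match on "|ip|".
  grep -- "${FilterTag001}" "${LogFile}" | grep -F -- "|${WAF_SQL_WarningIPtop}|" >> "${OtherLogFileE2}_${WAF_SQL_WarningIPtop}.txt"
fi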





# Recipient of the SMS-endpoint abuse alarms below ("|"-separated user ids).
sendSmsuser='yangxianfang'
#sendSmsuser="wangpenga|liupeiyang| n"

#WAF_SQL_WarningIP=""
#WAF_SQL_WarningIP=`cat ${LogFile} |  grep ${FilterTag001} |grep www.aiwaly.com| grep /login/sendSms  | awk  -F "|" '{print $15}' |grep -v "10.254.\|172.16.\|-" |grep -v '180.97.106.\|106.120.69.243\|101.251.213.153' | sort | uniq -c | sort -rn | head -n 1 `
##获取IP
#WAF_SQL_WarningIPtop=`echo ${WAF_SQL_WarningIP} |awk  '{print $2}'`
##获取数量
#WAF_SQL_WarningIPNum=`echo ${WAF_SQL_WarningIP} |awk  '{print $1}'`
##判断如果空设置为零防止出错
#if [ ! ${WAF_SQL_WarningIPNum} ]; then
#  WAF_SQL_WarningIPNum=0
#  WAF_SQL_WarningIPtop=0
#fi
##显示采集结果
#echo "IP=${WAF_SQL_WarningIPtop}  WAF_SQL_WarningIPNum=${WAF_SQL_WarningIPNum}"
#
##WAF_SQL_WarningIPNum=400
#WAF_SQL_WarningIPNumAlarmValue=50
#if   [ ${WAF_SQL_WarningIPNum}  -gt ${WAF_SQL_WarningIPNumAlarmValue} ]   ; then
#   WeiXinNotify_v2  "${sendSmsuser}"   "时间$(date +%F\ %R:%S)%0Aip ${WAF_SQL_WarningIPtop} 恶意访问 验证码接口www.aiway.com/login/sendSms 10分钟内数量=${WAF_SQL_WarningIPNum}次请知悉,超过10分钟内超过${WAF_SQL_WarningIPNumAlarmValue}次报警阀值,详细信息-请访问 ${ResultFileE}_${WAF_SQL_WarningIPtop}.txt"
#   AddBlackList "${WAF_SQL_WarningIPtop}" "${WAF_SQL_WarningIPtop} 恶意访问 验证码接口www.aiway.com/login/sendSms ${WAF_SQL_WarningIPNum}次"
#   cat ${LogFile} | grep ${FilterTag001}| grep "|${WAF_SQL_WarningIPtop}|"   >> ${OtherLogFileE2}_${WAF_SQL_WarningIPtop}.txt
#fi



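#######################################
# Alarm on the busiest external client of one endpoint in the current
# 10-minute window: above the threshold, notify the recipients, blacklist
# the client and dump its log lines next to the report.
# Replaces four copies of the same inline block that differed only in
# host, path, alert text and threshold (one copy also had a stray '>' in
# its alert text and named a different path in message and note).
# Globals (read):    LogFile, FilterTag001, ResultFileE, OtherLogFileE2,
#                    OtherLogFile (fallback when the top-IP loop never ran)
# Globals (written): WAF_SQL_WarningIP, WAF_SQL_WarningIPtop,
#                    WAF_SQL_WarningIPNum, WAF_SQL_WarningIPNumAlarmValue
#                    (kept as the original inline blocks set them)
# Arguments: $1 - host substring to match (e.g. www.aiwaly.com)
#            $2 - URL path substring to match; a prefix such as
#                 /login/sendSms also matches /login/sendSmsNow
#            $3 - endpoint label used in the alert text and blacklist note
#            $4 - alarm threshold (requests per window, integer)
#            $5 - WeChat recipients ("a|b")
# Outputs:   "IP=<ip>  WAF_SQL_WarningIPNum=<n>" on stdout
#######################################
endpoint_flood_check() {
  local host=$1 path=$2 label=$3 threshold=$4 recipients=$5
  local detail_base link_base stamp
  WAF_SQL_WarningIP=$(grep -- "${FilterTag001}" "${LogFile}" \
    | grep -F -- "${host}" | grep -F -- "${path}" \
    | awk -F "|" '{print $15}' \
    | grep -v '10\.254\.\|172\.16\.\|-' \
    | grep -v '180.97.106.\|106.120.69.243\|101.251.213.153' \
    | sort | uniq -c | sort -rn | head -n 1)
  # "uniq -c" prints "<count> <ip>"; both stay empty for an empty window.
  read -r WAF_SQL_WarningIPNum WAF_SQL_WarningIPtop <<<"${WAF_SQL_WarningIP}"
  # Empty window -> zero, so the numeric test below cannot error out.
  if [[ ! "${WAF_SQL_WarningIPNum}" =~ ^[0-9]+$ ]]; then
    WAF_SQL_WarningIPNum=0
    WAF_SQL_WarningIPtop=0
  fi
  #显示采集结果
  echo "IP=${WAF_SQL_WarningIPtop}  WAF_SQL_WarningIPNum=${WAF_SQL_WarningIPNum}"

  WAF_SQL_WarningIPNumAlarmValue=${threshold}
  if [ "${WAF_SQL_WarningIPNum}" -gt "${WAF_SQL_WarningIPNumAlarmValue}" ]; then
    # Detail-file base and its public link as derived in the top-IP loop;
    # recomputed here so an empty Topip earlier does not leave them unset.
    detail_base=${OtherLogFileE2}
    [[ -n "${detail_base}" ]] || detail_base=${OtherLogFile/\.txt/}
    link_base=${ResultFileE}
    [[ -n "${link_base}" ]] || link_base=${detail_base/\/data\/sysdra\/vhost\/default/http:\/\/sysdra.prod.aiwaly.com}
    stamp=$(date '+%F %R:%S')
    WeiXinNotify_v2 "${recipients}" "时间${stamp}%0Aip ${WAF_SQL_WarningIPtop} 恶意访问 ${label} 10分钟内数量=${WAF_SQL_WarningIPNum}次请知悉,超过10分钟内超过${WAF_SQL_WarningIPNumAlarmValue}次报警阀值,详细信息-请访问 ${link_base}_${WAF_SQL_WarningIPtop}.txt"
    # The address is spliced into a URL path and a grep pattern; log fields
    # are client-influenced, so only act on address-looking values.
    if [[ "${WAF_SQL_WarningIPtop}" =~ ^[0-9A-Fa-f.:]+$ ]]; then
      AddBlackList "${WAF_SQL_WarningIPtop}" "${WAF_SQL_WarningIPtop} 恶意访问 ${label} ${WAF_SQL_WarningIPNum}次"
      grep -- "${FilterTag001}" "${LogFile}" | grep -F -- "|${WAF_SQL_WarningIPtop}|" >> "${detail_base}_${WAF_SQL_WarningIPtop}.txt"
    else
      printf 'endpoint_flood_check: not blacklisting non-address value "%s"\n' "${WAF_SQL_WarningIPtop}" >&2
    fi
  fi
}

# Verification-code endpoints: the busiest client above 50 requests per
# window is reported to sendSmsuser and blacklisted.
endpoint_flood_check www.aiwaly.com /login/sendSmsNow '验证码接口www.aiway.com/login/sendSmsNow' 50 "${sendSmsuser}"
endpoint_flood_check api.aiwaly.com /Sms/Send '验证码接口api.aiway.com/Sms/Send' 50 "${sendSmsuser}"
endpoint_flood_check www.aiwaly.com /login/sendSms '验证码接口www.aiway.com/login/sendSms' 50 "${sendSmsuser}"

sendSmsuser="yangxianfang|wangpenga"
#恶意访问 接口api.aiway.com/Member/index
endpoint_flood_check api.aiwaly.com /Member/index '接口api.aiway.com/Member/index' 50 "${sendSmsuser}"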

文档更新时间: 2019-06-20 09:22   作者:月影鹏鹏