Purpose: fingerprint every domain the company owns and present the results visually, so that baseline data about the application estate stays current and risks are spotted promptly. Integration with other systems will be considered later.
#!/usr/bin/env bash
# Daily whatweb fingerprint run over the domains listed in /root/whatweb_log/domain.txt;
# progress is written to run_status.log, results to log/<YYYYMMDD>.json.
: > ./run_status.log
today=$(date +%Y%m%d)
if echo "获取当前时间成功 ${today}" >> ./run_status.log; then
    echo "创建当天文件夹成功...开始执行扫描......" >> ./run_status.log
fi
# Dockerised whatweb: the host directory holding domain.txt is mounted at /tmp,
# the output directory at /mnt. --tty/--interactive are omitted because the job
# runs from cron, where `docker run -t` fails with "the input device is not a TTY".
docker run --rm \
    -v /root/whatweb_log:/tmp \
    -v /root/whatweb_log/log:/mnt \
    guidelacour/whatweb ./whatweb -a 3 --no-errors \
    --log-json=/mnt/${today}.json --input-file=/tmp/domain.txt
if [ $? -eq 0 ]; then
    echo "扫描任务结束" >> ./run_status.log
fi
For simplicity the Docker build of whatweb is used, with a local directory mounted into the container so the scan results land on the host.
# crontab entry: run the scan every day at 08:00
0 8 * * * /usr/bin/bash /root/whatweb_log/whatwebscan.sh
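Before the results are shipped off for display it helps to know what the daily JSON contains and what in it is worth alerting on. The following Python script is an added example, not part of the original post: it parses whatweb's --log-json output (assumed shape: one object per target with "target", "http_status" and "plugins", each plugin carrying "string"/"version"/"module" lists; the two days of data are constructed samples) and diffs two scan days to surface new hosts, vanished hosts, and changed banners or newly detected frameworks.

```python
import json
from typing import Dict

# Constructed sample of whatweb --log-json output for two consecutive days.
# Day one is a JSON array, day two is one object per line; both shapes are handled.
YESTERDAY = '''[
{"target":"https://www.example.com","http_status":200,"plugins":{"HTTPServer":{"string":["nginx/1.18.0"]},"Title":{"string":["Example"]}}},
{"target":"https://shop.example.com","http_status":200,"plugins":{"HTTPServer":{"string":["Apache"]},"PHP":{"version":["7.4.3"]}}}
]'''
TODAY = '''{"target":"https://www.example.com","http_status":200,"plugins":{"HTTPServer":{"string":["nginx/1.18.0"]},"Title":{"string":["Example"]}}}
{"target":"https://shop.example.com","http_status":200,"plugins":{"HTTPServer":{"string":["Apache/2.4.41"]},"PHP":{"version":["7.4.3"]},"WordPress":{"version":["5.4"]}}}
{"target":"https://old.example.com","http_status":403,"plugins":{"HTTPServer":{"string":["Microsoft-IIS/7.5"]}}}
'''

def load_whatweb(text: str) -> Dict[str, Dict[str, str]]:
    """Parse whatweb JSON (a JSON array or one object per line) into
    {target: {"http_status": "200", "HTTPServer": "nginx/1.18.0", ...}}."""
    text = text.strip()
    if text.startswith("["):
        records = json.loads(text)
    else:
        records = [json.loads(line) for line in text.splitlines() if line.strip()]
    table: Dict[str, Dict[str, str]] = {}
    for rec in records:
        row = {"http_status": str(rec.get("http_status"))}
        for plugin, data in rec.get("plugins", {}).items():
            # Join whatever facets the plugin reported, so a version bump shows up as a changed value.
            facets = [", ".join(map(str, data[k])) for k in ("string", "version", "module") if data.get(k)]
            row[plugin] = " | ".join(facets) if facets else "present"
        table[rec["target"]] = row
    return table

def diff_fingerprints(before: Dict[str, Dict[str, str]], after: Dict[str, Dict[str, str]]) -> dict:
    """Return the changes a defender wants to review between two scan days."""
    changes = {"new_hosts": sorted(set(after) - set(before)),
               "gone_hosts": sorted(set(before) - set(after)),
               "changed": {}}
    for target in set(before) & set(after):
        b, a = before[target], after[target]
        delta = {k: (b.get(k), a.get(k)) for k in set(b) | set(a) if b.get(k) != a.get(k)}
        if delta:
            changes["changed"][target] = delta
    return changes

if __name__ == "__main__":
    report = diff_fingerprints(load_whatweb(YESTERDAY), load_whatweb(TODAY))
    print(json.dumps(report, indent=2, ensure_ascii=False))
```

In production the two inputs would be log/<yesterday>.json and log/<today>.json from the cron job above.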
With whatweb configured, the scan results have to be moved to the Splunk log centre for analysis and display; the Splunk forwarder does the hauling.
3.1. Log in to the Splunk website and download the Splunk forwarder
3.2. Install the Splunk forwarder
# rpm -ivh splunkforwarder-7.3.0-657388c7a488-linux-2.6-x86_64.rpm
3.3. Forwarder configuration
/opt/splunkforwarder/bin/splunk start
/opt/splunkforwarder/bin/splunk enable boot-start
Set the receiving server
/opt/splunkforwarder/bin/splunk add forward-server splunk-server-ip:9997
/opt/splunkforwarder/bin/splunk set deploy-poll whatweb-server-ip:8089
Add the content to collect
/opt/splunkforwarder/bin/splunk add monitor /root/whatweb_log/log
Or edit the configuration file directly
/opt/splunkforwarder/etc/apps/search/local/inputs.conf
# cat inputs.conf
[monitor:///root/whatweb_log/log]
disabled = false
Restart the Splunk service after configuring
# systemctl restart splunk
On the Splunk side, enable receiving: [Settings] --> [Forwarding and receiving] --> [Receive data] --> port 9997
The data has arrived.