新增设备

SecAegis · SecAegis · commit 26730dca4ffa · 2025-09-03T14:22:26.000+08:00
深信服态势感知、启明星辰全网安全态势感知系统、天融信防火墙、深信服防火墙
diff --git a/README.md b/README.md
@@ -85,8 +85,9 @@ Docker全部运行后访问 [http://127.0.0.1/](http://127.0.0.1/) 访问管理
 | [奇安信椒图](./device/alarm/qianxin_jowtolock) | [CheckPoint](./check_point) |
 | [绿盟WAF](./device/alarm/nsfocus_waf) | [奇安信防火墙](./device/block/qianxin_firewall) |
 | [科来网络安全分析审计系统](./device/alarm/kelai_wangluoanquanfenxishenjixitong) | [钉钉告警通知](./device/block/dingtalk_robot) |
-|  | [BGP封禁](./device/block/bgp) |
-
+| [深信服态势感知](./device/alarm/sangfor_sip) | [BGP封禁](./device/block/bgp) |
+| [启明星辰全网安全态势感知系统](./device/alarm/venustech_qwaqtsgzxt) | [天融信防火墙](./device/block/topsec_firewall) |
+|  | [深信服防火墙](./device/block/sangfor_firewall) |
 
 ## 黑/白名单说明
 
diff --git a/device/alarm/README.md b/device/alarm/README.md
@@ -6,4 +6,6 @@
 * [qianxin_skyeye](./qianxin_skyeye): 奇安信天眼
 * [qianxin_jowtolock](./qianxin_jowtolock): 奇安信椒图
 * [nsfocus_waf](./nsfocus_waf): 绿盟WAF
-* [kelai_wangluoanquanfenxishenjixitong](./kelai_wangluoanquanfenxishenjixitong): 科来网络安全分析审计系统
+* [kelai_wangluoanquanfenxishenjixitong](./kelai_wangluoanquanfenxishenjixitong): 科来网络安全分析审计系统
+* [sangfor_sip](./sangfor_sip): 深信服态势感知
+* [venustech_qwaqtsgzxt](./venustech_qwaqtsgzxt): 启明星辰全网安全态势感知系统
diff --git a/device/alarm/example/multi_syslog_example.py b/device/alarm/example/multi_syslog_example.py
@@ -23,7 +23,7 @@ def add_count(device_name):
         else:
             message_count[device_name] += 1
 
-class SyslogUDPHandler(socketserver.BaseRequestHandler):
+class SyslogUDPHandler(socketserver.DatagramRequestHandler):
     def handle(self):
         data = self.request[0].split(b' ')
         if len(data) < 7:
diff --git a/device/alarm/example/syslog_example.py b/device/alarm/example/syslog_example.py
@@ -2,7 +2,7 @@
 from SecAutoBan import SecAutoBan
 
 # 假设Syslog格式为`攻击IP\t被攻击资产\t报警详情，例如：1.1.1.1\t127.0.0.1\tNMAP 扫描`
-class SyslogUDPHandler(socketserver.BaseRequestHandler):
+class SyslogUDPHandler(socketserver.DatagramRequestHandler):
     def __init__(self, request, client_address, server, ws_client):
         self.ws_client = ws_client
         super().__init__(request, client_address, server)
@@ -18,7 +18,7 @@ def handle(self):
 
 def alarm_analysis(ws_client):
     with socketserver.ThreadingUDPServer(("0.0.0.0", listen_syslog_udp_port), lambda *args: SyslogUDPHandler(*args, ws_client=ws_client)) as server:
-        print("[+] 监听SysLog端口: " + str(listen_syslog_udp_port) + "/UDP")
+        sec_auto_ban.print("[+] 监听SysLog端口: " + str(listen_syslog_udp_port) + "/UDP")
         server.serve_forever()
 
 
diff --git a/device/alarm/kelai_wangluoanquanfenxishenjixitong/kelai_wangluoanquanfenxishenjixitong.py b/device/alarm/kelai_wangluoanquanfenxishenjixitong/kelai_wangluoanquanfenxishenjixitong.py
@@ -10,7 +10,7 @@ def is_lan(ip: str) -> bool:
     return False
 
 
-class SyslogUDPHandler(socketserver.BaseRequestHandler):
+class SyslogUDPHandler(socketserver.DatagramRequestHandler):
     def __init__(self, request, client_address, server, ws_client):
         self.ws_client = ws_client
         super().__init__(request, client_address, server)
diff --git a/device/alarm/nsfocus_waf/nsfocus_waf.py b/device/alarm/nsfocus_waf/nsfocus_waf.py
@@ -2,7 +2,7 @@
 from SecAutoBan import SecAutoBan
 
 
-class SyslogUDPHandler(socketserver.BaseRequestHandler):
+class SyslogUDPHandler(socketserver.DatagramRequestHandler):
     def __init__(self, request, client_address, server, ws_client):
         self.ws_client = ws_client
         super().__init__(request, client_address, server)
diff --git a/device/alarm/qianxin_jowtolock/qianxin_jowtolock.py b/device/alarm/qianxin_jowtolock/qianxin_jowtolock.py
@@ -3,7 +3,7 @@
 from SecAutoBan import SecAutoBan
 
 
-class SyslogUDPHandler(socketserver.BaseRequestHandler):
+class SyslogUDPHandler(socketserver.DatagramRequestHandler):
     def __init__(self, request, client_address, server, ws_client):
         self.ws_client = ws_client
         super().__init__(request, client_address, server)
@@ -19,8 +19,6 @@ def handle(self):
                 continue
             if msg["attackIp"] == "":
                 continue
-            if bypass_lan and msg["attackIpAddress"] == "局域网":
-                continue
             self.ws_client.send_alarm(msg["attackIp"], "", msg["action"]["text"])
 
 
@@ -32,7 +30,6 @@ def alarm_analysis(ws_client):
 
 if __name__ == "__main__":
     listen_syslog_udp_port = 567
-    bypass_lan = True  # 过滤内网攻击，True 开启 | False 关闭
     sec_auto_ban = SecAutoBan(
         server_ip="127.0.0.1",
         server_port=80,
diff --git a/device/alarm/qianxin_skyeye/qianxin_skyeye.py b/device/alarm/qianxin_skyeye/qianxin_skyeye.py
@@ -1,16 +1,9 @@
 import json
-import ipaddress
 import socketserver
 from SecAutoBan import SecAutoBan
 
 
-def is_lan(ip: str) -> bool:
-    if bypass_lan:
-        return ipaddress.ip_address(ip).is_private
-    return False
-
-
-class SyslogUDPHandler(socketserver.BaseRequestHandler):
+class SyslogUDPHandler(socketserver.DatagramRequestHandler):
     def __init__(self, request, client_address, server, ws_client):
         self.ws_client = ws_client
         super().__init__(request, client_address, server)
@@ -23,8 +16,6 @@ def handle(self):
         sip = msg["attack_sip"]
         if sip == "":
             return
-        if is_lan(sip):
-            return
         self.ws_client.send_alarm(sip, msg["alarm_sip"], "[" + msg["type"] + "]" + msg["vuln_type"])
 
 
@@ -36,7 +27,6 @@ def alarm_analysis(ws_client):
 
 if __name__ == "__main__":
     listen_syslog_udp_port = 567
-    bypass_lan = True  # 过滤内网攻击，True 开启 | False 关闭
     sec_auto_ban = SecAutoBan(
         server_ip="127.0.0.1",
         server_port=80,
diff --git a/device/alarm/sangfor_sip/README.md b/device/alarm/sangfor_sip/README.md
@@ -0,0 +1,46 @@
+# 深信服态势感知
+
+
+## 下载模块
+
+```
+wget https://raw.githubusercontent.com/SecAegis/SecAutoBan/main/device/alarm/sangfor_sip/sangfor_sip.py
+```
+
+## 配置说明
+
+### 配置深信服态势感知
+
+添加syslog推送，由于默认数据包过大，UDP存在截断问题，需选择TCP推送。
+
+### 安装依赖
+
+```
+pip3 install SecAutoBan
+```
+
+### 配置模块
+
+#### 修改回连核心模块配置
+
+更改脚本第`40`-`42`行
+
+```
+server_ip = "127.0.0.1",
+server_port = 80,
+sk = "sk-xxx",
+```
+
+#### 配置syslog监听地址
+
+更改脚本第`38`行，请与天眼SYSLOG中配置的端口一致
+
+```
+listen_syslog_tcp_port = 567
+```
+
+## 运行
+
+```shell
+python3 sangfor_sip.py
+```
diff --git a/device/alarm/sangfor_sip/sangfor_sip.py b/device/alarm/sangfor_sip/sangfor_sip.py
@@ -0,0 +1,46 @@
+import json
+import socketserver
+from SecAutoBan import SecAutoBan
+
+
+class SyslogTCPHandler(socketserver.BaseRequestHandler):
+    def __init__(self, request, client_address, server, ws_client):
+        self.ws_client = ws_client
+        super().__init__(request, client_address, server)
+    def handle(self):
+        buffer = b""
+        with self.request.makefile('rb') as f:
+            for chunk in f:
+                buffer += chunk
+                parts = buffer.split(b"\x00")
+                buffer = parts.pop()
+                for line in parts:
+                    line = line.strip()
+                    if not line:
+                        continue
+                    sub_parts = line.split(b"|!")
+                    if len(sub_parts) <= 3:
+                        continue
+                    try:
+                        msg = json.loads(sub_parts[3])
+                        self.ws_client.send_alarm(msg["attack_ip"], msg["suffer_ip"], msg["event_desc"])
+                    except Exception as e:
+                        pass
+
+
+def alarm_analysis(ws_client):
+    with socketserver.ThreadingTCPServer(("0.0.0.0", listen_syslog_tcp_port), lambda *args: SyslogTCPHandler(*args, ws_client=ws_client)) as server:
+        sec_auto_ban.print("[+] 监听SysLog端口: " + str(listen_syslog_tcp_port) + "/TCP")
+        server.serve_forever()
+
+
+if __name__ == "__main__":
+    listen_syslog_tcp_port = 567
+    sec_auto_ban = SecAutoBan(
+        server_ip="127.0.0.1",
+        server_port=80,
+        sk="sk-*****",
+        client_type="alarm",
+        alarm_analysis = alarm_analysis
+    )
+    sec_auto_ban.run()
diff --git a/device/alarm/venustech_qwaqtsgzxt/README.md b/device/alarm/venustech_qwaqtsgzxt/README.md
@@ -0,0 +1,49 @@
+# 启明星辰全网安全态势感知系统
+
+## 下载模块
+
+```
+wget https://raw.githubusercontent.com/SecAegis/SecAutoBan/main/device/alarm/venustech_qwaqtsgzxt/venustech_qwaqtsgzxt.py
+```
+
+## 配置说明
+
+### 配置全网安全态势感知系统
+
+通过`联动响应`-`日志外发配置`，添加syslog推送。
+
+![](./img/1.png)
+
+新增一条配置，服务器IP为本脚本运行的服务器IP，传输方式选择UDP，配置选择特征检测即可。
+
+### 安装依赖
+
+```
+pip3 install SecAutoBan
+```
+
+### 配置模块
+
+#### 修改回连核心模块配置
+
+更改脚本第`34`-`36`行
+
+```
+server_ip = "127.0.0.1",
+server_port = 80,
+sk = "sk-xxx",
+```
+
+#### 配置syslog监听地址
+
+更改脚本第`32`行，请与天眼SYSLOG中配置的端口一致
+
+```
+listen_syslog_udp_port = 567
+```
+
+## 运行
+
+```shell
+python3 venustech_qwaqtsgzxt.py
+```
diff --git a/device/alarm/venustech_qwaqtsgzxt/img/1.png b/device/alarm/venustech_qwaqtsgzxt/img/1.png
diff --git a/device/alarm/venustech_qwaqtsgzxt/venustech_qwaqtsgzxt.py b/device/alarm/venustech_qwaqtsgzxt/venustech_qwaqtsgzxt.py
@@ -0,0 +1,40 @@
+import json
+import socketserver
+from SecAutoBan import SecAutoBan
+
+
+class SyslogUDPHandler(socketserver.DatagramRequestHandler):
+    def __init__(self, request, client_address, server, ws_client):
+        self.ws_client = ws_client
+        super().__init__(request, client_address, server)
+    def handle(self):
+        data = self.request[0]
+        if len(data.split(b" respond:")) < 2:
+            return
+        data = json.loads(data.split(b" respond:")[1].decode())
+        src_ip = data["src_ip"]
+        if src_ip == "":
+            src_ip = data["src_ip_v6"]
+        dst_ip = data["dst_ip"]
+        if dst_ip == "":
+            dst_ip = data["dst_ip_v6"]
+        event_type = data["subject"]
+        self.ws_client.send_alarm(src_ip, dst_ip, event_type)
+
+
+def alarm_analysis(ws_client):
+    with socketserver.ThreadingUDPServer(("0.0.0.0", listen_syslog_udp_port), lambda *args: SyslogUDPHandler(*args, ws_client=ws_client)) as server:
+        sec_auto_ban.print("[+] 监听SysLog端口: " + str(listen_syslog_udp_port) + "/UDP")
+        server.serve_forever()
+
+
+if __name__ == "__main__":
+    listen_syslog_udp_port = 567
+    sec_auto_ban = SecAutoBan(
+        server_ip="127.0.0.1",
+        server_port=80,
+        sk="sk-*****",
+        client_type="alarm",
+        alarm_analysis = alarm_analysis
+    )
+    sec_auto_ban.run()
diff --git a/device/block/README.md b/device/block/README.md
@@ -8,3 +8,5 @@
 * [qianxin_firewall](./qianxin_firewall): 奇安信防火墙
 * [dingtalk_robot](./dingtalk_robot): 钉钉告警通知
 * [bgp](./bgp): BGP封禁
+* [topsec_firewall](./topsec_firewall): 天融信防火墙
+* [sangfor_firewall](./sangfor_firewall): 深信服防火墙
diff --git a/device/block/sangfor_firewall/README.md b/device/block/sangfor_firewall/README.md
@@ -0,0 +1,56 @@
+# 深信服防火墙
+
+深信服防火墙封禁模块
+
+## 下载模块
+
+```
+wget https://raw.githubusercontent.com/SecAegis/SecAutoBan/main/device/block/sangfor_firewall/sangfor_firewall.py
+```
+
+## 配置深信服防火墙
+
+添加API账号
+
+## 配置模块
+
+### 安装依赖
+
+```
+pip3 install SecAutoBan requests
+```
+
+### 修改配置
+
+#### 修改回连核心模块配置
+
+更改脚本第`108`-`110`行
+
+```
+server_ip = "127.0.0.1",
+server_port = 80,
+sk = "sk-xxx",
+```
+
+#### 修改与深信服防火墙连接的地址
+
+更改脚本第`103`行
+
+```
+"url": "http://xxx.xxx.xxx.xxx",
+```
+
+#### 填写深信服防火墙用户名密码
+
+更改脚本第`104`-`105`行
+
+```
+"username": "xxx",
+"password": "xxx",
+```
+
+## 运行
+
+```shell
+python3 sangfor_firewall.py
+```
diff --git a/device/block/sangfor_firewall/sangfor_firewall.py b/device/block/sangfor_firewall/sangfor_firewall.py
diff --git a/device/block/topsec_firewall/README.md b/device/block/topsec_firewall/README.md
diff --git a/device/block/topsec_firewall/img/1.png b/device/block/topsec_firewall/img/1.png
diff --git a/device/block/topsec_firewall/topsec_firewall.py b/device/block/topsec_firewall/topsec_firewall.py
