(1)日志较大时,可选用如下命令对日志分割
# Cut a large log into ~500 MiB pieces (dst.logaa, dst.logab, ...) without
# splitting a line across two pieces; the two-letter suffix allows 676 pieces.
split --line-bytes=500m --suffix-length=2 -- src.log dst.log
(2)扫描器探测行为检测
# Scanner fingerprinting: keep every request line that carries a known
# vulnerability-scanner signature (mostly User-Agent strings) in scan.txt.
scanner_sig='AppScan|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench'
grep -E -i -e "$scanner_sig" -- xx.log > scan.txt
(3)攻击行为检测
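# Count request lines with generic attack keywords (SQLi, XSS, file probing, command words).
# Fixes against the original regex: `..` and `()` were unescaped, so they matched every
# line (any two chars / empty group) and -c simply reported the file's line count;
# `.jpg.[asp|aspx|jsp|php]` used a bracket class where a group was meant. Short words
# such as "and", "dir", "inc", "info", "bin" still produce many false positives — treat
# the count as a rough indicator, not a verdict.
attack_pattern='%27|%3c%3e|and|union|exist|select|version|update|script|alert|XSS|document|asa|\.\.|uploadfile|\.jpg\.(asp|aspx|jsp|php)|passwd|boot\.ini|htaccess|WEB\.xml|bak|svn|inc|config|conf|conn\.asp|echo|mdb|cgi|dir|ipconfig|OPTIONS|PUT|HEAD|CMD|shell|info|bin|\(\)|cmd'
grep -E -i -c -- "$attack_pattern" xx.log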
(4)木马特征检测
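# Count request lines carrying trojan / webshell / web-editor signatures.
# Fix: `eval(` and `system(` had unbalanced parentheses, which is a hard error under
# grep -E ("Unmatched ( or \("), so the original command produced no count at all;
# `.jpg.` is now a literal ".jpg." instead of "any char + jpg + any char".
trojan_pattern='rootkit|3est|door|server|kim|phpspy|jspspy|command|shell|hack|f4ck|eval\(|system\(|\.jpg\.|editor|edit|fck'
grep -E -i -c -- "$trojan_pattern" xx.log  # trojan and editor detection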
(5)CC攻击异常行为检测
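# CC/flood check: the 10 client addresses (field 1) with the most requests.
# awk reads the file directly; the `cat |` was an extra process for nothing.
awk '{print $1}' localhost_access_2014-09-12.log | sort | uniq -c | sort -nr | head -n 10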
(6)访问最多的页面
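# Most requested pages: rank the request field (field 7) by frequency.
# awk reads the file directly instead of through a needless `cat |`.
awk '{print $7}' localhost_access_2014-09-12.log | sort | uniq -c | sort -rn | head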
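# Same ranking, but with the scheme and host stripped from the request field first,
# so that http://www.example.com/a.jsp and /a.jsp are counted as one URL.
# NOTE(review): the original sed expression had lost its escapes in transcription and
# is not a valid s/// command; this is a reconstruction of its stated intent (strip the
# domain) applied to field 7 only — confirm it matches the log's request format.
strip_host='s#^[A-Za-z][A-Za-z0-9+.-]*://[^/]*##'
awk '{print $7}' localhost_access_2014-09-12.log | sed -E "$strip_host" | sort | uniq -c | sort -rn | head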
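# Top 10 requested URLs (field 7) during the hour 19/May/2010 00:xx.
# -F: the timestamp is a fixed string, so no regex interpretation is needed;
# grep reads the file directly instead of through `cat |`.
grep -F -- '19/May/2010:00' access_log | awk '{print $7}' | sort | uniq -c | sort -nr | head -n 10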
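# Top 10 client IPs by request count.
# Fix: after `uniq -c` each line is "<count> <ip>", so the original `awk '{print $1}'`
# printed the counts and discarded the IPs; field 2 is the address.
cut -d ' ' -f 1 -- access_log | sort | uniq -c | sort -nr | awk '{print $2}' | head -n 10 | less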
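# Client IPs seen more than 100 times, with their counts, highest first.
# `awk '$1 > 100'` is the idiomatic form of `{if ($1 > 100) print $0}`.
cut -d ' ' -f 1 -- access_log | sort | uniq -c | awk '$1 > 100' | sort -nr | less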
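# Most requested files (field 7) within the last 10000 log lines.
# `tail -n 10000` is the POSIX spelling of the obsolete `tail -10000`.
tail -n 10000 -- access_log | awk '{print $7}' | sort | uniq -c | sort -nr | less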
(7)Windows远程桌面异常登录
# Windows RDP logon review with Microsoft Log Parser — these run in a Windows shell, not bash.
# NOTE(review): the paths read "C: empsec.evtx" / "c: empsec_log.csv"; the backslashes were
# evidently lost in transcription (most likely C:\temp\sec.evtx and c:\temp\sec_log.csv) —
# restore them before use.
# Chart output for the event file; as written there is no SELECT query, so this line looks
# incomplete — TODO confirm the intended query.
LogParser file:C: empsec.evtx -o:chart -chartType:Bar3d -chartTitle:"TOP 10 URL"
# Event 4624 (successful logon) whose message reports logon type 10 (RemoteInteractive/RDP) -> CSV.
Logparser -i:evt -o:csv "select * from C: empsec.evtx where Message like '%登录类型: 10%' and EventID = 4624" > c: empsec_log.csv
# Same, narrowed to successful account logons whose message does not mention a 192.168.x address,
# i.e. RDP logons that did not come from that internal range.
Logparser -i:evt -o:csv "select * from C: empsec.evtx where Message like '%登录类型: 10%' and Message like '%已成功登录帐户%' and Message not like '%192.168.%' and EventID = 4624" > c: empsec_log_Type10_LoginSuccess_192.168.csv
# Any "success" message (all event IDs) that mentions neither 192.168.x nor 127.0.0.1.
Logparser -i:evt -o:csv "select * from C: empsec.evtx where Message like '%已成功%' and Message not like '%192.168.%' and Message not like '%127.0.0.1%'" > c: empsec_log_LoginSuccess_no192.168_no127.0.0.1.csv
(8)攻击行为检测
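# Broad attack sweep: scanner signatures, webshell names, admin paths, SQLi/XSS tokens,
# sensitive files and command words, written to scan.txt for later narrowing (step 10).
# Fixes: `eval(` / `system(` had unbalanced parentheses (a hard grep -E error), `()` was an
# empty group and `..` two wildcards (each matched every line), and the literal dots in
# .asa/.jpg./.ini/WEB.xml/.sh are now escaped. The duplicate "shell" entry was dropped.
# Very short terms ("or", "and", "ma", "sb", "pl", "dir", "inc") match almost anything —
# expect a large result set; "inculde" and "systme" are kept as in the original (typo or
# deliberate misspelling — TODO confirm).
broad_pattern='test|shell|robots|backdoor|ma|mysql|sniffer|shacke|hack|diy|dbapp|fileupload|getpass|svchost|vnc|WEBproxy|root|mssql|help|sb|sql|cmd|rootkit|3est|door|server|kim|phpspy|jspspy|command|f4ck|eval\(|system\(|edit|fck|manage|admin|houtai|guanli|super|denglu|login|AppScan|wvs|acunetix|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|%27|%3c%3e|or|and|union|exists|select|version|update|order%20by|script|alert|XSS|onerror|msgbox|%3c%2f|prompt|document|\.asa|\.\.|uploadfile|\.jpg\.|passwd|\.ini|htaccess|WEB\.xml|bak|svn|inc|conf|conn|echo|mdb|cgi|pl|\.sh|dir|ipconfig|OPTIONS|PUT|HEAD|CMD|info|bin|\(\)|inculde|systme|eval'
grep -E -i -- "$broad_pattern" xx.log > scan.txt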
(9)筛选asp|jsp|php|shtml等常见格式
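# Keep only requests for dynamic/script extensions and sensitive names, into *_wz.log.
# Fixes: every "." is now a literal dot (unescaped, `.asp` matched "xasp" too and `..`
# matched every line, making the filter a no-op); `.ashx.cgi` is split into `.ashx|.cgi`,
# which is almost certainly what was meant — TODO confirm.
ext_pattern='\.asp|\.jsp|\.php|\.shtml|\.html|\.htm|\.ashx|\.cgi|\.perl|\.xml|\.shtm|\.sh|\.nsp|\.do|\.action|\.ini|\.jpg\.|passwd|\.bak|\.svn|\.inc|\.conf|\.mdb|OPTIONS|PUT|HEAD|echo|access|\.asa|sql|shell|\.\.|php3|\.cfc|Servlet'
grep -E -i -- "$ext_pattern" 0401-0512menhu_edall.log > 0401-0512menhu_edall_wz.log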
(10)进一步筛选
针对以上两步筛选后仍有大量数据的情况,进行第三次筛选:根据第二步结果找出误报较多的关键词,并将其剔除。
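# Third-pass filter for when steps 8/9 still return too much: the step-8 list with the
# keywords that proved noisy removed (robots, ma, version, select, script, prompt, dir, bin...).
# No file argument is given, so this reads stdin — pipe the previous step's output into it.
# Fixes: `eval(` / `system(` had unbalanced parentheses (grep -E refuses the pattern),
# `()` and `..` matched every line, and literal dots are escaped.
refined_pattern='test|shell|backdoor|muma|mysql|sniffer|shacke|hack|diy|dbapp|fileupload|getpass|svchost|vnc|WEBproxy|root|mssql|help|sb|sql|cmd|rootkit|3est|door|server|kim|phpspy|jspspy|command|f4ck|eval\(|system\(|editor|fck|manage|admin|houtai|guanli|super|denglu|login|AppScan|wvs|acunetix|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|%27|%3c%3e|or|and|union|exists|select|update|order%20by|script|alert|XSS|onerror|msgbox|%3c%2f|document|\.asa|\.\.|uploadfile|\.jpg\.|passwd|\.ini|htaccess|WEB\.xml|bak|svn|inc|conf|echo|mdb|cgi|\.pl|\.sh|ipconfig|OPTIONS|PUT|HEAD|CMD|info|\(\)|inculde|systme|eval'
grep -E -i -- "$refined_pattern"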
(11)定义Struts2远程命令执行漏洞特征
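# Struts2 remote-command-execution indicator: OGNL sandbox flags seen in exploit payloads.
# Quoted: unquoted, the `|` made the shell run "allowStaticMethodAccess" as a command.
attackRule='denyMethodExecution|allowStaticMethodAccess'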
(12)定义SQL注入攻击特征
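# SQL-injection signature as a POSIX ERE (works with grep -E and bash [[ =~ ]]).
# The original had lost its backslashes (`(w+)` for `(\w+)` etc.) and was unquoted, so the
# shell parsed its `|`, `>` and `<` as pipes and redirections. Since POSIX ERE has no
# \w \W \d \S, the shorthands below stand in for them. `(\w)\+(\w)` and `/\*` are read as
# literal "+" and "/*" (SQL string concatenation / comment opener) — TODO confirm intent.
w='[[:alnum:]_]'; W='[^[:alnum:]_]'; d='[[:digit:]]'; S='[^[:space:]]'
attackRule="($w+)'|($w+)%20and%20($S+)|($w+)%20or%20($S+)|($w+)=($d+)-($d+)|($d+)>($d+)|($d+)<($d+)|($S)waitfor($W+)delay($S)|($S)having($W)|($S)sleep($W)|($w)\\+($w)|($w)#|($w)--|($w)/\\*($S)|($w)&&($W)|($S)select($W)|($S)insert($S+)into($W)|($S)delete($W)|($S)update($W)|($S)create($W)|($S)drop($W)|($S)exists($W)|($S)backup($W)|($S)order($S+)by($W)|($S)group($S+)by($W)|($S)exec($S)|($S)truncate($S)|($S)declare($S)|($S)@@version($S)"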
(13)定义XSS攻击特征
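# XSS signature as a POSIX ERE: encoded/raw tag pairs, event handlers, expression(),
# a double quote, and the usual alert/document./prompt( probes.
# The original had lost its backslashes (`(S)` for `(\S)`) and was unquoted, so the shell
# treated `<`, `>`, `|` and `"` as syntax. `$S` stands in for \S, which POSIX ERE lacks.
S='[^[:space:]]'
attackRule="($S)%3C($S+)%3E|($S)%3C($S+)%2F%3E|($S+)<($S+)>|($S+)<($S+)/>|onerror|onmouse|expression|\"|alert|document\\.|prompt\\("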
(14)定义文件包含和路径遍历攻击特征
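# File-inclusion / path-traversal signature: traversal sequences (raw, %2E%2E and the
# overlong-UTF-8 %c0%ae form) and files commonly read through them.
# Quoted, with every "." a literal dot; unquoted, the `|` made the shell pipe between
# non-existent commands.
attackRule='/etc/passwd|/%c0%ae%c0%ae|/%2E%2E|boot\.ini|win\.ini|\.\./|access\.log|httpd\.conf|nginx\.conf|/proc/self/environ'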
(15)定义常见WEBShell特征
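# Common WebShell signature as a POSIX ERE: known shell file names, IIS ";" / "name.ext/x.php"
# parsing tricks, double extensions and eval-style parameters.
# Quoted, with literal dots and parentheses escaped; unquoted, the `;` in `.asp;` ended the
# assignment and the rest was run as a command. `$w` stands in for \w, which ERE lacks.
w='[[:alnum:]_]'
attackRule="/cmd\\.asp|/diy\\.asp|\\.asp;|/($w+)\\.($w+)/($w+)\\.php|\\.php\\.|eval\\(|%eval|\\.jsp\\?action=|fsaction="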
(16)网站敏感文件访问
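# Sensitive-file access signature: deployment descriptors, management consoles, class and
# property files, phpinfo and DB connection scripts. Quoted, with literal dots escaped.
attackRule='/WEB-INF/WEB\.xml|applicationContext\.xml|/manager/html|/jmx-console/|\.properties|\.class|phpinfo\.php|/conn\.asp|/conn\.php|/conn\.jsp'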
(17)木马WEBshell及非法登录检测
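# Webshell / illegal-login hunt: signature hits, then "<count> <url> <status>" for those
# the server answered with 200 (field 7 = request, field 9 = status in the combined format).
# Fixes: `eval(` / `system(` had unbalanced parentheses (a hard grep -E error), literal dots
# are escaped, the undefined `\%` escape is dropped, and `.properties.class` is split into
# the two names used in step 16 — TODO confirm. URL and status are now printed with a
# space between them so "200" can only match the status field, not the end of a URL.
w='[[:alnum:]_]'
webshell_pattern="rootkit\\.|3est\\.|door\\.|kim\\.|phpspy\\.|jspspy\\.|/command\\.|shell\\.|hack\\.|f4ck\\.|eval\\(|system\\(|\\.jpg\\.|action\\.do|login|manager|super|editor|/proc/self/environ|/cmd\\.|/diy\\.|\\.asp;|ma\\.|/($w+)\\.($w+)/($w+)\\.php|\\.php\\.|%eval|\\.jsp\\?action=|fsaction=|/manage/html|/jmx-console/|\\.properties|\\.class|/phpinfo\\.|/conn\\.|/config\\."
grep -E -i -- "$webshell_pattern" xx.log | awk '{print $7, $9}' | sort | uniq -c | sort -nr | grep -E ' 200$' | more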
(18)所有攻击行为检测
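# Count lines matching the union of steps 2–4 and 11–16 (scanners, webshells, HTTP methods,
# SQLi, XSS, traversal, sensitive files) in the file named "locahost".
# Fixes: the pattern had lost its backslashes (`(w+)` for `(\w+)`, `eval(` unbalanced — a
# hard grep -E error) and every "." was a wildcard; `\w \W \d \S` are written with the
# POSIX classes below because ERE lacks them, and the duplicate `eval(` entry is dropped.
# NOTE(review): the file name "locahost" is kept verbatim from the original — confirm it is
# the real log name and not a typo for localhost*.
w='[[:alnum:]_]'; W='[^[:alnum:]_]'; d='[[:digit:]]'; S='[^[:space:]]'
all_attack_pattern="rootkit|3est|door|server|kim|phpspy|jspspy|command|shell|hack|f4ck|eval\\(|system\\(|\\.jpg\\.|AppScan|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|OPTIONS|PUT|HEAD|DEBUG|system|action|login|manager|super|editor|($w+)%27|($w+)%20and%20($S+)|($w+)%20or%20($S+)|($w+)=($d+)-($d+)|($d+)>($d+)|($d+)<($d+)|($S)waitfor($W+)delay($S)|($S)having($W)|($S)sleep($W)|($w)#|($w)--|($w)/\\*($S)|($w)&&($W)|($S)select($W)|($S)insert($S+)into($W)|($S)delete($W)|($S)update($W)|($S)create($W)|($S)drop($W)|($S)exists($W)|($S)backup($W)|($S)order($S+)by($W)|($S)group($S+)by($W)|($S)exec($S)|($S)truncate($S)|($S)declare($S)|($S)@@version($S)|($S)%3C($S+)%3E|($S)%3C($S+)%2F%3E|($S+)<($S+)>|($S+)<($S+)/>|onerror|onmouse|expression|alert|document\\.|prompt\\(|/etc/passwd|/%c0%ae%c0%ae|/%2E%2E|boot\\.ini|win\\.ini|\\.\\./|access\\.log|httpd\\.conf|nginx\\.conf|/proc/self/environ|/cmd\\.asp|/diy\\.asp|\\.asp;|/($w+)\\.($w+)/($w+)\\.php|\\.php\\.|%eval|\\.jsp\\?action=|fsaction=|/WEB-INF/WEB\\.xml|applicationContext\\.xml|/manager/html|/jmx-console/|\\.properties|\\.class|phpinfo\\.php|/conn\\.asp|/conn\\.php|/conn\\.jsp|config\\.php"
grep -E -i -c -- "$all_attack_pattern" locahost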
(19)第(18)步检测结果太多时,使用此精简版本
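# Trimmed variant of step 18 for when it matches too much: drops the noisiest SQL tokens
# (`=N-N`, `#`, `/*`, `&&`), the raw `<...>` pair, and anchors "editor" to "editor/".
# Same fixes as step 18: backslashes restored via POSIX classes (`(w+)` was `(\w+)`),
# `eval(` / `system(` balanced, literal dots escaped, duplicate `eval(` dropped.
# NOTE(review): the file name "locahost" is kept verbatim — confirm it is not a typo.
w='[[:alnum:]_]'; W='[^[:alnum:]_]'; d='[[:digit:]]'; S='[^[:space:]]'
slim_attack_pattern="rootkit|3est|door|server|kim|phpspy|jspspy|command|shell|hack|f4ck|eval\\(|system\\(|\\.jpg\\.|AppScan|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|OPTIONS|PUT|HEAD|DEBUG|system|action|login|manager|super|editor/|($w+)%27|($w+)%20and%20($S+)|($w+)%20or%20($S+)|($d+)>($d+)|($d+)<($d+)|($S)waitfor($W+)delay($S)|($S)having($W)|($S)sleep($W)|($w)--|($S)select($W)|($S)insert($S+)into($W)|($S)delete($W)|($S)update($W)|($S)create($W)|($S)drop($W)|($S)exists($W)|($S)backup($W)|($S)order($S+)by($W)|($S)group($S+)by($W)|($S)exec($S)|($S)truncate($S)|($S)declare($S)|($S)@@version($S)|($S)%3C($S+)%3E|($S)%3C($S+)%2F%3E|($S+)<($S+)/>|onerror|onmouse|expression|alert|document\\.|prompt\\(|/etc/passwd|/%c0%ae%c0%ae|/%2E%2E|boot\\.ini|win\\.ini|\\.\\./|access\\.log|httpd\\.conf|nginx\\.conf|/proc/self/environ|/cmd\\.asp|/diy\\.asp|\\.asp;|/($w+)\\.($w+)/($w+)\\.php|\\.php\\.|%eval|\\.jsp\\?action=|fsaction=|/WEB-INF/WEB\\.xml|applicationContext\\.xml|/manager/html|/jmx-console/|\\.properties|\\.class|phpinfo\\.php|/conn\\.asp|/conn\\.php|/conn\\.jsp|config\\.php"
grep -E -i -c -- "$slim_attack_pattern" locahost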
(20)查看攻击次数最多的IP
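# IPs with the most attack hits: project fields 3,4,7,8 of wapbank.log, keep only rows
# where one of them is a bare "200", then rank by the first projected field.
# awk reads the file directly; the GNU-only `\s` is replaced by the portable [[:space:]].
# NOTE(review): wapbank.log's column layout is not shown here — field meanings assumed from
# the original command.
awk '{print $3, $4, $7, $8}' wapbank.log | grep -E '[[:space:]]200[[:space:]]' | awk '{print $1}' | sort | uniq -c | sort -nr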
(21)查看攻击类型排名
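# Attack types ranked by hit count (field 2 of lines containing a bare "200"), to anttackType.txt.
# grep reads the file directly; the GNU-only `\s` is replaced by the portable [[:space:]].
# NOTE(review): the output name "anttackType.txt" is kept as in the original — probably a
# typo for attackType.txt; rename it if nothing else depends on it.
grep -E '[[:space:]]200[[:space:]]' wapbank.log | awk '{print $2}' | sort | uniq -c | sort -nr > anttackType.txt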
(22)查看某IP的URL排名
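# URLs (field 7) requested by one source address, ranked by frequency.
# -F -w: match the address as a fixed whole word; with the unescaped ERE dots the original
# also hit e.g. 1106.38.128.101 or 106x38x128x101.
ip='106.38.128.101'
grep -F -w -- "$ip" access_log_edall.log | awk '{print $7}' | sort | uniq -c | sort -nr | more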
(23)查看某IP的URL排序
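# All log lines from one source address, de-duplicated and ranked by repeat count.
# -F -w: fixed whole-word match, so the dots in the address are not wildcards and a longer
# address containing this one as a substring is not matched.
ip='42.159.142.38'
grep -F -w -- "$ip" access_log_edall.log | sort | uniq -c | sort -nr | more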
(24)查看某IP返回200ok的数据包请求
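# Requests from one source address that the server answered with 200, ranked by repeats.
# Fixes: -F -w makes the address a fixed whole word (ERE dots were wildcards), and the
# status filter was "s200s" — its `\s` escapes had been lost — so it matched nothing;
# [[:space:]]200[[:space:]] is the portable equivalent.
ip='106.120.233.64'
grep -F -w -- "$ip" access_log_edall.log | sort | uniq -c | sort -nr | grep -E '[[:space:]]200[[:space:]]'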
(25)查看攻击者是否成功登录后台
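# Did the attacker get into the back end? Successful (200) requests from the address that
# touch manager/admin/login paths, with line numbers in the ranked output.
# Fixes: -F -w for a fixed whole-word address match, and the status filter was "s200s"
# (lost `\s` escapes) so it matched nothing; [[:space:]]200[[:space:]] is the portable form.
ip='83.41.2.13'
grep -F -w -- "$ip" access_log_edall.log | sort | uniq -c | sort -nr | grep -E '[[:space:]]200[[:space:]]' | grep -E -n 'manager|admin|login' | more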