(转) web日志分析脚本

(1)日志较大时,可选用如下命令对日志分割
# Split a large log into pieces of at most 500 MB (dst.logaa, dst.logab, ...).
# --line-bytes (= -C) only breaks at line ends, so no record is cut in half;
# --suffix-length 2 gives two-letter suffixes.
split --line-bytes=500m --suffix-length=2 -- src.log dst.log

(2)扫描器探测行为检测
# Scanner fingerprinting: User-Agent / cookie strings that common web scanners
# leave in the request.  Case-insensitive; hits are written to scan.txt for triage.
grep -i -E -- 'AppScan|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench' xx.log > scan.txt

(3)攻击行为检测
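# Generic attack-pattern sweep over the whole log line; prints the number of
# matching lines.  NOTE(review): very noisy — tokens such as and|dir|bin|inc|
# info|bak|conf match ordinary traffic, so treat the count as a starting point.
# Fixes vs. the original: `.jpg.[asp|aspx|jsp|php]` was a bracket expression
# (one character out of "aspx|jh"), not the intended extension list; literal
# dots in boot.ini / WEB.xml / conn.asp are escaped as the later sections do.
attack_re='%27|%3c%3e|and|union|exist|select|version|update|script|alert|XSS|document|asa|\.\.|uploadfile|\.jpg\.(asp|aspx|jsp|php)|passwd|boot\.ini|htaccess|WEB\.xml|bak|svn|inc|config|conf|conn\.asp|echo|mdb|cgi|dir|ipconfig|OPTIONS|PUT|HEAD|CMD|shell|info|bin|\(\)|cmd'
grep -c -i -E -- "$attack_re" xx.log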

(4)木马特征检测
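# Webshell / online-editor sweep; prints the number of matching lines.
# `\.jpg\.` (dots escaped, as in the later sections) targets double-extension
# uploads such as x.jpg.php; the original unescaped `.jpg.` also hit e.g. "ajpgx".
# `edit` already covers `editor`; `server|command|kim|door` are noisy on real logs.
trojan_re='rootkit|3est|door|server|kim|phpspy|jspspy|command|shell|hack|f4ck|eval\(|system\(|\.jpg\.|editor|edit|fck'
grep -c -i -E -- "$trojan_re" xx.log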

(5)CC攻击异常行为检测
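# Top N client addresses by request count (field 1 = remote host).  A burst
# from one address is the usual CC/flood signature.  cat was dropped: awk
# reads the file itself.
# Arguments: $1 - access log, $2 - how many to show (default 10)
top_client_ips() {
  local log=$1 n=${2:-10}
  awk '{print $1}' "$log" | sort | uniq -c | sort -nr | head -n "$n"
}
top_client_ips localhost_access_2014-09-12.log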

(6)访问最多的页面
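# Top 10 requested paths (field 7 = request URI in the default access-log
# layout).  cat was dropped: awk reads the file itself.
# Arguments: $1 - access log
top_pages() {
  local log=$1
  awk '{print $7}' "$log" | sort | uniq -c | sort -rn | head
}
top_pages localhost_access_2014-09-12.log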
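# Same ranking, but with any scheme://host prefix stripped from the request
# field so absolute-URL requests fold into the same path.
# NOTE(review): the original sed expression (s/^.*com/(.*/)/"//1/g) is
# malformed and does not run; this awk implements what its comment asked for
# ("strip the domain part") — confirm against the real log layout.
strip_host='{u = $7; sub(/^[a-zA-Z]+:\/\/[^\/]+/, "", u); print u}'
awk "$strip_host" localhost_access_2014-09-12.log | sort | uniq -c | sort -rn | head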
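# Top 10 URLs requested during one day/hour: keep only lines carrying the
# timestamp prefix, then rank field 7.  The prefix is matched as a fixed
# string (-F) — it contains no regex metacharacters, so behaviour is unchanged.
# Arguments: $1 - access log, $2 - timestamp prefix as it appears in the log
top_pages_at() {
  local log=$1 when=$2
  grep -F -- "$when" "$log" | awk '{print $7}' | sort | uniq -c | sort -nr | head -n 10
}
top_pages_at access_log '19/May/2010:00'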
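# Top 10 client addresses by hit count.  The original piped uniq -c through
# awk '{print $1}', which printed only the counts and dropped the IP the
# section is about; print count and address.  cat was dropped.
# Arguments: $1 - access log
top_ips() {
  local log=$1
  cut -d ' ' -f 1 "$log" | sort | uniq -c | sort -nr | awk '{print $1, $2}' | head -n 10
}
top_ips access_log | less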
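# Client addresses with more than N hits (default 100, the original threshold),
# highest first.  The threshold is passed to awk with -v rather than being
# baked into the program text.  cat was dropped.
# Arguments: $1 - access log, $2 - minimum hit count (exclusive, default 100)
heavy_ips() {
  local log=$1 min=${2:-100}
  cut -d ' ' -f 1 "$log" | sort | uniq -c | awk -v min="$min" '$1 > min' | sort -nr
}
heavy_ips access_log | less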
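# Most requested paths within the last N lines of the log (default 10000).
# `tail -n` replaces the legacy `tail -10000` form; cat was dropped.
# Arguments: $1 - access log, $2 - number of trailing lines to consider
recent_top_files() {
  local log=$1 n=${2:-10000}
  tail -n "$n" "$log" | awk '{print $7}' | sort | uniq -c | sort -nr
}
recent_top_files access_log | less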

(7)Windows远程桌面异常登录
REM Section (7) uses Microsoft Log Parser on an exported Security log
REM (C:\temp\sec.evtx).  These are Windows command lines, not bash.
REM NOTE(review): "file:" normally names a query (.sql) file rather than the
REM event log, and a chart titled "TOP 10 URL" does not fit a Security log;
REM this line looks garbled -- confirm before relying on it.
LogParser file:C:\temp\sec.evtx -o:chart -chartType:Bar3d -chartTitle:"TOP 10 URL"
REM EventID 4624 = successful logon; the Message filter keeps logon type 10
REM (RemoteInteractive, i.e. RDP, matching the section title).  Matching on
REM localized Message text only works on a Chinese-language host; the
REM locale-independent Strings field is the more robust place to filter.
Logparser -i:evt -o:csv "select * from C:\temp\sec.evtx where Message like '%登录类型: 10%' and EventID = 4624" > c:\temp\sec_log.csv
REM Same, restricted to successful account logons whose text does not
REM mention the internal 192.168. range -- adjust the excluded range to the
REM site's LAN, otherwise internal RDP sessions are dropped silently.
Logparser -i:evt -o:csv "select * from C:\temp\sec.evtx where Message like '%登录类型: 10%' and Message like '%已成功登录帐户%' and Message not like '%192.168.%' and EventID = 4624" > c:\temp\sec_log_Type10_LoginSuccess_192.168.csv
REM Any "successful" event from a non-internal, non-loopback source.
REM NOTE(review): there is no EventID filter on this query, so every event
REM whose text contains the success phrase is returned, not only logons;
REM add "and EventID = 4624" if logons are what is wanted.
Logparser -i:evt -o:csv "select * from C:\temp\sec.evtx where Message like '%已成功%' and Message not like '%192.168.%' and Message not like '%127.0.0.1%'" > c:\temp\sec_log_LoginSuccess_no192.168_no127.0.0.1.csv

(8)攻击行为检测
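# Broad first-pass attack sweep: scanner names, webshell/editor names, admin
# and login paths, SQLi/XSS fragments and sensitive files; hits go to scan.txt.
# NOTE(review): `or|and|ma|sb|root|help|info|bin|dir|edit|super|login` match
# most ordinary traffic — section (10) is the author's own pruning of this list.
# Fixes vs. the original: bare `pl` (which hit "apple", "reply", ...) is the
# `\.pl` extension, as section (10) already has it; `WEB.xml` escapes its dot
# as in sections (16) and (18).
attack_re='test|shell|robots|backdoor|ma|mysql|sniffer|shacke|hack|diy|dbapp|fileupload|getpass|svchost|vnc|WEBproxy|root|mssql|help|sb|sql|cmd|rootkit|3est|door|server|kim|phpspy|jspspy|command|shell|f4ck|eval\(|system\(|edit|fck|manage|admin|houtai|guanli|super|denglu|login|AppScan|wvs|acunetix|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|%27|%3c%3e|or|and|union|exists|select|version|update|order%20by|script|alert|XSS|onerror|msgbox|%3c%2f|prompt|document|\.asa|\.\.|uploadfile|\.jpg\.|passwd|\.ini|htaccess|WEB\.xml|bak|svn|inc|conf|conn|echo|mdb|cgi|\.pl|\.sh|dir|ipconfig|OPTIONS|PUT|HEAD|CMD|info|bin|\(\)|inculde|systme|eval'
grep -i -E -- "$attack_re" xx.log > scan.txt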

(9)筛选asp|jsp|php|shtml等常见格式
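# Keep only requests for dynamic/sensitive extensions and a few method and
# path oddities; the result file feeds the next two filtering passes.
# Fix vs. the original: `\.ashx\.cgi` lacked the `|` between the two
# extensions, so neither .ashx nor .cgi requests were ever selected.
ext_re='\.asp|\.jsp|\.php|\.shtml|\.html|\.htm|\.ashx|\.cgi|\.perl|\.xml|\.shtm|\.sh|\.nsp|\.do|\.action|\.ini|\.jpg\.|passwd|\.bak|\.svn|\.inc|\.conf|\.mdb|OPTIONS|PUT|HEAD|echo|access|\.asa|sql|shell|\.\.|php3|\.cfc|Servlet'
grep -i -E -- "$ext_re" 0401-0512menhu_edall.log > 0401-0512menhu_edall_wz.log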

(10)进一步筛选
针对以上2步筛选后仍然有大量数据的,进行3次筛选;根据第二步结果找出误报较多的关键词,并将其剔除。
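# Third pass: section (8)'s list with its worst false-positive keywords
# removed, applied to the file section (9) produced.  The original line gave
# grep no input file, so run as written it just blocked on stdin; the input is
# presumably section (9)'s output — confirm.  `WEB.xml` now escapes its dot.
# `or|and|sb|root|help|info` are still in the list and still match a lot.
refine_re='test|shell|backdoor|muma|mysql|sniffer|shacke|hack|diy|dbapp|fileupload|getpass|svchost|vnc|WEBproxy|root|mssql|help|sb|sql|cmd|rootkit|3est|door|server|kim|phpspy|jspspy|command|f4ck|eval\(|system\(|editor|fck|manage|admin|houtai|guanli|super|denglu|login|AppScan|wvs|acunetix|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|%27|%3c%3e|or|and|union|exists|select|update|order%20by|script|alert|XSS|onerror|msgbox|%3c%2f|document|\.asa|\.\.|uploadfile|\.jpg\.|passwd|\.ini|htaccess|WEB\.xml|bak|svn|inc|conf|echo|mdb|cgi|\.pl|\.sh|ipconfig|OPTIONS|PUT|HEAD|CMD|info|\(\)|inculde|systme|eval'
grep -i -E -- "$refine_re" 0401-0512menhu_edall_wz.log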

(11)定义Struts2远程命令执行漏洞特征
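# Struts2 RCE signature: the OGNL context flags that the exploit payloads
# toggle (see the section title).  Quoted so the `|` is part of the pattern —
# unquoted, the shell ran `allowStaticMethodAccess` as a command instead.
attackRule='denyMethodExecution|allowStaticMethodAccess'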

(12)定义SQL注入攻击特征
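# SQL injection signature: quote/comment breakouts, boolean tails, time-based
# probes and SQL keywords bracketed by non-space/non-word characters.
# Quoted so the shell does not parse the parentheses; `\d` is not POSIX ERE
# (GNU grep -E treats it as a literal d), so digits are `[0-9]` here.
attackRule="(\w+)'|(\w+)%20and%20(\S+)|(\w+)%20or%20(\S+)|(\w+)=([0-9]+)-([0-9]+)|([0-9]+)>([0-9]+)|([0-9]+)<([0-9]+)|(\S)waitfor(\W+)delay(\S)|(\S)having(\W)|(\S)sleep(\W)|(\w)\+(\w)|(\w)\#|(\w)--|(\w)\/\*(\S)|(\w)\&\&(\W)|(\S)select(\W)|(\S)insert(\S+)into(\W)|(\S)delete(\W)|(\S)update(\W)|(\S)create(\W)|(\S)drop(\W)|(\S)exists(\W)|(\S)backup(\W)|(\S)order(\S+)by(\W)|(\S)group(\S+)by(\W)|(\S)exec(\S)|(\S)truncate(\S)|(\S)declare(\S)|(\S)@@version(\S)"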

(13)定义XSS攻击特征
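# XSS signature: URL-encoded and raw tags, on* event handlers, CSS
# expression(), and the usual alert/document/prompt probes.  Quoted so the
# shell does not parse the parentheses; `\"` is a literal double quote, and
# `alert|expression` also match benign JavaScript paths.
attackRule='(\S)%3C(\S+)%3E|(\S)%3C(\S+)%2F%3E|(\S+)<(\S+)>|(\S+)<(\S+)\/>|onerror|onmouse|expression|\"|alert|document\.|prompt\('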

(14)定义文件包含和路径遍历攻击特征
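# File inclusion / path traversal signature: well-known local files, raw and
# overlong-UTF-8 encoded "..", and server config files.  Quoted so the shell
# does not try to run the `|`-separated pieces as commands.
attackRule='/etc/passwd|\/%c0%ae%c0%ae|\/%2E%2E|boot\.ini|win\.ini|\.\.\/|access\.log|httpd\.conf|nginx\.conf|/proc/self/environ'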

(15)定义常见WEBShell特征
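# Common webshell paths and invocation fragments (double extensions, IIS
# ".asp;" parsing trick, eval calls).  Quoted so the shell does not parse the
# parentheses.  Fix vs. the original: `\.jsp?action=` made the "p" optional
# and matched ".jsaction=" rather than ".jsp?action="; the `?` is now escaped.
attackRule='\/cmd\.asp|\/diy\.asp|\.asp;|\/(\w+)\.(\w+)\/(\w+)\.php|\.php\.|eval\(|%eval|\.jsp\?action=|fsaction='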

(16)网站敏感文件访问
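# Sensitive-file and management-console access signature (WEB-INF, Spring
# context, Tomcat manager, JBoss jmx-console, DB connection includes).
# Quoted so the shell does not run the `|`-separated pieces as commands.
# `\.class` and `\.properties` also match any path merely containing them.
attackRule='\/WEB-INF\/WEB\.xml|applicationContext\.xml|\/manager\/html|\/jmx-console\/|\.properties|\.class|phpinfo\.php|\/conn\.asp|\/conn\.php|\/conn\.jsp'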

(17)木马WEBshell及非法登陆检测
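# Webshell / illegal-login sweep restricted to requests that were answered
# 200: match the line, glue path ($7) and status ($9) together, count, and
# keep the ones ending in 200.  Fixes vs. the original: `\.properties\.class`
# lacked the `|` between the two extensions (compare sections (16)/(18));
# `\.jsp?action=` escapes its `?`; the duplicate `eval\(` and the stray
# backslash in `\%eval` are gone.  NOTE(review): `login|manager|super|editor`
# match ordinary traffic, and a 200 on a login URL does not prove the login
# succeeded — login pages usually answer 200 on failure too.
webshell_re='rootkit\.|3est\.|door\.|kim\.|phpspy\.|jspspy\.|\/command\.|shell\.|hack\.|f4ck\.|eval\(|system\(|\.jpg\.|action\.do|login|manager|super|editor|\/proc\/self\/environ|\/cmd\.|\/diy\.|\.asp;|ma\.|\/(\w+)\.(\w+)\/(\w+)\.php|\.php\.|%eval|\.jsp\?action=|fsaction=|\/manage\/html|\/jmx-console\/|\.properties|\.class|\/phpinfo\.|\/conn\.|\/config\.'
grep -i -E -- "$webshell_re" xx.log | awk '{print $7 $9}' | sort | uniq -c | sort -nr | grep -E '200$' | more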

(18)所有攻击行为检测
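# Union of sections (2)-(16): scanners, webshells, SQLi, XSS, traversal and
# sensitive files in one pattern; prints the number of matching lines.
# Fixes vs. the original: `\d` is not POSIX ERE (GNU grep -E reads it as a
# literal d), so digit groups are `[0-9]+`; `\.jsp?action=` escapes its `?`.
# NOTE(review): the input file name `locahost` looks like a typo for
# localhost (or a log named after it) — confirm.  `system|action|login|
# server|door|PUT|HEAD` alone match a large share of normal traffic.
all_attacks_re='rootkit|3est|door|server|kim|phpspy|jspspy|command|shell|hack|f4ck|eval\(|system\(|\.jpg\.|AppScan|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|OPTIONS|PUT|HEAD|DEBUG|system|action|login|manager|super|editor|(\w+)%27|(\w+)%20and%20(\S+)|(\w+)%20or%20(\S+)|(\w+)=([0-9]+)-([0-9]+)|([0-9]+)>([0-9]+)|([0-9]+)<([0-9]+)|(\S)waitfor(\W+)delay(\S)|(\S)having(\W)|(\S)sleep(\W)|(\w)\#|(\w)--|(\w)\/\*(\S)|(\w)\&\&(\W)|(\S)select(\W)|(\S)insert(\S+)into(\W)|(\S)delete(\W)|(\S)update(\W)|(\S)create(\W)|(\S)drop(\W)|(\S)exists(\W)|(\S)backup(\W)|(\S)order(\S+)by(\W)|(\S)group(\S+)by(\W)|(\S)exec(\S)|(\S)truncate(\S)|(\S)declare(\S)|(\S)@@version(\S)|(\S)%3C(\S+)%3E|(\S)%3C(\S+)%2F%3E|(\S+)<(\S+)>|(\S+)<(\S+)\/>|onerror|onmouse|expression|alert|document\.|prompt\(|\/etc\/passwd|\/%c0%ae%c0%ae|\/%2E%2E|boot\.ini|win\.ini|\.\.\/|access\.log|httpd\.conf|nginx\.conf|\/proc\/self\/environ|\/cmd\.asp|\/diy\.asp|\.asp;|\/(\w+)\.(\w+)\/(\w+)\.php|\.php\.|eval\(|%eval|\.jsp\?action=|fsaction=|\/WEB-INF\/WEB\.xml|applicationContext\.xml|\/manager\/html|\/jmx-console\/|\.properties|\.class|phpinfo\.php|\/conn\.asp|\/conn\.php|\/conn\.jsp|config\.php'
grep -c -i -E -- "$all_attacks_re" locahost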


(19)第18检测结果太多时,使用此精简部分
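# Section (18) with its noisiest alternatives dropped (`editor` narrowed to
# `editor\/`, several SQL/XSS fragments removed); prints the match count.
# Same fixes as (18): `[0-9]+` instead of the non-ERE `\d+`, and `\.jsp\?action=`.
# NOTE(review): input file `locahost` looks like a typo for localhost — confirm.
all_attacks_lite_re='rootkit|3est|door|server|kim|phpspy|jspspy|command|shell|hack|f4ck|eval\(|system\(|\.jpg\.|AppScan|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|OPTIONS|PUT|HEAD|DEBUG|system|action|login|manager|super|editor\/|(\w+)%27|(\w+)%20and%20(\S+)|(\w+)%20or%20(\S+)|([0-9]+)>([0-9]+)|([0-9]+)<([0-9]+)|(\S)waitfor(\W+)delay(\S)|(\S)having(\W)|(\S)sleep(\W)|(\w)--|(\S)select(\W)|(\S)insert(\S+)into(\W)|(\S)delete(\W)|(\S)update(\W)|(\S)create(\W)|(\S)drop(\W)|(\S)exists(\W)|(\S)backup(\W)|(\S)order(\S+)by(\W)|(\S)group(\S+)by(\W)|(\S)exec(\S)|(\S)truncate(\S)|(\S)declare(\S)|(\S)@@version(\S)|(\S)%3C(\S+)%3E|(\S)%3C(\S+)%2F%3E|(\S+)<(\S+)\/>|onerror|onmouse|expression|alert|document\.|prompt\(|\/etc\/passwd|\/%c0%ae%c0%ae|\/%2E%2E|boot\.ini|win\.ini|\.\.\/|access\.log|httpd\.conf|nginx\.conf|\/proc\/self\/environ|\/cmd\.asp|\/diy\.asp|\.asp;|\/(\w+)\.(\w+)\/(\w+)\.php|\.php\.|eval\(|%eval|\.jsp\?action=|fsaction=|\/WEB-INF\/WEB\.xml|applicationContext\.xml|\/manager\/html|\/jmx-console\/|\.properties|\.class|phpinfo\.php|\/conn\.asp|\/conn\.php|\/conn\.jsp|config\.php'
grep -c -i -E -- "$all_attacks_lite_re" locahost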

(20)查看攻击次数最多的IP
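# Addresses with the most 200-answered hits: project fields 3,4,7,8, keep
# rows with a " 200 " cell, rank field 3.  cat was dropped; `[[:space:]]` is
# the POSIX spelling of the original `\s`.
# NOTE(review): assumes field 3 is the client address and the status sits in
# field 4, 7 or 8 of wapbank.log — confirm against that log's layout.
# Arguments: $1 - log file
top_attack_ips() {
  local log=$1
  awk '{print $3, $4, $7, $8}' "$log" | grep -E '[[:space:]]200[[:space:]]' | awk '{print $1}' | sort | uniq -c | sort -nr
}
top_attack_ips wapbank.log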

(21)查看攻击类型排名
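# Rank field 2 (the "attack type" column of wapbank.log, per the section title)
# over rows answered 200; result saved to anttackType.txt (name kept as in the
# original).  cat was dropped; `[[:space:]]` is the POSIX spelling of `\s`.
# Arguments: $1 - log file
attack_types() {
  local log=$1
  grep -E '[[:space:]]200[[:space:]]' "$log" | awk '{print $2}' | sort | uniq -c | sort -nr
}
attack_types wapbank.log > anttackType.txt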

(22)查看某IP的URL排名
grep -E "106.38.128.101" access_log_edall.log |awk '{print$7}' | sort |uniq -c |sort -nr | more

(23)查看某IP的URL排序
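# Distinct log lines for one client address, most repeated first (lines with
# different timestamps never collapse, so this mostly lists the requests).
# The address is matched as a fixed string (-F) so its dots are literal.
# Arguments: $1 - client address, $2 - access log
ip_request_rank() {
  local ip=$1 log=$2
  grep -F -- "$ip" "$log" | sort | uniq -c | sort -nr
}
ip_request_rank '42.159.142.38' access_log_edall.log | more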

(24)查看某IP返回200ok的数据包请求
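# Requests from one client address that were answered 200, most repeated
# first.  The address is matched as a fixed string (-F) so its dots are
# literal; `[[:space:]]` is the POSIX spelling of the original `\s`.
# Arguments: $1 - client address, $2 - access log
ip_ok_requests() {
  local ip=$1 log=$2
  grep -F -- "$ip" "$log" | sort | uniq -c | sort -nr | grep -E '[[:space:]]200[[:space:]]'
}
ip_ok_requests '106.120.233.64' access_log_edall.log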

(25)查看攻击是否登陆后台成功
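# 200-answered requests from one client address that touch admin/login
# paths, with -n line numbers as in the original.  The address is matched as
# a fixed string (-F).  NOTE(review): a 200 on a login URL does not show the
# login succeeded — login forms normally answer 200 on failure as well; look
# for the post-login redirect or the application's own auth log.
# Arguments: $1 - client address, $2 - access log
ip_admin_ok() {
  local ip=$1 log=$2
  grep -F -- "$ip" "$log" | sort | uniq -c | sort -nr | grep -E '[[:space:]]200[[:space:]]' | grep -n -E 'manager|admin|login'
}
ip_admin_ok '83.41.2.13' access_log_edall.log | more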
