(Repost) Web log analysis scripts

    (1) When the log is large, split it first
    split -C 500m -a 2 src.log dst.log   # pieces of at most 500 MB, never cutting a line; two-letter suffixes (dst.logaa, dst.logab, ...)

    (2) Detect scanner probing
    grep -E -i "AppScan|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench" xx.log > scan.txt   # scanner names normally show up in the User-Agent field

    (3) Detect attack behaviour (count of matching lines)
    grep -E -i -c "%27|%3c%3e|and|union|exist|select|version|update|script|alert|XSS|document|asa|\.\.|uploadfile|\.jpg\.(asp|aspx|jsp|php)|passwd|boot\.ini|htaccess|web\.xml|bak|svn|inc|config|conf|conn\.asp|echo|mdb|cgi|dir|ipconfig|OPTIONS|PUT|HEAD|CMD|shell|info|bin|\(\)|cmd" xx.log
    # In the original the metacharacters were not escaped: ".." matched any two characters, "()" was an empty group and
    # "[asp|aspx|jsp|php]" was a character class, so the count covered nearly every line. Even escaped, bare words such
    # as "and", "dir", "info" and "bin" match ordinary URLs; drop them if the count is still noisy.

    (4) Detect webshell signatures
    grep -E -i -c "rootkit|3est|door|server|kim|phpspy|jspspy|command|shell|hack|f4ck|eval\(|system\(|\.jpg\.|editor|edit|fck" xx.log   # webshells and web editors (FCKeditor etc.); "eval(" must be written "eval\(" or grep -E rejects the unbalanced parenthesis

    (5) Detect CC (HTTP flood) attacks: the busiest source IPs
    awk '{print $1}' localhost_access_2014-09-12.log | sort | uniq -c | sort -nr | head -n 10   # top 10 IPs by request count

    (6) Most requested pages
    awk '{print $7}' localhost_access_2014-09-12.log | sort | uniq -c | sort -rn | head
    sed 's/^.*com\(.*\)\"/\1/g' localhost_access_2014-09-12.log | awk '{print $7}' | sort | uniq -c | sort -rn | head   # strip the scheme and host when the request field holds an absolute URL (backslashes restored; the source had lost them)
    grep "19/May/2010:00" access_log | awk '{print $7}' | sort | uniq -c | sort -nr | head -n 10   # top 10 URLs within one hour of the day
    cut -d ' ' -f 1 access_log | sort | uniq -c | sort -nr | head -n 10   # top 10 IPs; the original piped this through awk '{print $1}', which kept only the counts and discarded the IPs
    cut -d ' ' -f 1 access_log | sort | uniq -c | awk '$1 > 100' | sort -nr   # IPs that appear more than 100 times
    tail -10000 access_log | awk '{print $7}' | sort | uniq -c | sort -nr | less   # most requested files in the last 10,000 lines
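The triage steps of sections (2) to (6) as one runnable script, added here as an example and not part of the original post. It runs over a constructed combined-format access log (all addresses, paths and user agents are fictitious) and differs from the one-line greps above in one way worth copying: the scanner search looks only at the User-Agent field, so a scanner name that happens to appear in a URL or referer is not counted. The function names (scanner_ips, top_ips, busy_ips, top_urls) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: the triage steps of sections (2) to (6)
# run over a constructed combined-format access log. The scanner search looks only
# at the User-Agent field instead of the whole line.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT

# Constructed sample log: addresses, paths and user agents are fictitious.
cat > "$LOG" <<'EOF'
10.0.0.5 - - [12/Sep/2014:10:01:01 +0800] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2014:10:01:02 +0800] "GET /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.0"
10.0.0.5 - - [12/Sep/2014:10:01:03 +0800] "GET /upload/1.jpg.php HTTP/1.1" 404 100 "-" "sqlmap/1.0"
192.0.2.9 - - [12/Sep/2014:10:02:01 +0800] "GET /index.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Sep/2014:11:02:02 +0800] "GET /contact.html HTTP/1.1" 200 700 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2014:11:03:01 +0800] "GET /index.php HTTP/1.1" 200 90 "-" "Mozilla/5.0 AppScan"
EOF

# Scanner names from section (2). Splitting a combined-log line on '"' gives
# $1 = 'ip - - [time] ', $2 = request line, $3 = ' status bytes ', $6 = user agent.
SCANNER_RE='AppScan|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench'

scanner_ips() {  # usage: scanner_ips LOG -> unique IPs whose User-Agent names a scanner (section 2)
    awk -F'"' -v re="$SCANNER_RE" 'tolower($6) ~ tolower(re) { split($1, a, " "); print a[1] }' "$1" | sort -u
}

top_ips() {      # usage: top_ips LOG N -> "count ip", busiest first (section 5)
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | head -n "$2"
}

busy_ips() {     # usage: busy_ips LOG MIN -> "count ip" for IPs with more than MIN requests (section 6)
    awk '{ print $1 }' "$1" | sort | uniq -c | awk -v min="$2" '$1 > min { print $1, $2 }' | sort -rn
}

top_urls() {     # usage: top_urls LOG N [HOUR] -> "count url"; HOUR such as 12/Sep/2014:10 limits the count to that hour (section 6)
    awk -F'"' -v hour="$3" 'hour == "" || index($1, "[" hour ":") { split($2, r, " "); print r[2] }' "$1" \
        | sort | uniq -c | sort -rn | head -n "$2"
}

echo "== scanner IPs ==";           scanner_ips "$LOG"
echo "== top 3 IPs ==";             top_ips "$LOG" 3
echo "== IPs with > 2 requests =="; busy_ips "$LOG" 2
echo "== top URLs, 10:00 hour ==";  top_urls "$LOG" 3 12/Sep/2014:10
```

Splitting on the double quote rather than on spaces is what makes the field positions stable: a request line or user agent containing spaces shifts `$7` and `$9` in the space-split commands above, but not `$2` and `$6` here.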

    (7) Abnormal Windows Remote Desktop logons (LogParser over an exported Security log; the paths were garbled in the source and are restored here as C:\temp\...)
    LogParser file:C:\temp\sec.evtx -o:chart -chartType:Bar3d -chartTitle:"TOP 10 URL"   # note: the file: prefix names a text file containing the SQL query, so as written this line does not query the event log itself
    LogParser -i:evt -o:csv "select * from C:\temp\sec.evtx where Message like '%登录类型: 10%' and EventID = 4624" > C:\temp\sec_log.csv   # 4624 = successful logon, logon type 10 = RemoteInteractive (RDP); the Message strings match the Chinese-localized event text ("Logon Type: 10")
    LogParser -i:evt -o:csv "select * from C:\temp\sec.evtx where Message like '%登录类型: 10%' and Message like '%已成功登录帐户%' and Message not like '%192.168.%' and EventID = 4624" > C:\temp\sec_log_Type10_LoginSuccess_192.168.csv   # successful RDP logons ("An account was successfully logged on") not coming from 192.168.x.x
    LogParser -i:evt -o:csv "select * from C:\temp\sec.evtx where Message like '%已成功%' and Message not like '%192.168.%' and Message not like '%127.0.0.1%'" > C:\temp\sec_log_LoginSuccess_no192.168_no127.0.0.1.csv   # any successful logon from outside the LAN and loopback

    (8) Detect attack behaviour (broad keyword list; bare words such as "or", "and", "ma", "sb" and "pl" match almost every line, which is why step (10) prunes it)
    grep -E -i "test|shell|robots|backdoor|ma|mysql|sniffer|shacke|hack|diy|dbapp|fileupload|getpass|svchost|vnc|WEBproxy|root|mssql|help|sb|sql|cmd|rootkit|3est|door|server|kim|phpspy|jspspy|command|f4ck|eval\(|system\(|edit|fck|manage|admin|houtai|guanli|super|denglu|login|AppScan|wvs|acunetix|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|%27|%3c%3e|or|and|union|exists|select|version|update|order%20by|script|alert|XSS|onerror|msgbox|%3c%2f|prompt|document|\.asa|\.\.|uploadfile|\.jpg\.|passwd|\.ini|htaccess|web\.xml|bak|svn|inc|conf|conn|echo|mdb|cgi|pl|\.sh|dir|ipconfig|OPTIONS|PUT|HEAD|CMD|info|bin|\(\)|inculde|systme|eval" xx.log > scan.txt

    (9) Filter for common dynamic extensions (asp, jsp, php, shtml, ...)
    grep -E -i "\.asp|\.jsp|\.php|\.shtml|\.html|\.htm|\.ashx|\.cgi|\.perl|\.xml|\.shtm|\.sh|\.nsp|\.do|\.action|\.ini|\.jpg\.|passwd|\.bak|\.svn|\.inc|\.conf|\.mdb|OPTIONS|PUT|HEAD|echo|access|\.asa|sql|shell|\.\.|php3|\.cfc|Servlet" 0401-0512menhu_edall.log > 0401-0512menhu_edall_wz.log   # ".ashx.cgi" in the original was a typo for two alternatives

    (10) Further filtering
    If the two steps above still leave a large amount of data, filter a third time: take the keywords that produced the most false positives in step (9), remove them from the list, and run again.
    grep -E -i "test|shell|backdoor|muma|mysql|sniffer|shacke|hack|diy|dbapp|fileupload|getpass|svchost|vnc|WEBproxy|root|mssql|help|sb|sql|cmd|rootkit|3est|door|server|kim|phpspy|jspspy|command|f4ck|eval\(|system\(|editor|fck|manage|admin|houtai|guanli|super|denglu|login|AppScan|wvs|acunetix|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|%27|%3c%3e|or|and|union|exists|select|update|order%20by|script|alert|XSS|onerror|msgbox|%3c%2f|document|\.asa|\.\.|uploadfile|\.jpg\.|passwd|\.ini|htaccess|web\.xml|bak|svn|inc|conf|echo|mdb|cgi|\.pl|\.sh|ipconfig|OPTIONS|PUT|HEAD|CMD|info|\(\)|inculde|systme|eval" xx.log

    (11) Struts2 remote command execution signature (the OGNL context flags that the early Struts2 OGNL injection exploits toggle)
    attackRule=denyMethodExecution|allowStaticMethodAccess

    (12) SQL injection signature (backslashes restored; the source had lost them, turning \w, \d, \S and \W into plain letters)
    attackRule=(\w+)'|(\w+)%20and%20(\S+)|(\w+)%20or%20(\S+)|(\w+)=(\d+)-(\d+)|(\d+)>(\d+)|(\d+)<(\d+)|(\S)waitfor(\W+)delay(\S)|(\S)having(\W)|(\S)sleep(\W)|(\w)\+(\w)|(\w)#|(\w)--|(\w)/\*(\S)|(\w)&&(\W)|(\S)select(\W)|(\S)insert(\S+)into(\W)|(\S)delete(\W)|(\S)update(\W)|(\S)create(\W)|(\S)drop(\W)|(\S)exists(\W)|(\S)backup(\W)|(\S)order(\S+)by(\W)|(\S)group(\S+)by(\W)|(\S)exec(\S)|(\S)truncate(\S)|(\S)declare(\S)|(\S)@@version(\S)

    (13) XSS signature
    attackRule=(\S)%3C(\S+)%3E|(\S)%3C(\S+)%2F%3E|(\S+)<(\S+)>|(\S+)<(\S+)/>|onerror|onmouse|expression|"|alert|document\.|prompt\(

    (14) File inclusion and path traversal signature (%c0%ae is the overlong UTF-8 encoding of ".", %2E its plain URL encoding)
    attackRule=/etc/passwd|/%c0%ae%c0%ae|/%2E%2E|boot\.ini|win\.ini|\.\./|access\.log|httpd\.conf|nginx\.conf|/proc/self/environ

    (15) Common webshell signature (".asp;" and "/x.jpg/y.php" cover the IIS 6 semicolon and nginx/PHP path-info parsing tricks used to run uploaded files)
    attackRule=/cmd\.asp|/diy\.asp|\.asp;|/(\w+)\.(\w+)/(\w+)\.php|\.php\.|eval\(|%eval|\.jsp\?action=|fsaction=

    (16) Access to sensitive site files
    attackRule=/WEB-INF/web\.xml|applicationContext\.xml|/manager/html|/jmx-console/|\.properties|\.class|phpinfo\.php|/conn\.asp|/conn\.php|/conn\.jsp

    (17) Webshell and unauthorised login detection, keeping only requests the server answered with 200
    grep -E -i "rootkit\.|3est\.|door\.|kim\.|phpspy\.|jspspy\.|/command\.|shell\.|hack\.|f4ck\.|eval\(|system\(|\.jpg\.|action\.do|login|manager|super|editor|/proc/self/environ|/cmd\.|/diy\.|\.asp;|ma\.|/(\w+)\.(\w+)/(\w+)\.php|\.php\.|%eval|\.jsp\?action=|fsaction=|/manager/html|/jmx-console/|\.properties|\.class|/phpinfo\.|/conn\.|/config\." xx.log | awk '{print $7, $9}' | sort | uniq -c | sort -nr | grep -E " 200$" | more   # URL and status code; the original printed $7 and $9 with no separator, so "200$" could also match a URL ending in 200

    (18) Detect all attack behaviour (count of matching lines; the rules of (11) to (16) merged into one grep)
    grep -E -i -c "rootkit|3est|door|server|kim|phpspy|jspspy|command|shell|hack|f4ck|eval\(|system\(|\.jpg\.|AppScan|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|OPTIONS|PUT|HEAD|DEBUG|system|action|login|manager|super|editor|(\w+)%27|(\w+)%20and%20(\S+)|(\w+)%20or%20(\S+)|(\w+)=(\d+)-(\d+)|(\d+)>(\d+)|(\d+)<(\d+)|(\S)waitfor(\W+)delay(\S)|(\S)having(\W)|(\S)sleep(\W)|(\w)#|(\w)--|(\w)/\*(\S)|(\w)&&(\W)|(\S)select(\W)|(\S)insert(\S+)into(\W)|(\S)delete(\W)|(\S)update(\W)|(\S)create(\W)|(\S)drop(\W)|(\S)exists(\W)|(\S)backup(\W)|(\S)order(\S+)by(\W)|(\S)group(\S+)by(\W)|(\S)exec(\S)|(\S)truncate(\S)|(\S)declare(\S)|(\S)@@version(\S)|(\S)%3C(\S+)%3E|(\S)%3C(\S+)%2F%3E|(\S+)<(\S+)>|(\S+)<(\S+)/>|onerror|onmouse|expression|alert|document\.|prompt\(|/etc/passwd|/%c0%ae%c0%ae|/%2E%2E|boot\.ini|win\.ini|\.\./|access\.log|httpd\.conf|nginx\.conf|/proc/self/environ|/cmd\.asp|/diy\.asp|\.asp;|/(\w+)\.(\w+)/(\w+)\.php|\.php\.|%eval|\.jsp\?action=|fsaction=|/WEB-INF/web\.xml|applicationContext\.xml|/manager/html|/jmx-console/|\.properties|\.class|phpinfo\.php|/conn\.asp|/conn\.php|/conn\.jsp|config\.php" xx.log


    (19) When step (18) returns too many results, use this trimmed version (the bare-word and numeric-comparison terms that fire most often are dropped)
    grep -E -i -c "rootkit|3est|door|server|kim|phpspy|jspspy|command|shell|hack|f4ck|eval\(|system\(|\.jpg\.|AppScan|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|OPTIONS|PUT|HEAD|DEBUG|system|action|login|manager|super|editor/|(\w+)%27|(\w+)%20and%20(\S+)|(\w+)%20or%20(\S+)|(\d+)>(\d+)|(\d+)<(\d+)|(\S)waitfor(\W+)delay(\S)|(\S)having(\W)|(\S)sleep(\W)|(\w)--|(\S)select(\W)|(\S)insert(\S+)into(\W)|(\S)delete(\W)|(\S)update(\W)|(\S)create(\W)|(\S)drop(\W)|(\S)exists(\W)|(\S)backup(\W)|(\S)order(\S+)by(\W)|(\S)group(\S+)by(\W)|(\S)exec(\S)|(\S)truncate(\S)|(\S)declare(\S)|(\S)@@version(\S)|(\S)%3C(\S+)%3E|(\S)%3C(\S+)%2F%3E|(\S+)<(\S+)/>|onerror|onmouse|expression|alert|document\.|prompt\(|/etc/passwd|/%c0%ae%c0%ae|/%2E%2E|boot\.ini|win\.ini|\.\./|access\.log|httpd\.conf|nginx\.conf|/proc/self/environ|/cmd\.asp|/diy\.asp|\.asp;|/(\w+)\.(\w+)/(\w+)\.php|\.php\.|%eval|\.jsp\?action=|fsaction=|/WEB-INF/web\.xml|applicationContext\.xml|/manager/html|/jmx-console/|\.properties|\.class|phpinfo\.php|/conn\.asp|/conn\.php|/conn\.jsp|config\.php" xx.log

    (20) IPs with the most attack hits (run on the filtered attack log; only requests answered with 200 are counted)
    awk '{print $3, $4, $7, $8}' wapbank.log | grep -E "\s200\s" | awk '{print $1}' | sort | uniq -c | sort -nr   # field numbers assume the layout of the filtered file, not a raw combined log

    (21) Ranking of attack types
    grep -E "\s200\s" wapbank.log | awk '{print $2}' | sort | uniq -c | sort -nr > attackType.txt   # assumes the second field of the filtered file is the attack type tag

    (22) URL ranking for one IP
    grep -E "106\.38\.128\.101" access_log_edall.log | awk '{print $7}' | sort | uniq -c | sort -nr | more

    (23) Sorted request lines for one IP
    grep -E "42\.159\.142\.38" access_log_edall.log | sort | uniq -c | sort -nr | more

    (24) Requests from one IP that were answered with 200 OK
    grep -E "106\.120\.233\.64" access_log_edall.log | sort | uniq -c | sort -nr | grep -E "\s200\s"   # the source had lost the backslashes of \s200\s

    (25) Check whether the attacker reached the admin back end
    grep -E "83\.41\.2\.13" access_log_edall.log | sort | uniq -c | sort -nr | grep -E "\s200\s" | grep -E -n "manager|admin|login" | more   # a 200 on a manager/admin/login URL from the attacking IP needs a closer look
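Sections (11) to (16) define per-category rules, and sections (17), (20), (21) and (25) then rank the hits by hand with separate greps. The following script, added here as an example and not part of the original post, joins the two halves: it tags every request in a constructed combined-format access log (all addresses, paths and user agents are fictitious) with the first attackRule it matches, keeps the requests the server answered with 200, and ranks them by attack type and by source IP. The rule regexes are the page's own patterns with their backslashes restored and metacharacters escaped; the rule set is shortened to keep the block readable, and `\w`, `\S` and `\W` rely on GNU grep. The function names (classify, attack_type_ranking, attack_ip_ranking, admin_hits) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: tag each request in a constructed
# combined-format access log with the first attackRule of sections (11) to (16)
# that matches it, keep the requests answered with 200, and rank them by attack
# type and by source IP as sections (17), (20), (21) and (25) do by hand.

RULES=$(mktemp); LOG=$(mktemp)
trap 'rm -f "$RULES" "$LOG"' EXIT

# Rule table, one "<type> <regex>" per line. The regexes are the page's attackRule
# patterns with backslashes restored and '.', '(' and '?' escaped. Order matters:
# a request is tagged by the first rule that matches it.
printf '%s\n' \
  'struts2 denyMethodExecution|allowStaticMethodAccess' \
  'sqli (\w+)%27|(\w+)%20and%20(\S+)|(\w+)%20or%20(\S+)|(\S)waitfor(\W+)delay(\S)|(\S)sleep(\W)|(\S)select(\W)|(\S)union(\W)|(\S)@@version' \
  'xss (\S)%3C(\S+)%3E|(\S)%3C(\S+)%2F%3E|(\S+)<(\S+)>|onerror|onmouse|expression|alert\(|document\.|prompt\(' \
  'lfi /etc/passwd|/%c0%ae%c0%ae|/%2E%2E|boot\.ini|win\.ini|\.\./|httpd\.conf|nginx\.conf|/proc/self/environ' \
  'webshell /cmd\.asp|/diy\.asp|\.asp;|/(\w+)\.(\w+)/(\w+)\.php|\.php\.|eval\(|%eval|\.jsp\?action=|fsaction=' \
  'sensitive /WEB-INF/web\.xml|applicationContext\.xml|/manager/html|/jmx-console/|\.properties|\.class|phpinfo\.php|/conn\.(asp|php|jsp)' \
  > "$RULES"

# Constructed sample log: addresses, paths and user agents are fictitious.
cat > "$LOG" <<'EOF'
10.0.0.5 - - [12/Sep/2014:10:01:01 +0800] "GET /login.php?user=admin%27%20or%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0"
10.0.0.5 - - [12/Sep/2014:10:01:02 +0800] "GET /news.php?id=1%20and%201=1 HTTP/1.1" 200 900 "-" "sqlmap/1.0"
10.0.0.5 - - [12/Sep/2014:10:01:03 +0800] "GET /download.php?f=../../etc/passwd HTTP/1.1" 200 640 "-" "sqlmap/1.0"
10.0.0.5 - - [12/Sep/2014:10:01:04 +0800] "GET /manager/html HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Sep/2014:10:02:01 +0800] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Sep/2014:10:02:02 +0800] "GET /upload/x.jpg/y.php HTTP/1.1" 404 100 "-" "Mozilla/5.0"
203.0.113.4 - - [12/Sep/2014:10:03:01 +0800] "GET /products.html HTTP/1.1" 200 700 "-" "Mozilla/5.0"
203.0.113.4 - - [12/Sep/2014:10:03:02 +0800] "GET /login.action?('%23_memberAccess.allowStaticMethodAccess')(x)=true HTTP/1.1" 500 20 "-" "curl/7.0"
EOF

classify() {  # usage: classify LOG -> "type ip status url", one line per request that matches a rule
    pool=$(mktemp); rest=$(mktemp)
    # Reduce each line to "ip status url" so the rules see the request, not the referer or user agent.
    awk '{ split($0, f, "\""); split(f[1], a, " "); split(f[2], r, " "); split(f[3], s, " ")
           print a[1], s[1], r[2] }' "$1" > "$pool"
    while read -r type re; do
        grep -E -i "$re" "$pool" | awk -v t="$type" '{ print t, $0 }'
        grep -E -i -v "$re" "$pool" > "$rest" || true   # remove tagged lines so later rules do not retag them
        mv "$rest" "$pool"
    done < "$RULES"
    rm -f "$pool"
}

attack_type_ranking() {  # usage: attack_type_ranking LOG -> "count type" over requests answered 200 (section 21)
    classify "$1" | awk '$3 == "200" { print $1 }' | sort | uniq -c | sort -rn
}

attack_ip_ranking() {    # usage: attack_ip_ranking LOG -> "count ip" over requests answered 200 (section 20)
    classify "$1" | awk '$3 == "200" { print $2 }' | sort | uniq -c | sort -rn
}

admin_hits() {           # usage: admin_hits LOG IP -> manager/admin/login URLs that IP fetched with status 200 (section 25)
    awk -v ip="$2" '$1 == ip { split($0, f, "\""); split(f[2], r, " "); split(f[3], s, " ")
                               if (s[1] == "200") print r[2] }' "$1" | grep -E -i 'manager|admin|login' || true
}

echo "== tagged requests ==";               classify "$LOG"
echo "== attack types (200) ==";            attack_type_ranking "$LOG"
echo "== attack IPs (200) ==";              attack_ip_ranking "$LOG"
echo "== 10.0.0.5 reached admin pages =="; admin_hits "$LOG" 10.0.0.5
```

Two details are deliberate. Each request gets exactly one tag, so a SQL injection probe that also contains `<` is not counted twice, and the order of the rule table decides which tag wins; put the most specific rule (here the Struts2 one) first. The 200 filter is applied only at ranking time, so the tagged list still shows the 404 and 500 attempts, which is what tells you what the attacker tried before something worked.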

Original source: https://www.cnblogs.com/Cong0ks/p/15002428.html