(转) web日志分析脚本

（1）日志较大时，可选用如下命令对日志分割
split -C 500m -a 2 src.log dst.log #按大小500M分割

（2）扫描器探测行为检测
grep -E -i "AppScan|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench" xx.log >scan.txt

（3）攻击行为检测
grep -E -i "%27|%3c%3e|and|union|exist|select|version|update|script|alert|XSS|document|asa|..|uploadfile|.jpg.[asp|aspx|jsp|php]|passwd|boot.ini|htaccess|WEB.xml|bak|svn|inc|config|conf|conn.asp|echo|mdb|cgi|dir|ipconfig|OPTIONS|PUT|HEAD|CMD|shell|info|bin|()|cmd" -c xx.log

（4）木马特征检测
grep -E -i "rootkit|3est|door|server|kim|phpspy|jspspy|command|shell|hack|f4ck|eval(|system(|.jpg.|editor|edit|fck" xx.log -c #木马及编辑器检测

（5）CC攻击异常行为检测
cat localhost_access_2014-09-12.log |awk '{print $1}'|sort |uniq -c|sort -nr|head -n 10

（6）访问最多的页面
cat localhost_access_2014-09-12.log |awk '{print $7}'|sort |uniq -c|sort -rn|head
cat localhost_access_2014-09-12.log |sed 's/^.*com/(.*/)/"//1/g'|awk '{print $7}'|sort |uniq -c|sort -rn|head #将域名内容去掉
cat access_log | grep "19/May/2010:00" | awk '{print $7}' | sort | uniq -c | sort -nr | head -n 10
#当天访问页面排前10的url
cat access_log |cut -d ' ' -f 1 |sort |uniq -c | sort -nr | awk '{print $1 }' | head -n 10 |less #查看日志中访问次数最多的前10个IP
cat access_log |cut -d ' ' -f 1 |sort |uniq -c | awk '{if ($1 > 100) print $0}'｜sort -nr |less #查看日志中出现100次以上的IP
cat access_log |tail -10000|awk '{print $7}'|sort|uniq -c|sort -nr|less #查看最近访问量最高的文件

（7）Windows远程桌面异常登录
LogParser file:C: empsec.evtx -o:chart -chartType:Bar3d -chartTitle:"TOP 10 URL"
Logparser -i:evt -o:csv "select * from C: empsec.evtx where Message like '%登录类型: 10%' and EventID = 4624" > c: empsec_log.csv
Logparser -i:evt -o:csv "select * from C: empsec.evtx where Message like '%登录类型: 10%' and Message like '%已成功登录帐户%' and Message not like '%192.168.%' and EventID = 4624" > c: empsec_log_Type10_LoginSuccess_192.168.csv
Logparser -i:evt -o:csv "select * from C: empsec.evtx where Message like '%已成功%' and Message not like '%192.168.%' and Message not like '%127.0.0.1%'" > c: empsec_log_LoginSuccess_no192.168_no127.0.0.1.csv

（8）攻击行为检测
grep -E -i "test|shell|robots|backdoor|ma|mysql|sniffer|shacke|hack|diy|dbapp|fileupload|getpass|svchost|vnc|WEBproxy|root|mssql|help|sb|sql|cmd|rootkit|3est|door|server|kim|phpspy|jspspy|command|shell|f4ck|eval(|system(|edit|fck|manage|admin|houtai|guanli|super|denglu|login|AppScan|wvs|acunetix|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|%27|%3c%3e|or|and|union|exists|select|version|update|order%20by|script|alert|XSS|onerror|msgbox|%3c%2f|prompt|document|.asa|..|uploadfile|.jpg.|passwd|.ini|htaccess|WEB.xml|bak|svn|inc|conf|conn|echo|mdb|cgi|pl|.sh|dir|ipconfig|OPTIONS|PUT|HEAD|CMD|info|bin|()|inculde|systme|eval" xx.log >scan.txt

（9）筛选asp|jsp|php|shtml等常见格式
grep -E -i ".asp|.jsp|.php|.shtml|.html|.htm|.ashx.cgi|.perl|.xml|.shtm|.sh|.nsp|.do|.action|.ini|.jpg.|passwd|.bak|.svn|.inc|.conf|.mdb|OPTIONS|PUT|HEAD|echo|access|.asa|sql|shell|..|php3|.cfc|Servlet" 0401-0512menhu_edall.log>0401-0512menhu_edall_wz.log

（10）进一步筛选
针对以上2步筛选后仍然有大量数据的,进行3次筛选;根据第二步结果找出误报较多的关键词,并将其剔除。
grep -E -i "test|shell|backdoor|muma|mysql|sniffer|shacke|hack|diy|dbapp|fileupload|getpass|svchost|vnc|WEBproxy|root|mssql|help|sb|sql|cmd|rootkit|3est|door|server|kim|phpspy|jspspy|command|f4ck|eval(|system(|editor|fck|manage|admin|houtai|guanli|super|denglu|login|AppScan|wvs|acunetix|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|%27|%3c%3e|or|and|union|exists|select|update|order%20by|script|alert|XSS|onerror|msgbox|%3c%2f|document|.asa|..|uploadfile|.jpg.|passwd|.ini|htaccess|WEB.xml|bak|svn|inc|conf|echo|mdb|cgi|.pl|.sh|ipconfig|OPTIONS|PUT|HEAD|CMD|info|()|inculde|systme|eval"

（11）定义Struts2远程命令执行漏洞特征
attackRule=denyMethodExecution|allowStaticMethodAccess

（12）定义SQL注入攻击特征
attackRule=(w+)'|(w+)%20and%20(S+)|(w+)%20or%20(S+)|(w+)=(d+)-(d+)|(d+)>(d+)|(d+)<(d+)|(S)waitfor(W+)delay(S)|(S)having(W)|(S)sleep(W)|(w)+(w)|(w)#|(w)--|(w)/*(S)|(w)&&(W)|(S)select(W)|(S)insert(S+)into(W)|(S)delete(W)|(S)update(W)|(S)create(W)|(S)drop(W)|(S)exists(W)|(S)backup(W)|(S)order(S+)by(W)|(S)group(S+)by(W)|(S)exec(S)|(S)truncate(S)|(S)declare(S)|(S)@@version(S)

（13）定义XSS攻击特征
attackRule=(S)%3C(S+)%3E|(S)%3C(S+)%2F%3E|(S+)<(S+)>|(S+)<(S+)/>|onerror|onmouse|expression|"|alert|document.|prompt(

（14）定义文件包含和路径遍历攻击特征
attackRule=/etc/passwd|/%c0%ae%c0%ae|/%2E%2E|boot.ini|win.ini|../|access.log|httpd.conf|nginx.conf|/proc/self/environ

（15）定义常见WEBShell特征
attackRule=/cmd.asp|/diy.asp|.asp;|/(w+).(w+)/(w+).php|.php.|eval(|%eval|.jsp?action=|fsaction=

（16）网站敏感文件访问
attackRule=/WEB-INF/WEB.xml|applicationContext.xml|/manager/html|/jmx-console/|.properties|.class|phpinfo.php|/conn.asp|/conn.php|/conn.jsp

（17）木马WEBshell及非法登陆检测
grep -E -i "rootkit.|3est.|door.|kim.|phpspy.|jspspy.|/command.|shell.|hack.|f4ck.|eval(|system(|.jpg.|action.do|login|manager|super|editor|/proc/self/environ|/cmd.|/diy.|.asp;|ma.|/(w+).(w+)/(w+).php|.php.|eval(|\%eval|.jsp?action=|fsaction=|/manage/html|/jmx-console/|.properties.class|/phpinfo.|/conn.|/config." xx.log |awk '{print $7 $9}'|sort | uniq -c |sort -nr | grep -E "200$" |more

（18）所有攻击行为检测
grep -E -i "rootkit|3est|door|server|kim|phpspy|jspspy|command|shell|hack|f4ck|eval(|system(|.jpg.|AppScan|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|OPTIONS|PUT|HEAD|DEBUG|system|action|login|manager|super|editor|(w+)%27|(w+)%20and%20(S+)|(w+)%20or%20(S+)|(w+)=(d+)-(d+)|(d+)>(d+)|(d+)<(d+)|(S)waitfor(W+)delay(S)|(S)having(W)|(S)sleep(W)|(w)#|(w)--|(w)/*(S)|(w)&&(W)|(S)select(W)|(S)insert(S+)into(W)|(S)delete(W)|(S)update(W)|(S)create(W)|(S)drop(W)|(S)exists(W)|(S)backup(W)|(S)order(S+)by(W)|(S)group(S+)by(W)|(S)exec(S)|(S)truncate(S)|(S)declare(S)|(S)@@version(S)|(S)%3C(S+)%3E|(S)%3C(S+)%2F%3E|(S+)<(S+)>|(S+)<(S+)/>|onerror|onmouse|expression|alert|document.|prompt(|/etc/passwd|/%c0%ae%c0%ae|/%2E%2E|boot.ini|win.ini|../|access.log|httpd.conf|nginx.conf|/proc/self/environ|/cmd.asp|/diy.asp|.asp;|/(w+).(w+)/(w+).php|.php.|eval(|%eval|.jsp?action=|fsaction=|/WEB-INF/WEB.xml|applicationContext.xml|/manager/html|/jmx-console/|.properties|.class|phpinfo.php|/conn.asp|/conn.php|/conn.jsp|config.php" locahost -c

（19）第18检测结果太多时，使用此精简部分
grep -E -i "rootkit|3est|door|server|kim|phpspy|jspspy|command|shell|hack|f4ck|eval(|system(|.jpg.|AppScan|CustomCookie|netsparker|sqlmap|Havij|Pangolin|nessus|Openvas|whatWEB|w3af|DirBuster|WEBbench|OPTIONS|PUT|HEAD|DEBUG|system|action|login|manager|super|editor/|(w+)%27|(w+)%20and%20(S+)|(w+)%20or%20(S+)|(d+)>(d+)|(d+)<(d+)|(S)waitfor(W+)delay(S)|(S)having(W)|(S)sleep(W)|(w)--|(S)select(W)|(S)insert(S+)into(W)|(S)delete(W)|(S)update(W)|(S)create(W)|(S)drop(W)|(S)exists(W)|(S)backup(W)|(S)order(S+)by(W)|(S)group(S+)by(W)|(S)exec(S)|(S)truncate(S)|(S)declare(S)|(S)@@version(S)|(S)%3C(S+)%3E|(S)%3C(S+)%2F%3E|(S+)<(S+)/>|onerror|onmouse|expression|alert|document.|prompt(|/etc/passwd|/%c0%ae%c0%ae|/%2E%2E|boot.ini|win.ini|../|access.log|httpd.conf|nginx.conf|/proc/self/environ|/cmd.asp|/diy.asp|.asp;|/(w+).(w+)/(w+).php|.php.|eval(|%eval|.jsp?action=|fsaction=|/WEB-INF/WEB.xml|applicationContext.xml|/manager/html|/jmx-console/|.properties|.class|phpinfo.php|/conn.asp|/conn.php|/conn.jsp|config.php" locahost -c

（20）查看攻击次数最多的IP
cat wapbank.log |awk '{print$3,$4,$7,$8}' | grep -E "\s200\s" | awk '{print $1}' | sort |uniq -c | sort -nr

（21）查看攻击类型排名
cat wapbank.log | grep -E "\s200\s" | awk '{print $2}' | sort |uniq -c | sort -nr >anttackType.txt

（22）查看某IPURL排名
grep -E "106.38.128.101" access_log_edall.log |awk '{print$7}' | sort |uniq -c |sort -nr | more

（23）查看某IPURL排序
grep -E "42.159.142.38" access_log_edall.log |sort | uniq -c | sort -nr |more

（24）查看某IP返回200ok的数据包请求
grep -E "106.120.233.64" access_log_edall.log |sort | uniq -c | sort -nr |grep -E "s200s"

（25）查看攻击是否登陆后台成功
grep -E "83.41.2.13" access_log_edall.log |sort | uniq -c | sort -nr |grep -E "s200s" |grep -E "manager|admin|login" -n |more