analyzing-web-server-logs-for-intrusion
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/analyzing-web-server-logs-for-intrusionDetect web intrusions by parsing server logs for attack patterns.
- Identifies SQL injection, directory traversal, and brute-force attempts.
- Integrates GeoIP enrichment and OWASP signature matching.
- Uses regex pattern matching and statistical anomaly detection.
- Outputs structured findings with source attribution and severity.
SKILL.md
.github/skills/analyzing-web-server-logs-for-intrusionView on GitHub ↗
--- name: analyzing-web-server-logs-for-intrusion description: >- Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers. domain: cybersecurity subdomain: security-operations tags: [analyzing, web, server, logs] version: "1.0" author: mahipal license: Apache-2.0 --- # Analyzing Web Server Logs for Intrusion ## When to Use - When investigating security incidents that require analyzing web server logs for intrusion - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Familiarity with security operations concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Instructions 1. Install dependencies: `pip install geoip2 user-agents` 2. Collect web server access logs in Combined Log Format (Apache) or Nginx default format. 3. Parse each log entry extracting: IP, timestamp, method, URI, status code, response size, user-agent, referer. 4. Apply detection rules: - SQL injection: `UNION SELECT`, `OR 1=1`, `' OR '`, hex encoding patterns - LFI/Path traversal: `../`, `/etc/passwd`, `/proc/self`, `php://filter` - XSS: `<script>`, `javascript:`, `onerror=`, `onload=` - Scanner signatures: nikto, sqlmap, dirbuster, gobuster, wfuzz user-agents - Brute force: >50 POST requests to login endpoints from same IP in 5 minutes 5. Enrich with GeoIP data and generate a prioritized findings report. ```bash python scripts/agent.py --log-file /var/log/nginx/access.log --geoip-db GeoLite2-City.mmdb --output web_intrusion_report.json ``` ## Examples ### Detect SQLi in URI ``` 192.168.1.100 - - [15/Jan/2024:10:30:45 +0000] "GET /products?id=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 4532 ``` ### Scanner User-Agent Detection ``` Nikto/2.1.6, sqlmap/1.7, DirBuster-1.0-RC1, gobuster/3.1.0 ```
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.