Back to Details

analyzing-web-server-logs-for-intrusion

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Analyzing Web Server Logs for Intrusion

分析Web服务器日志以检测入侵

When to Use

使用场景

  • When investigating security incidents that require analyzing web server logs for intrusion
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques
  • 当需要分析Web服务器日志来调查安全事件时
  • 当为此领域构建检测规则或威胁狩猎查询时
  • 当SOC分析师需要此类分析的结构化流程时
  • 当验证相关攻击技术的安全监控覆盖范围时

Prerequisites

前提条件

  • Familiarity with security operations concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities
  • 熟悉安全运营概念与工具
  • 可访问测试或实验室环境以安全执行操作
  • 安装Python 3.8及以上版本并配置好所需依赖
  • 拥有任何测试活动的适当授权

Instructions

操作步骤

  1. Install dependencies: 
    pip install geoip2 user-agents
  2. Collect web server access logs in Combined Log Format (Apache) or Nginx default format.
  3. Parse each log entry extracting: IP, timestamp, method, URI, status code, response size, user-agent, referer.
  4. Apply detection rules:
    • SQL injection: 
      UNION SELECT
      , 
      OR 1=1
      , 
      ' OR '
      , hex encoding patterns
    • LFI/Path traversal: 
      ../
      , 
      /etc/passwd
      , 
      /proc/self
      , 
      php://filter
    • XSS: 
      <script>
      , 
      javascript:
      , 
      onerror=
      , 
      onload=
    • Scanner signatures: nikto, sqlmap, dirbuster, gobuster, wfuzz user-agents
    • Brute force: >50 POST requests to login endpoints from same IP in 5 minutes
  5. Enrich with GeoIP data and generate a prioritized findings report.
bash
python scripts/agent.py --log-file /var/log/nginx/access.log --geoip-db GeoLite2-City.mmdb --output web_intrusion_report.json
  1. 安装依赖:
    pip install geoip2 user-agents
  2. 收集Combined Log Format(Apache)或Nginx默认格式的Web服务器访问日志。
  3. 解析每条日志条目,提取以下信息:IP地址、时间戳、请求方法、URI、状态码、响应大小、用户代理(user-agent)、引用页(referer)。
  4. 应用检测规则:
    • SQL注入:
      UNION SELECT
      OR 1=1
      ' OR '
      、十六进制编码模式
    • LFI/目录遍历:
      ../
      /etc/passwd
      /proc/self
      php://filter
    • XSS:
      <script>
      javascript:
      onerror=
      onload=
    • 扫描器特征:nikto、sqlmap、dirbuster、gobuster、wfuzz等用户代理
    • 暴力破解:同一IP在5分钟内向登录端点发送超过50次POST请求
  5. 结合GeoIP数据增强信息,并生成优先级排序的检测结果报告。
bash
python scripts/agent.py --log-file /var/log/nginx/access.log --geoip-db GeoLite2-City.mmdb --output web_intrusion_report.json

Examples

示例

Detect SQLi in URI

检测URI中的SQL注入

192.168.1.100 - - [15/Jan/2024:10:30:45 +0000] "GET /products?id=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 4532
192.168.1.100 - - [15/Jan/2024:10:30:45 +0000] "GET /products?id=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 4532

Scanner User-Agent Detection

扫描器用户代理检测

Nikto/2.1.6, sqlmap/1.7, DirBuster-1.0-RC1, gobuster/3.1.0
Nikto/2.1.6, sqlmap/1.7, DirBuster-1.0-RC1, gobuster/3.1.0