analyzing-web-server-logs-for-intrusion

Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "analyzing-web-server-logs-for-intrusion" with this command: npx skills add mukul975/anthropic-cybersecurity-skills/mukul975-anthropic-cybersecurity-skills-analyzing-web-server-logs-for-intrusion

Instructions

  1. Install dependencies: pip install geoip2 user-agents
  2. Collect web server access logs in Combined Log Format (Apache) or Nginx default format.
  3. Parse each log entry extracting: IP, timestamp, method, URI, status code, response size, user-agent, referer.
  4. Apply detection rules:
    • SQL injection: UNION SELECT, OR 1=1, ' OR ', hex encoding patterns
    • LFI/Path traversal: ../, /etc/passwd, /proc/self, php://filter
    • XSS: <script>, javascript:, onerror=, onload=
    • Scanner signatures: nikto, sqlmap, dirbuster, gobuster, wfuzz user-agents
    • Brute force: >50 POST requests to login endpoints from same IP in 5 minutes
  5. Enrich with GeoIP data and generate a prioritized findings report.
python scripts/agent.py --log-file /var/log/nginx/access.log --geoip-db GeoLite2-City.mmdb --output web_intrusion_report.json

Examples

Detect SQLi in URI

192.168.1.100 - - [15/Jan/2024:10:30:45 +0000] "GET /products?id=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 4532

Scanner User-Agent Detection

Nikto/2.1.6, sqlmap/1.7, DirBuster-1.0-RC1, gobuster/3.1.0

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

analyzing-cyber-kill-chain

No summary provided by upstream source.

Repository SourceNeeds Review
10-mukul975
Security

analyzing-android-malware-with-apktool

No summary provided by upstream source.

Repository SourceNeeds Review
10-mukul975
Security

analyzing-certificate-transparency-for-phishing

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975
Security

acquiring-disk-image-with-dd-and-dcfldd

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975