
Quick and dirty log analysis script

I wrote this script to automate the analysis of Apache and SSH logs on a Linux machine. Nothing fancy — just a simple script that pulls the attacker's source IP addresses out of the log based on a keyword you specify. Copy the script and save it with a .sh extension, e.g. log-analysis.sh. To run it, type ./log-analysis.sh and follow the prompts. Btw, I'm not a coder, so the script may look like amateur work ;)




#!/bin/bash
#LOG Analysis script written by dgodam@gmail.com

#Global Function
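#######################################
# Interactively grep the selected log for one source IP per round until the
# analyst answers anything other than "y".
# Globals:   FILEPATH, LOGFILE (read) - chosen by the calling report function
# Arguments: none; all input comes from interactive prompts
# Outputs:   matching log lines, paged through more
#######################################
probeip(){
  local cont probe
  while :; do
    read -p "Probe suspicious IP address (y/n)? " cont
    [ "$cont" == "y" ] || break
    read -e -p "Enter source IP address: " -i "8.8.8.8" probe
    # -F: an IP address is a literal string, not a regex. Unquoted and without
    # -F, "1.2.3.4" also matched 1a2b3c4 or 10203040 because "." is a wildcard.
    # --: a leading "-" in the answer is not parsed as a grep option.
    grep -i -F -- "$probe" "$FILEPATH/$LOGFILE" | more
  done
}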

#BEGIN
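# NOTE(review): bash looks a function up when the call runs, so this dispatch
# only works if it sits AFTER accesslog/authlog/ddos are defined. As laid out
# here it runs before them and fails with "command not found"; move this block
# to the end of the file (or wrap it in a main function called last).
read -e -p "What type of attack do you want to analyse (web/auth/ddos)? " -i "web" LOG
# Quoted selector: an empty answer no longer trips "[: ==: unary operator
# expected"; case makes the three-way branch explicit.
case "$LOG" in
  web)  accesslog ;;
  auth) authlog ;;
  ddos) ddos ;;
  *)    exit ;;
esac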

#Web
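#######################################
# Report the web requests that matched KEYWORD and completed with HTTP 200:
# hit count per source IP plus a Team Cymru bulk whois (country code) lookup,
# written to accesslog_result.txt in the current directory.
# Globals:   FILEPATH, LOGFILE, KEYWORD (read) - set by accesslog
# Outputs:   accesslog_result.txt; a status line on stdout
# Returns:   exits the script when the analyst declines to print
#######################################
print_access(){
  local cont tmpdir
  read -p "Print result (y/n)? " cont
  [ "$cont" == "y" ] || exit
  # Scratch files live in a private mktemp directory rather than 1.tmp/2.tmp/
  # 3.tmp in the working directory, so cleanup can no longer "rm *.tmp" away
  # unrelated files and concurrent runs cannot clobber each other.
  tmpdir=$(mktemp -d) || return 1
  # $9 is the status field of the combined log format; testing it directly
  # replaces grep " 200", which also matched a " 200" inside the request path.
  # uniq -c only merges adjacent duplicates, so the IPs must be sorted first
  # or one IP shows up as several partial counts.
  grep -i -- "$KEYWORD" "$FILEPATH/$LOGFILE" \
    | awk '$9 == 200 {print $1}' | sort | uniq -c | sort -rn > "$tmpdir/counts"
  # Team Cymru bulk query: begin / options / one IP per line / end.
  # NOTE(review): this sends every IP under investigation to a third-party
  # service over plain TCP; skip the lookup where that disclosure is not
  # acceptable.
  {
    printf 'begin\ncountrycode\n'
    awk '{print $2}' "$tmpdir/counts" | sort -u
    printf 'end\n'
  } > "$tmpdir/query"
  netcat whois.cymru.com 43 < "$tmpdir/query" > "$tmpdir/whois" \
    || printf 'warning: whois lookup failed\n' >&2
  {
    printf 'Unique Source IP Count\n'
    cat "$tmpdir/counts"
    cat "$tmpdir/whois"
  } > accesslog_result.txt
  rm -rf -- "${tmpdir:?}"
  echo "Your output file: accesslog_result.txt"
}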

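#######################################
# Interactive walk through an Apache access log: pick the file, view it,
# filter by keyword, optionally narrow to HTTP 200 hits, probe single IPs,
# then hand over to print_access for the report.
# Globals:   FILEPATH, LOGFILE, KEYWORD (written) - consumed by probeip and
#            print_access, so they stay global
# Arguments: none; all input comes from interactive prompts
# Outputs:   log excerpts paged through more
#######################################
accesslog(){
  local cont log
  read -e -p "Enter path to the log folder: " -i "/var/log/apache2" FILEPATH
  read -e -p "Enter name of the log file: " -i "access.log" LOGFILE
  log="$FILEPATH/$LOGFILE"
  # Fail early instead of running every later prompt against an empty stream.
  [ -r "$log" ] || { printf 'cannot read %s\n' "$log" >&2; exit 1; }
  more < "$log"
  read -e -p "Enter keyword: " -i "select" KEYWORD
  # Quoted keyword: a phrase with spaces is one pattern, not several files.
  grep -i -- "$KEYWORD" "$log" | awk '{print $1,$7,$9}' | more
  read -p "Include HTTP 200 successful connection only (y/n)? " cont
  if [ "$cont" == "y" ]; then
    # $9 is the status field; grep " 200" also matched inside the request path.
    grep -i -- "$KEYWORD" "$log" | awk '$9 == 200 {print $1,$7,$9}' | more
  fi
  # Both branches of the original if/else ended in probeip.
  probeip
  print_access
}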

#Ddos
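#######################################
# Report request volume per source IP for the lines matching KEYWORD, plus a
# Team Cymru bulk whois (country code) lookup, written to ddos_result.txt in
# the current directory.
# Globals:   FILEPATH, LOGFILE, KEYWORD (read) - set by ddos
# Outputs:   ddos_result.txt; a status line on stdout
# Returns:   exits the script when the analyst declines to print
#######################################
print_ddos(){
  local cont tmpdir
  read -p "Print result (y/n)? " cont
  [ "$cont" == "y" ] || exit
  # Private scratch directory instead of 1.tmp/2.tmp/3.tmp in the working
  # directory: cleanup no longer removes unrelated *.tmp files.
  tmpdir=$(mktemp -d) || return 1
  # sort before uniq -c so each IP is counted once; the trailing sort -rn
  # orders by hit count (the other reports do the same), not by IP.
  grep -i -- "$KEYWORD" "$FILEPATH/$LOGFILE" \
    | awk '{print $1}' | sort | uniq -c | sort -rn > "$tmpdir/counts"
  # Team Cymru bulk query: begin / options / one IP per line / end.
  # NOTE(review): this sends every IP under investigation to a third-party
  # service over plain TCP; skip the lookup where that disclosure is not
  # acceptable.
  {
    printf 'begin\ncountrycode\n'
    awk '{print $2}' "$tmpdir/counts" | sort -u
    printf 'end\n'
  } > "$tmpdir/query"
  netcat whois.cymru.com 43 < "$tmpdir/query" > "$tmpdir/whois" \
    || printf 'warning: whois lookup failed\n' >&2
  {
    printf 'Unique Source IP Count\n'
    cat "$tmpdir/counts"
    cat "$tmpdir/whois"
  } > ddos_result.txt
  rm -rf -- "${tmpdir:?}"
  echo "Your output file: ddos_result.txt"
}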

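#######################################
# Interactive walk through an Apache access log for request-flood analysis:
# pick the file, view it, show per-IP hit counts for a keyword, then hand
# over to print_ddos for the report.
# Globals:   FILEPATH, LOGFILE, KEYWORD (written) - consumed by print_ddos,
#            so they stay global
# Arguments: none; all input comes from interactive prompts
# Outputs:   log excerpts and counts paged through more
#######################################
ddos(){
  local log
  read -e -p "Enter path to the log folder: " -i "/var/log/apache2" FILEPATH
  read -e -p "Enter name of the log file: " -i "access.log" LOGFILE
  log="$FILEPATH/$LOGFILE"
  # Fail early instead of running every later prompt against an empty stream.
  [ -r "$log" ] || { printf 'cannot read %s\n' "$log" >&2; exit 1; }
  more < "$log"
  read -e -p "Enter keyword: " -i "select" KEYWORD
  # sort before uniq -c so each IP is counted once; sort -rn orders by count.
  grep -i -- "$KEYWORD" "$log" | awk '{print $1}' | sort | uniq -c | sort -rn | more
  print_ddos
}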

#Auth
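#######################################
# Report the auth.log lines matching KEYWORD by the IP in field 11, plus a
# Team Cymru bulk whois (country code) lookup, written to auth_result.txt in
# the current directory.
# Globals:   FILEPATH, LOGFILE, KEYWORD (read) - set by authlog
# Outputs:   auth_result.txt; a status line on stdout
# Returns:   exits the script when the analyst declines to print
#######################################
print_auth(){
  local cont tmpdir
  read -p "Print result (y/n)? " cont
  [ "$cont" == "y" ] || exit
  # Private scratch directory instead of 1.tmp/2.tmp/3.tmp in the working
  # directory: cleanup no longer removes unrelated *.tmp files.
  tmpdir=$(mktemp -d) || return 1
  # NOTE(review): $11 is the IP only for the line shape the default keyword
  # produces ("Accepted ... for USER from IP"); sshd inserts extra words for
  # other outcomes and shifts the IP - verify the field for your keyword.
  # uniq -c only merges adjacent duplicates, so sort first or one IP shows up
  # as several partial counts.
  grep -i -- "$KEYWORD" "$FILEPATH/$LOGFILE" \
    | awk '{print $11}' | sort | uniq -c | sort -rn > "$tmpdir/counts"
  # Team Cymru bulk query: begin / options / one IP per line / end.
  # NOTE(review): this sends every IP under investigation to a third-party
  # service over plain TCP; skip the lookup where that disclosure is not
  # acceptable.
  {
    printf 'begin\ncountrycode\n'
    awk '{print $2}' "$tmpdir/counts" | sort -u
    printf 'end\n'
  } > "$tmpdir/query"
  netcat whois.cymru.com 43 < "$tmpdir/query" > "$tmpdir/whois" \
    || printf 'warning: whois lookup failed\n' >&2
  {
    printf 'Unique IP Count\n'
    cat "$tmpdir/counts"
    cat "$tmpdir/whois"
  } > auth_result.txt
  rm -rf -- "${tmpdir:?}"
  echo "Your output file: auth_result.txt"
}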

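#######################################
# Interactive walk through an SSH auth log: pick the file, view it, filter by
# keyword (timestamp, host, process and field 11 shown), probe single IPs,
# then hand over to print_auth for the report.
# Globals:   FILEPATH, LOGFILE, KEYWORD (written) - consumed by probeip and
#            print_auth, so they stay global
# Arguments: none; all input comes from interactive prompts
# Outputs:   log excerpts paged through more
#######################################
authlog(){
  local log
  read -e -p "Enter path to the log folder: " -i "/var/log" FILEPATH
  read -e -p "Enter name of the log file: " -i "auth.log" LOGFILE
  log="$FILEPATH/$LOGFILE"
  # Fail early instead of running every later prompt against an empty stream.
  [ -r "$log" ] || { printf 'cannot read %s\n' "$log" >&2; exit 1; }
  more < "$log"
  read -e -p "Enter keyword: " -i "accepted" KEYWORD
  # Quoted keyword: a phrase with spaces is one pattern, not several files.
  # NOTE(review): $11 is the IP only for "Accepted ... for USER from IP"
  # lines; other sshd outcomes add words and shift it - verify per keyword.
  grep -i -- "$KEYWORD" "$log" | awk '{print $1,$2,$3,$5,$11}' | more
  probeip
  print_auth
}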




 
Copyright Info.

Only for my personal reference. I do not own any of these materials here. Use it at your own risk!
