analyzing-web-server-logs-for-intrusion

Solid

Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.

DevOps & Infrastructure 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 97/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
89
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Analyzing Web Server Logs for Intrusion ## When to Use - When investigating security incidents that require analyzing web server logs for intrusion - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Familiarity with security operations concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Instructions 1. Install dependencies: `pip install geoip2 user-agents` 2. Collect web server access logs in Combined Log Format (Apache) or Nginx default format. 3. Parse each log entry extracting: IP, timestamp, method, URI, status code, response size, user-agent, referer. 4. Apply detection rules: - SQL injection: `UNION SELECT`, `OR 1=1`, `' OR '`, hex encoding patterns - LFI/Path traversal: `../`, `/etc/passwd`, `/proc/self`, `php://filter` - XSS: `<script>`, `javascript:`, `onerror=`, `onload=` - Scanner signatures: nikto, sqlmap, dirbuster, gobuster, wfuzz user-agents - Brute force: >50 POST requests to login endpoints from same IP in 5 minutes 5. Enrich with GeoIP data and generate a prioritized findings report. ```bash python scripts/agent.py --log-file /var/log/nginx/access.log --geoip-db GeoLite2-City.mmdb --output web_intrusion_report.json ``...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

detecting-sql-injection-via-waf-logs

Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection attack campaigns. Parses ModSecurity audit logs and JSON WAF event logs to identify SQLi patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks attack sources, correlates multi-stage injection attempts, and generates incident reports with OWASP classification.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-linux-audit-logs-for-intrusion

Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction, and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch queries, aureport summaries, or host-based intrusion detection on Linux.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-security-logs-with-splunk

Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis, security event correlation, or log-based incident investigation.

12,642 Updated today
mukul975
Code & Development Listed

log-analysis

Analyze application logs to identify errors, performance issues, and security anomalies. Use when debugging issues, monitoring system health, or investigating incidents. Handles various log formats including Apache, Nginx, application logs, and JSON logs.

335 Updated today
aiskillstore
AI & Automation Solid

analyzing-api-gateway-access-logs

Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules.

12,642 Updated today
mukul975