#!/usr/bin/env bashecho ""
echo " ========================================================= "
echo " \                 Nginx日志安全分析腳本 V1.0            / "
echo " ========================================================= "
echo " # 支持Nginx日志分析，攻擊告警分析等                    "
echo " # author：al0ne                    "
echo " # https://github.com/al0ne                    "
echo -e "\n"#此腳本是參考nmgxy/klionsec修改而來,重新添加了一些特征，只用來臨時救急，還是推薦到ELK或者Splunk中分析#功能
###統計Top 20 地址
###SQL注入分析
###SQL注入 FROM查詢統計
###掃描器/常用黑客工具
###漏洞利用檢測
###敏感路徑訪問
###文件包含攻擊
###HTTP Tunnel
###Webshell
###尋找響應長度的url Top 20
###尋找罕見的腳本文件訪問
###尋找302跳轉的腳本文件#如果存在多個access文件或者有多個access.x.gz 建議先zcat access*.gz >> access.log文件中
#設置分析結果存儲目錄,結尾不能加/
outfile=/tmp/logs
#如果目錄以存在則清空，未存在則新建目錄
if [ -d $outfile ]; thenrm -rf $outfile/*
elsemkdir -p $outfile
fi
#設置nginx日志目錄，結尾必須加/
access_dir=/usr/local/nginx/logs/
#設置文件名，如果文件名為access那么匹配的是access*文件
access_log=access
#判斷日志文件是否存在
num=$(ls ${access_dir}${access_log}* | wc -l) >/dev/null 2>&1
if [ $num -eq 0 ]; thenecho '日志文件不存在'exit 1
fi
echo -e "\n"# 驗證操作系統是debian系還是centos
OS='None'
if [ -e "/etc/os-release" ]; thensource /etc/os-releasecase ${ID} in"debian" | "ubuntu" | "devuan")OS='Debian';;"centos" | "rhel fedora" | "rhel")OS='Centos';;*) ;;esac
fiif [ $OS = 'None' ]; thenif command -v apt-get >/dev/null 2>&1; thenOS='Debian'elif command -v yum >/dev/null 2>&1; thenOS='Centos'elseecho -e "\n不支持這個系統\n"echo -e "已退出"exit 1fi
fi# 檢測ag軟件有沒有安裝
if ag -V >/dev/null 2>&1; thenecho -e "\e[00;32msilversearcher-ag已安裝 \e[00m"
elseif [ $OS = 'Centos' ]; thenyum -y install the_silver_searcher >/dev/null 2>&1elseapt-get -y install silversearcher-ag >/dev/null 2>&1fifi
#如果檢測別的日志請手動替換偏移，例如awk的$7代表url，$9代表狀態碼，$10代表長度,本腳本是以nginx日志為基礎echo "分析結果日志：${outfile}"
echo "Nginx日志目錄：${access_dir}"
echo "Nginx文件名：${access_log}"
echo -e "\n"echo -e "\e[00;31m[+]TOP 20 IP 地址\e[00m"
ag -a -o --nofilename '((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}' ${access_dir}${access_log}* | sort | uniq -c | sort -nr | head -n 20 | tee -a ${outfile}/top20.log
echo -e "\n"echo -e "\e[00;31m[+]SQL注入攻擊分析\e[00m"
#在SQL注入中排除掉了一些掃描css/js/png圖片類等無用告警，并且重點篩選狀態碼200或者500的告警
ag -a "xp_cmdshell|%20xor|%20and|%20AND|%20or|%20OR|select%20|%20and%201=1|%20and%201=2|%20from|%27exec|information_schema.tables|load_file|benchmark|substring|table_name|table_schema|%20where%20|%20union%20|%20UNION%20|concat\(|concat_ws\(|%20group%20|0x5f|0x7e|0x7c|0x27|%20limit|\bcurrent_user\b|%20LIMIT|version%28|version\(|database%28|database\(|user%28|user\(|%20extractvalue|%updatexml|rand\(0\)\*2|%20group%20by%20x|%20NULL%2C|sqlmap" ${access_dir}${access_log}* | ag -v '/\w+\.(?:js|css|html|jpg|jpeg|png|htm|swf)(?:\?| )' | awk '($9==200)||($9==500) {print $0}' >${outfile}/sql.log
awk '{print "SQL注入攻擊" NR"次"}' ${outfile}/sql.log | tail -n1
echo "SQL注入 TOP 20 IP地址"
ag -o '(?<=:)((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}' ${outfile}/sql.log | sort | uniq -c | sort -nr | head -n 20 | tee -a ${outfile}/sql_top20.log
# 重點關注from查詢，是否存在脫褲行為，排除掃描行為
echo "SQL注入 FROM 查詢"
cat ${outfile}/sql.log | ag '\bfrom\b' | ag -v 'information_schema' >${outfile}/sql_from_query.log
awk '{print "SQL注入FROM查詢" NR"次"}' ${outfile}/sql_from_query.log | tail -n1
echo -e "\n"echo -e "\e[00;31m[+]掃描器scan & 黑客工具\e[00m"
ag -a "acunetix|by_wvs|nikto|netsparker|HP404|nsfocus|WebCruiser|owasp|nmap|nessus|HEAD /|AppScan|burpsuite|w3af|ZAP|openVAS|.+avij|.+angolin|360webscan|webscan|XSS@HERE|XSS%40HERE|NOSEC.JSky|wwwscan|wscan|antSword|WebVulnScan|WebInspect|ltx71|masscan|python-requests|Python-urllib|WinHttpRequest" ${access_dir}${access_log}* | ag -v '/\w+\.(?:js|css|jpg|jpeg|png|swf)(?:\?| )' | awk '($9==200)||($9==500) {print $0}' >${outfile}/scan.log
awk '{print "共檢測到掃描攻擊" NR"次"}' ${outfile}/scan.log | tail -n1
echo "掃描工具流量 TOP 20"
ag -o '(?<=:)\d+\.\d+\.\d+\.\d+' ${outfile}/scan.log | sort | uniq -c | sort -nr | head -n 20 | tee -a ${outfile}/scan_top20.log
echo -e "\n"echo -e "\e[00;31m[+]敏感路徑訪問\e[00m"
ag -a "/_cat/|/_config/|include=|phpinfo|info\.php|/web-console|JMXInvokerServlet|/manager/html|axis2-admin|axis2-web|phpMyAdmin|phpmyadmin|/admin-console|/jmx-console|/console/|\.tar.gz|\.tar|\.tar.xz|\.xz|\.zip|\.rar|\.mdb|\.inc|\.sql|/\.config\b|\.bak|/.svn/|/\.git/|\.hg|\.DS_Store|\.htaccess|nginx\.conf|\.bash_history|/CVS/|\.bak|wwwroot|備份|/Web.config|/web.config|/1.txt|/test.txt" ${access_dir}${access_log}* | awk '($9==200)||($9==500) {print $0}' >${outfile}/dir.log
awk '{print "共檢測到針對敏感文件掃描" NR"次"}' ${outfile}/dir.log | tail -n1
echo "敏感文件訪問流量 TOP 20"
ag -o '(?<=:)\d+\.\d+\.\d+\.\d+' ${outfile}/dir.log | sort | uniq -c | sort -nr | head -n 20 | tee -a ${outfile}/dir_top20.log
echo -e "\n"echo -e "\e[00;31m[+]漏洞利用檢測\e[00m"
ag -a "%00|/win.ini|/my.ini|\.\./\.\./|/etc/shadow|%0D%0A|file:/|gopher:/|dict:/|WindowsPowerShell|/wls-wsat/|call_user_func_array|uddiexplorer|@DEFAULT_MEMBER_ACCESS|@java\.lang\.Runtime|OgnlContext|/bin/bash|cmd\.exe|wget\s|curl\s|s=/index/\think" ${access_dir}${access_log}* | awk '($9==200)||($9==500) {print $0}' >${outfile}/exploit.log
awk '{print "漏洞利用探測" NR"次"}' ${outfile}/exploit.log | tail -n1
echo "漏洞利用檢測 TOP 20"
ag -o '(?<=:)\d+\.\d+\.\d+\.\d+' ${outfile}/exploit.log | sort | uniq -c | sort -nr | head -n 20 | tee -a ${outfile}/exploit_top20.log
echo -e "\n"echo -e "\e[00;31m[+]webshell\e[00m"
ag -a "=whoami|dbname=|exec=|cmd=|\br57\b|\bc99\b|\bc100\b|\bb374k\b|adminer.php|eval\(|assert\(|%eval|%execute|tunnel\.[asp|php|jsp|aspx]{3,4}|makewebtaski|ma\.[asp|php|jsp|aspx]{3,4}|\bup\.[asp|php|jsp|aspx]{3,4}|cmd\.[asp|php|jsp|aspx]{3,4}|201\d\.[asp|php|jsp|aspx]{3,4}|xiaoma\.[asp|php|jsp|aspx]{3,4}|shell\.[asp|php|jsp|aspx]{3,4}|404\.[asp|php|jsp|aspx]{3,4}|tom\.[asp|php|jsp|aspx]{3,4}|k8cmd\.[asp|php|jsp|aspx]{3,4}|ver[0-9]{3,4}\.[asp|php|jsp|aspx]{3,4}|\.aar|[asp|php|jsp|aspx]{3,4}spy\.|o=vLogin|aioshell|admine|ghost\.[asp|php|jsp|aspx]{3,4}|r00ts|90sec|t00ls|editor\.aspx|wso\.[asp|aspx]{3,4}" ${access_dir}${access_log}* | awk '($9==200)||($9==500) {print $0}' >${outfile}/webshell.log
awk '{print "共檢測到webshell行為" NR "次"}' ${outfile}/webshell.log | tail -n1
echo "Webshell TOP 20"
ag -o '(?<=:)\d+\.\d+\.\d+\.\d+' ${outfile}/webshell.log | sort | uniq -c | sort -nr | head -n 20 | tee -a ${outfile}/webshell_top20.log
echo -e "\n"echo -e "\e[00;31m[+]HTTP Tunnel\e[00m"
#Regeorg代理特征
ag -a "cmd=disconnect|cmd=read|cmd=forward|cmd=connect|127.0.0.1" ${access_dir}${access_log}* | awk '($9==200)||($9==500) {print $0}' | tee -a ${outfile}/tunnel.log
awk '{print "共檢測到隧道行為" NR "次"}' ${outfile}/tunnel.log | tail -n1
echo -e "\n"echo -e "\e[00;31m[+]Top 20 url響應長度\e[00m"
# 查找url響應長度最長的url排序，目的是有沒有下載服務器的一些打包文件
len=$(cat ${access_dir}${access_log}* | awk '{print $10}' | sort -nr | head -n 20)
echo $len | awk 'BEGIN{ RS=" " }{ print $0 }' | xargs -i{} ag -a --nocolor '\d+\s{}\s' ${access_dir}${access_log}* | awk '{print $7,$10}' | sort | uniq | sort -k 2 -nr | tee -a ${outfile}/url_rsp_len.log
echo -e "\n"echo -e "\e[00;31m[+]罕見的腳本文件訪問\e[00m"
echo "訪問量特別特別少的腳本文件極有可能是webshell"
cat ${access_dir}${access_log}* | awk '($9==200)||($9==500) {print $7}' | sort | uniq -c | sort -n | ag -v '\?' | ag '\.php|\.jsp|\.asp|\.aspx' | head -n 20 | tee -a ${outfile}/rare_url.log
echo -e "\n"echo -e "\e[00;31m[+]302跳轉\e[00m"
echo "此目的是尋找一些登錄成功的腳本文件"
cat ${access_dir}${access_log}* | awk '($9==302)||($9==301) {print $7}' | sort | uniq -c | sort -n | ag -v '\?' | ag '\.php|\.jsp|\.asp|\.aspx' | head -n 20 | tee -a ${outfile}/302_goto.log
echo -e "\n"