Linux安全运维日志排查几个 tips
2015-12-13 16:01
513 查看
运维日志排查记录
前言
记录一些排查常见日志的命令,方法wiki,欢迎补充(Markdown 语法)。常用命令
查找关键词并统计行数cat 2015_7_25_test_access.log | grep "sqlmap" | wc -l
删除含有匹配字符的行
sed -i '/Indy Library/d' 2015_7_25_test_access.log
查找所有日志中的关键词
find ./ -name "*.log" |xargs grep "sqlmap" |wc -l
获取特殊行(如id)并且排序统计
cat cszl988.log | awk '{print $1}' | awk -F : '{print $2}' | sort -u | wc -l
正则匹配内容(如提取ip)
grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"
去重并统计数量
tail 3.log | awk '{print $7}' | sort | uniq -c
批量提取(全流量中)数据包并且过滤数据
#!/bin/bash for file in ` ls $1 ` do parse_pcap -vvb $file | grep -v "Host:" | grep -v "Cookie:" | grep -v "User-Agent:" | grep -v "Accept:" | grep -v "Accept:" | grep -v "Accept-Language:" | grep -v "Accept-Encoding:" | grep -v "Connection:" | grep -v "Content-Type:" | grep -v "Content-Length" | grep -v "Server" done
url 解码
cat luban.log | grep sqlmap | awk '{print $7}' | xargs python -c 'import sys, urllib; print urllib.unquote(sys.argv[1])'
欢迎补充....
示范:xxxx站注入日志排查
查看所有sqlmap注入记录条数[root@pentest temp]# cat luban.log | grep sqlmap | wc -l 1241
预览几条url
cat luban.log | grep sqlmap | awk '{print $7}' | more /news.php?id=771%28.%28%22%29.%27%29%29%27&fid=168 /news.php?id=771%27IddP%3C%27%22%3EvCBw&fid=168 /news.php?id=771%29%20AND%201148%3D8887%20AND%20%288975%3D8975&fid=168 /news.php?id=771%29%20AND%208790%3D8790%20AND%20%287928%3D7928&fid=168 /news.php?id=771%20AND%204294%3D9647&fid=168 /news.php?id=771%20AND%208790%3D8790&fid=168 /news.php?id=771%27%29%20AND%205983%3D7073%20AND%20%28%27UwRr%27%3D%27UwRr&fid=168 /news.php?id=771%27%29%20AND%208790%3D8790%20AND%20%28%27hwaT%27%3D%27hwaT&fid=168 /news.php?id=771%27%20AND%206578%3D7565%20AND%20%27EoTZ%27%3D%27EoTZ&fid=168 /news.php?id=771%27%20AND%208790%3D8790%20AND%20%27lBdL%27%3D%27lBdL&fid=168 /news.php?id=771%25%27%20AND%205177%3D1107%20AND%20%27%25%27%3D%27&fid=168 /news.php?id=771%25%27%20AND%208790%3D8790%20AND%20%27%25%27%3D%27&fid=168
方便查看 urldecode
cat luban.log | grep sqlmap | awk '{print $7}' | xargs python -c 'import sys, urllib; print urllib.unquote(sys.argv[1])' /news.php?id=771&fid=168 /news.php?id=771&fid=168 AND ASCII(SUBSTRING((SELECT DISTINCT(COALESCE(CAST(schemaname AS CHARACTER(10000)),(CHR(32)))) FROM pg_tables OFFSET 1 LIMIT 1)::text FROM 3 FOR 1))> 97 /news.php?id=771&fid=168 UNION ALL SELECT NULL,(CHR(113)||CHR(122)||CHR(106)||CHR(120)||CHR(113))||(CHR(103)||CHR(75)||CHR(78)||CHR(87)||CHR(76)||CHR(74)||CHR(110)||CHR(1 15)||CHR(100)||CHR(85))||(CHR(113)||CHR(122)||CHR(120)||CHR(113)||CHR(113)),NULL,NULL,NULL,NULL,NULL,NULL,NULL UNION ALL SELECT NULL,(CHR(113)||CHR(122)||CHR(106)||CHR(120)||CHR(113))||(CHR(113)||CHR(71)||C HR(74)||CHR(82)||CHR(101)||CHR(120)||CHR(69)||CHR(112)||CHR(117)||CHR(79))||(CHR(113)||CHR(122)||CHR(120)||CHR(113)||CHR(113)),NULL,NULL,NULL,NULL,NULL,NULL,NULL--
相关文章推荐
- Linux常用配置汇总(Centos 7及Debian 8)
- Linux 防火墙配置
- 深入理解Linux修改hostname
- Linux更新Python版本及修改python默认版本的方法
- Linux下头文件搜索路径
- linux的设置ip连接crt,修改主机名,映射,建文件
- Linux常用命令大全
- centos7 postgres9.4 安装设置
- Linux下各目录介绍
- (RedHat)Linux 开启telnet服务
- Linux学习【菜鸟篇】- 学习笔记- 打包压缩解压
- Ubuntu 上 hi3531 交叉编译环境 arm-hisiv100nptl-linux 建设过程
- centos7 firewalld配置示例
- CentOS 7 下使用 Firewall
- linux用户及权限管理-学习总结
- Linux用户及权限管理
- centos下安装mysql
- mysql 创建删除数据库(linux)
- C/C++ Linux 的C开发中的环境变量
- Linux 下C语言 指针学习 二 (数组与指针)