
[Innovation Growth Youth Talent] AI-based Security Specialist Training Course

DAY63: System log data analysis

For the shell programming background, see the earlier post:

2020/07/27 - [[Innovation Growth Youth Talent] AI-based Security Specialist Training Course] - Day13: Linux administrator | FTP | NFS | Shell programming (rich-developer.tistory.com)


1. Analysing the lastb log recorded on the system (lastb file attached)

lastb file preview:

user     ssh:notty    192.168.110.200  Mon Oct  5 17:25 - 17:25  (00:00)    
user     ssh:notty    192.168.110.200  Mon Oct  5 17:13 - 17:13  (00:00)    
user     ssh:notty    192.168.110.200  Mon Oct  5 17:13 - 17:13  (00:00)    
user     ssh:notty    192.168.110.200  Mon Oct  5 17:13 - 17:13  (00:00)    
user     ssh:notty    192.168.110.200  Mon Oct  5 17:09 - 17:09  (00:00)    
user     ssh:notty    192.168.110.136  Mon Oct  5 17:08 - 17:08  (00:00)    
user     ssh:notty    192.168.110.136  Mon Oct  5 17:07 - 17:07  (00:00)    
userhat  ssh:notty    192.168.110.136  Mon Oct  5 16:27 - 16:27  (00:00)    
userhat  ssh:notty    192.168.110.136  Mon Oct  5 16:27 - 16:27  (00:00)    
userhat  ssh:notty    192.168.110.100  Mon Oct  5 16:27 - 16:27  (00:00)    
userhat  ssh:notty    192.168.110.100  Mon Oct  5 16:26 - 16:26  (00:00)    
userhat  ssh:notty    192.168.110.100  Mon Oct  5 16:26 - 16:26  (00:00)    
user     ssh:notty    192.168.110.110  Mon Oct  5 17:13 - 17:13  (00:00)    
user     ssh:notty    192.168.110.110  Mon Oct  5 17:09 - 17:09  (00:00)    
user     ssh:notty    192.168.110.110  Mon Oct  5 17:08 - 17:08  (00:00)    
user     ssh:notty    192.168.110.110  Mon Oct  5 17:07 - 17:07  (00:00)     
userman  ssh:notty    192.168.110.110  Mon Oct  5 16:26 - 16:26  (00:00)    
userman  ssh:notty    192.168.110.110  Mon Oct  5 16:25 - 16:25  (00:00)    
userman  ssh:notty    192.168.110.110  Mon Oct  5 16:25 - 16:25  (00:00)    
test     ssh:notty    localhost        Mon Oct  5 16:23 - 16:23  (00:00)    
test     ssh:notty    localhost        Mon Oct  5 16:23 - 16:23  (00:00)
userman  ssh:notty    192.168.110.136  Mon Oct  5 16:25 - 16:25  (00:00)    
userman  ssh:notty    192.168.110.136  Mon Oct  5 16:25 - 16:25  (00:00)    
userman  ssh:notty    192.168.110.136  Mon Oct  5 16:25 - 16:25  (00:00)    
userman  ssh:notty    192.168.110.136  Mon Oct  5 16:25 - 16:25  (00:00)    
userman  ssh:notty    192.168.110.136  Mon Oct  5 16:24 - 16:24  (00:00)    
test     ssh:notty    localhost        Mon Oct  5 16:23 - 16:23  (00:00)    
test     ssh:notty    localhost        Mon Oct  5 16:23 - 16:23  (00:00)    
test     ssh:notty    localhost        Mon Oct  5 16:23 - 16:23  (00:00)
userhat  ssh:notty    192.168.110.136  Mon Oct  5 16:26 - 16:26  (00:00)    
userhat  ssh:notty    192.168.110.136  Mon Oct  5 16:26 - 16:26  (00:00)    
test     ssh:notty    localhost        Mon Oct  5 16:23 - 16:23  (00:00)    
root     :0           :0               Mon Oct  5 11:02 - 11:02  (00:00)    

btmp begins Mon Oct  5 11:02:02 2020


 - Count login attempts per user

[admin@localhost Desktop]$ awk '{print $1}' lastb.txt | grep '^[a-z]' | sort | uniq -c
      1 btmp
      1 root
      6 test
     11 user
      7 userhat
      8 userman

 

 - Count login attempts per IP

[admin@localhost Desktop]$ awk '{print $3}' lastb.txt | grep '^[0-9]' | sort -n | uniq -c
      3 192.168.110.100
      7 192.168.110.110
     11 192.168.110.136
      5 192.168.110.200
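The two pipelines above work, but note two things: `lastb` lists failed login attempts (it reads /var/log/btmp, hence the `btmp begins` trailer), and that trailer is what produced the spurious "1 btmp" user in the first count. The script below is an added example, not code from the lesson: it does the same per-user and per-source counting in one awk pass, skips blank lines and the trailer, and adds the per-(user, source) view and a threshold check that a defender would use to spot a source hammering one account. The lastb lines are constructed to match the format shown above; the threshold value is an assumption.

```bash
#!/bin/bash
# Added example (not from the original lesson): summarise failed SSH logins
# from lastb-style output. Sample records below are constructed in the same
# format as the lesson's lastb.txt; they are not real log data.

LASTB_SAMPLE='user     ssh:notty    192.168.110.200  Mon Oct  5 17:25 - 17:25  (00:00)
user     ssh:notty    192.168.110.200  Mon Oct  5 17:13 - 17:13  (00:00)
userhat  ssh:notty    192.168.110.136  Mon Oct  5 16:27 - 16:27  (00:00)
userhat  ssh:notty    192.168.110.100  Mon Oct  5 16:26 - 16:26  (00:00)
test     ssh:notty    localhost        Mon Oct  5 16:23 - 16:23  (00:00)
root     :0           :0               Mon Oct  5 11:02 - 11:02  (00:00)

btmp begins Mon Oct  5 11:02:02 2020'

# Failed attempts per user. Blank lines (NF == 0) and the "btmp begins ..."
# trailer are skipped, so no phantom "btmp" user appears in the count.
lastb_by_user() {
  awk 'NF >= 3 && $2 != "begins" { n[$1]++ }
       END { for (u in n) printf "%d %s\n", n[u], u }' | sort -k2
}

# Failed SSH attempts per source host ($3). Only ssh:notty records are
# network logins; the root ":0" record is a local console entry.
lastb_by_source() {
  awk '$2 == "ssh:notty" { n[$3]++ }
       END { for (s in n) printf "%d %s\n", n[s], s }' | sort -k2
}

# Attempts per (user, source) pair: shows whether one host is targeting
# one account or spraying many.
lastb_pairs() {
  awk '$2 == "ssh:notty" { n[$1 " " $3]++ }
       END { for (k in n) printf "%d %s\n", n[k], k }' | sort -k2,3
}

# Sources with at least $1 failed SSH attempts (threshold is an assumption;
# tune it to the host's normal failure rate).
lastb_flag_sources() {
  lastb_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage on the constructed sample
printf '%s\n' "$LASTB_SAMPLE" | lastb_by_user
printf '%s\n' "$LASTB_SAMPLE" | lastb_by_source
printf '%s\n' "$LASTB_SAMPLE" | lastb_pairs
echo "sources with 2+ failures:"
printf '%s\n' "$LASTB_SAMPLE" | lastb_flag_sources 2
```

On a real host, replace the sample with `lastb -w | lastb_by_source` (the `-w` keeps long usernames and hostnames from being truncated, which otherwise merges distinct sources in the count).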

2. Web service (Apache) log analysis

I started making my own log, but in the end I just googled for one and found this:

gist.github.com/rm-hull/bd60aed44024e9986e3c - Publicly available access.log datasets (GitHub Gist)

Attached: access.log (2.52MB), error.log (1.26MB)

1. Print only the IPs of successful (200) requests

$ awk '$9 == 200 {print $1}' access.log | grep '^[0-9]' | sort -n | uniq -c
     10 2.134.205.87
      2 2.60.195.241
      1 2.86.149.141
      2 2.92.107.146
      2 2.92.97.180
      4 2.93.102.73
      2 2.93.147.171
      2 2.93.161.253
      2 2.93.199.113
      2 2.93.207.131
      4 2.93.207.163
      2 2.93.207.249
      2 2.93.207.51
      2 2.93.207.76
      2 2.93.207.80
     26 2.93.22.237

 

2. Print only GET requests

$ head -10 access.log | sed 's/"/ /g' | awk '$6 == "GET" {print $1, $6, $7}' | sort -n | uniq -c
 GET  1 
      1 46.72.177.4 GET /administrator/
      1 46.72.177.4 GET /administrator/index.php
      1 83.167.113.100 GET /administrator/
      1 83.167.113.100 GET /administrator/index.php
      1 95.29.198.15 GET /administrator/
      1 95.29.198.15 GET /administrator/index.php
      1 109.169.248.247 GET /administrator/
      1 109.169.248.247 GET /administrator/index.php
      1 109.184.11.34 GET /administrator/

 

3. Print the request line (method, path, parameters)

$ awk -F'"' '{print $2}' access.log
GET / HTTP/1.1
GET /templates/_system/css/general.css HTTP/1.1
GET /templates/jp_hotel/images/logo.jpg HTTP/1.1
GET /images/stories/raith/almhuette_raith.jpg HTTP/1.1
GET /images/stories/raith/almenland_logo.jpg HTTP/1.1
GET /images/stories/raith/wohnraum.jpg HTTP/1.1
GET /index.php?option=com_content&view=article&id=49&Itemid=55 HTTP/1.1
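One pitfall in awk is worth spelling out for items 1 and 2: `$9 = 200` is an assignment, not a comparison, so it is true for every record and the filter silently passes everything; the comparison is `==`. The script below is an added example, not code from the lesson or the gist: it splits each combined-format line on the double quote so the request line stays one field even when the path contains spaces, then applies the item 1, 2 and 3 filters correctly, and shows the assignment bug side by side with the fix. The four log lines are constructed in the style of the dataset (the IPs and paths appear in the lesson's output, the rest is made up).

```bash
#!/bin/bash
# Added example (not the lesson's code): parse Apache combined-format lines
# and filter them with awk comparisons. Sample lines are constructed.

ACCESS_SAMPLE='109.169.248.247 - - [12/Dec/2015:18:25:11 +0100] "GET /administrator/ HTTP/1.1" 200 4263 "-" "Mozilla/5.0 (constructed)"
109.169.248.247 - - [12/Dec/2015:18:25:11 +0100] "POST /administrator/index.php HTTP/1.1" 200 4494 "-" "Mozilla/5.0 (constructed)"
46.72.177.4 - - [12/Dec/2015:18:31:08 +0100] "GET /administrator/ HTTP/1.1" 200 4263 "-" "Mozilla/5.0 (constructed)"
46.72.177.4 - - [12/Dec/2015:18:31:08 +0100] "GET /index.php?option=com_content&view=article&id=49&Itemid=55 HTTP/1.1" 404 301 "-" "Mozilla/5.0 (constructed)"'

# Emit one "ip method path status" record per line. Splitting on the quote
# isolates the request line ($2) and the status/bytes part ($3) reliably.
access_fields() {
  awk -F'"' '{
    split($1, pre, " ")    # pre[1] = client IP
    split($2, req, " ")    # req[1] = method, req[2] = path, req[3] = protocol
    split($3, post, " ")   # post[1] = status, post[2] = response bytes
    print pre[1], req[1], req[2], post[1]
  }'
}

# Item 1: IPs of requests answered with 200, with counts
ok_ips() { access_fields | awk '$4 == 200 { print $1 }' | sort | uniq -c; }

# Item 2: only GET requests (ip, method, path)
get_requests() { access_fields | awk '$2 == "GET" { print $1, $2, $3 }'; }

# Item 3: the full request line
request_lines() { awk -F'"' '{ print $2 }'; }

# Why `$9 = 200` matched everything in the lesson: a single = assigns 200 to
# $9, the value 200 is non-zero, so the pattern is true for every record.
status_filter_with_assignment_bug() { awk '$9 = 200 { print $1 }' | grep -c .; }
status_filter_correct() { awk '$9 == 200 { print $1 }' | grep -c .; }

# Usage on the constructed sample
printf '%s\n' "$ACCESS_SAMPLE" | ok_ips
printf '%s\n' "$ACCESS_SAMPLE" | get_requests
printf '%s\n' "$ACCESS_SAMPLE" | request_lines
echo "lines passed by '\$9 = 200':  $(printf '%s\n' "$ACCESS_SAMPLE" | status_filter_with_assignment_bug)"
echo "lines passed by '\$9 == 200': $(printf '%s\n' "$ACCESS_SAMPLE" | status_filter_correct)"
```

Against a real file, `access_fields < access.log | awk '$4 >= 400' | sort | uniq -c | sort -rn | head` gives a quick view of which clients generate the most errors, which is usually where scanner traffic shows up first.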

 

4. OS COMMAND INJECTION review (../../)

$ awk -F'"' '{print $2}' web_scanner_access.log | grep -F '../'
GET /index.php/component/search/?ordering=../../../../../../../../../../etc/passwd%00.jpg&searchphrase=any&searchword= HTTP/1.1
GET /index.php/component/search/?ordering=alpha&searchphrase=../../../../../../../../../../etc/passwd&searchword= HTTP/1.1
GET /index.php/component/../../../../../../../../../../etc/passwd/ HTTP/1.1
GET /index.php?option=../../../../../../../../../../etc/passwd%00.jpg HTTP/1.1
GET /index.php/component/search/?ordering=../../../../../../../../../../../../../../../proc/version&searchphrase=all&searchword= HTTP/1.1
GET /index.php/component/search/?ordering=oldest&searchphrase=all&searchword=/%5c../%5c../%5c../%5c../%5c../%5c../%5c../etc/passwd HTTP/1.1
GET /DVWA/vulnerabilities/fi?page=/.././.././.././.././.././.././.././../etc/./passwd%2500 HTTP/1.1
GET /index.php/component/search/?ordering=oldest&searchphrase=any&searchword=../../../../../../../../../../etc/passwd HTTP/1.1

 

5. SQL INJECTION review

$ grep -E 'union|select|char' web_scanner_access.log | awk -F'"' '{print $3}'
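Two caveats on items 4 and 5. The `../` sequences are directory (path) traversal attempts rather than OS command injection, and scanners routinely URL-encode them (`%2e%2e%2f`, `%5c..`, as in the lesson's own output), so a plain `fgrep ../` misses the encoded variants. For item 5, a case-sensitive `grep 'union|select|char'` misses `UNION SELECT` and matches harmless words such as "selection". The script below is an added example, not code from the lesson: it matches raw and encoded traversal forms case-insensitively, requires a separator after `select` to avoid the "selection" false positive, and rolls the hits up per source IP, which is what you actually want for blocking or alerting. The six scanner-style log lines are constructed; the IPs are made up.

```bash
#!/bin/bash
# Added example (not the lesson's code): detect traversal and SQL-injection
# style requests in combined-format access logs and attribute them to a source.
# All sample lines are constructed; 10.0.0.5 and 10.0.0.7 are made-up hosts.

SCANNER_SAMPLE='10.0.0.5 - - [05/Oct/2020:16:40:01 +0900] "GET /index.php?option=../../../../etc/passwd%00.jpg HTTP/1.1" 200 512 "-" "scanner"
10.0.0.5 - - [05/Oct/2020:16:40:02 +0900] "GET /index.php/component/search/?searchword=/%5c../%5c../etc/passwd HTTP/1.1" 200 512 "-" "scanner"
10.0.0.5 - - [05/Oct/2020:16:40:03 +0900] "GET /index.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 512 "-" "scanner"
10.0.0.5 - - [05/Oct/2020:16:40:04 +0900] "GET /index.php?id=1 union all select 1,2,3-- HTTP/1.1" 500 0 "-" "scanner"
10.0.0.7 - - [05/Oct/2020:16:41:00 +0900] "GET /articles/selection-guide.html HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (constructed)"
10.0.0.7 - - [05/Oct/2020:16:41:01 +0900] "GET /images/logo.jpg HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (constructed)"'

# Raw and URL-encoded "../" and "..\" forms (case-insensitive via grep -i)
TRAVERSAL_RE='(\.\.|%2e%2e)(/|%2f|\\|%5c)|(%5c|\\)\.\.'

# union [all] select / select ... from / char( with space, %20 or + as the
# separator; the separator after "select" keeps "selection" from matching.
SQLI_RE='union([[:space:]%20+]+all)?[[:space:]%20+]+select|select[[:space:]%20+].*[[:space:]%20+]from|char(\(|%28)'

# The request line is the second quote-delimited field of each log line.
request_lines() { awk -F'"' '{ print $2 }'; }

traversal_hits() { request_lines | grep -iE "$TRAVERSAL_RE"; }
sqli_hits()      { request_lines | grep -iE "$SQLI_RE"; }

# Count suspicious requests per client IP: the defender's view of item 4 and 5
scanner_sources() {
  awk -F'"' '{ split($1, a, " "); print a[1], $2 }' \
    | grep -iE "$TRAVERSAL_RE|$SQLI_RE" \
    | awk '{ print $1 }' | sort | uniq -c
}

# Usage on the constructed sample
echo "traversal:"; printf '%s\n' "$SCANNER_SAMPLE" | traversal_hits
echo "sqli:";      printf '%s\n' "$SCANNER_SAMPLE" | sqli_hits
echo "per source:"; printf '%s\n' "$SCANNER_SAMPLE" | scanner_sources
```

These patterns are a triage aid, not a complete signature set: double-encoded payloads (`%252e`) or mixed encodings will slip past them, so decode the request before matching when the web server's log format allows it, and treat a hit as a reason to look at the client's whole session rather than as proof of compromise.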

 

6. Save as a JSON file

$ sed 's/"//g' access.log | grep '^[0-9]' |
  awk 'BEGIN {print "{"} {printf "%s\"%d\":{\"IP\":\"%s\", \"METHOD\":\"%s\"}", (NR > 1 ? ",\n" : ""), NR, $1, $6} END {print "\n}"}' > json_access.log

$ head json_access.log 
{ "1":{"IP":"109.169.248.247", "METHOD":"GET"},
"2":{"IP":"109.169.248.247", "METHOD":"POST"},
"3":{"IP":"46.72.177.4", "METHOD":"GET"},
"4":{"IP":"46.72.177.4", "METHOD":"POST"},
"5":{"IP":"83.167.113.100", "METHOD":"GET"},

$ tail json_access.log 
"10948":{"IP":"212.95.7.66", "METHOD":"GET"},
"10949":{"IP":"212.95.7.66", "METHOD":"GET"},
"10950":{"IP":"212.95.7.66", "METHOD":"GET"},
"10951":{"IP":"212.95.7.66", "METHOD":"GET"},
"10952":{"IP":"212.95.7.66", "METHOD":"GET"},
"10953":{"IP":"212.95.7.66", "METHOD":"GET"},
"10954":{"IP":"212.95.7.66", "METHOD":"GET"},
"10955":{"IP":"212.95.7.66", "METHOD":"GET"},
"10956":{"IP":"212.95.7.66", "METHOD":"GET"}
}

$ python -m json.tool json_access.log
{
    "1": {
        "IP": "109.169.248.247",
        "METHOD": "GET"
    },
    "10": {
        "IP": "109.184.11.34",
        "METHOD": "POST"
    },
    "100": {
        "IP": "83.167.113.100",
        "METHOD": "GET"
    },
    "1000": {
        "IP": "93.185.22.218",
        "METHOD": "POST"
    },
    "10000": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    },
    "10001": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    },
    "10002": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
...
    "9995": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    },
    "9996": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    },
    "9997": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    },
    "9998": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    },
    "9999": {
        "IP": "80.110.186.51",
        "METHOD": "GET"
    }
}
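The thing to get right when awk emits JSON is the punctuation that is easy to forget in a one-liner: the opening `{`, no comma after the last record, and the closing `}`; a trailing comma is exactly what makes `json.tool` reject the file. The script below is an added example, not the lesson's command: it keeps the lesson's numbered-key layout but emits the separators correctly, numbers only the lines it actually kept (so non-log lines do not leave gaps), strips characters that would break a JSON string, and validates the result with `python -m json.tool` when an interpreter is present. The log lines are constructed.

```bash
#!/bin/bash
# Added example (not the lesson's code): convert access-log lines to a JSON
# object keyed by record number, with correct separators. Sample lines are
# constructed; the last one is a deliberate non-log line to show the filter.

LOG_SAMPLE='109.169.248.247 - - [12/Dec/2015:18:25:11 +0100] "GET /administrator/ HTTP/1.1" 200 4263 "-" "Mozilla/5.0 (constructed)"
109.169.248.247 - - [12/Dec/2015:18:25:11 +0100] "POST /administrator/index.php HTTP/1.1" 200 4494 "-" "Mozilla/5.0 (constructed)"
46.72.177.4 - - [12/Dec/2015:18:31:08 +0100] "GET /administrator/ HTTP/1.1" 200 4263 "-" "Mozilla/5.0 (constructed)"
# rotated 2015-12-12 (constructed non-log line, must be skipped)'

# Read log lines on stdin, write one JSON object to stdout.
access_to_json() {
  awk -F'"' '
    /^[0-9]/ {                          # keep lines that start with an IP, as the lesson does
      n++
      split($1, pre, " "); split($2, req, " ")
      ip = pre[1]; method = req[1]
      gsub(/["\\]/, "", ip); gsub(/["\\]/, "", method)   # drop chars that would break the JSON string
      # first record is preceded by "{", every later one by ",\n": no trailing comma
      printf "%s\"%d\":{\"IP\":\"%s\",\"METHOD\":\"%s\"}", (n > 1 ? ",\n" : "{\n"), n, ip, method
    }
    END { if (n) print "\n}"; else print "{}" }'
}

# Validate with json.tool if python3 exists; otherwise just consume the input.
json_check() {
  if command -v python3 >/dev/null 2>&1; then
    python3 -m json.tool >/dev/null
  else
    cat >/dev/null
  fi
}

# Usage on the constructed sample
printf '%s\n' "$LOG_SAMPLE" | access_to_json
printf '%s\n' "$LOG_SAMPLE" | access_to_json | json_check && echo "json_access: valid"
```

For a real file: `access_to_json < access.log > json_access.log && python3 -m json.tool json_access.log >/dev/null`. If you need more fields (path, status, user agent) add them from `req[2]`, `$3` and `$6` in the same `printf`; only the method and IP are emitted here to match the lesson's layout.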