#!/bin/bash # # Historical Attack Log Analyzer # Scans past Apache/Nginx logs for attack patterns using ET Open signatures # # Usage: bash analyze-historical-attacks.sh [options] # # Options: # -d DAYS Analyze logs from last N days (default: 7) # -l LOGFILE Analyze specific log file # -o OUTPUT Output report file (default: /tmp/attack-analysis-TIMESTAMP.txt) # -t THRESHOLD Minimum threat score to report (default: 50) # -v Verbose mode (show all attacks) # -h Show help # Get script directory SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/.." # Source required libraries source "$SCRIPT_DIR/lib/attack-signatures.sh" 2>/dev/null || { echo "ERROR: attack-signatures.sh not found" exit 1 } source "$SCRIPT_DIR/lib/http-attack-analyzer.sh" 2>/dev/null || { echo "ERROR: http-attack-analyzer.sh not found" exit 1 } # Colors RED='\033[0;31m' YELLOW='\033[1;33m' GREEN='\033[0;32m' BLUE='\033[0;34m' CYAN='\033[0;36m' BOLD='\033[1m' NC='\033[0m' # Default options DAYS=7 LOG_FILE="" OUTPUT_FILE="/tmp/attack-analysis-$(date +%Y%m%d_%H%M%S).txt" THRESHOLD=50 VERBOSE=0 # Parse command line arguments while getopts "d:l:o:t:vh" opt; do case $opt in d) DAYS="$OPTARG" ;; l) LOG_FILE="$OPTARG" ;; o) OUTPUT_FILE="$OPTARG" ;; t) THRESHOLD="$OPTARG" ;; v) VERBOSE=1 ;; h) cat << EOF Historical Attack Log Analyzer Scans past Apache/Nginx logs for attack patterns using ET Open signatures Usage: $0 [options] Options: -d DAYS Analyze logs from last N days (default: 7) -l LOGFILE Analyze specific log file -o OUTPUT Output report file (default: /tmp/attack-analysis-TIMESTAMP.txt) -t THRESHOLD Minimum threat score to report (default: 50) -v Verbose mode (show all attacks) -h Show this help Examples: # Analyze last 7 days $0 # Analyze last 30 days $0 -d 30 # Analyze specific log file $0 -l /var/log/apache2/access.log # Show all attacks (including low severity) $0 -t 0 -v # Save report to custom location $0 -o /root/attack-report.txt EOF exit 0 ;; \?) echo "Invalid option: -$OPTARG" >&2 exit 1 ;; esac done echo "================================================================================ " echo -e "${CYAN}${BOLD}Historical Attack Log Analyzer${NC}" echo "Powered by Emerging Threats Open Ruleset" echo "================================================================================ " # Find log files to analyze LOG_FILES=() if [ -n "$LOG_FILE" ]; then # Specific log file provided if [ ! -f "$LOG_FILE" ]; then echo -e "${RED}ERROR: Log file not found: $LOG_FILE${NC}" exit 1 fi LOG_FILES=("$LOG_FILE") echo -e "${GREEN}✓${NC} Analyzing specific file: $LOG_FILE" else # Auto-detect log files echo -e "${BLUE}[*]${NC} Searching for Apache/Nginx log files..." # Common log locations SEARCH_PATHS=( "/var/log/apache2" "/var/log/httpd" "/usr/local/apache/logs" "/var/log/nginx" "/usr/local/apache/domlogs" ) for path in "${SEARCH_PATHS[@]}"; do if [ -d "$path" ]; then # Find access logs modified in last N days while IFS= read -r log; do LOG_FILES+=("$log") done < <(find "$path" -type f \( -name "access*.log*" -o -name "access_log*" -o -name "*.com" -o -name "*.net" -o -name "*.org" \) -mtime -"$DAYS" 2>/dev/null) fi done if [ ${#LOG_FILES[@]} -eq 0 ]; then echo -e "${RED}ERROR: No log files found in last $DAYS days${NC}" exit 1 fi echo -e "${GREEN}✓${NC} Found ${#LOG_FILES[@]} log files from last $DAYS days" fi # Initialize counters TOTAL_LINES=0 TOTAL_ATTACKS=0 CRITICAL_ATTACKS=0 HIGH_ATTACKS=0 MEDIUM_ATTACKS=0 declare -A ATTACK_TYPES declare -A TOP_ATTACKERS declare -A SIGNATURE_HITS # Progress indicator show_progress() { local count=$1 local total=$2 local percent=$((count * 100 / total)) echo -ne "\r${BLUE}[*]${NC} Processing: $count/$total lines ($percent%) " } # Start analysis echo "" echo -e "${BLUE}[*]${NC} Starting analysis (Threshold: $THRESHOLD)..." echo "" { # Write report header echo "================================================================================ " echo "HISTORICAL ATTACK ANALYSIS REPORT" echo "Generated: $(date)" echo "Period: Last $DAYS days" echo "Threshold: $THRESHOLD" echo "================================================================================ " echo "" # Analyze each log file for log_file in "${LOG_FILES[@]}"; do echo "[*] Analyzing: $log_file" # Handle compressed logs if [[ "$log_file" =~ \.gz$ ]]; then CAT_CMD="zcat" elif [[ "$log_file" =~ \.bz2$ ]]; then CAT_CMD="bzcat" else CAT_CMD="cat" fi local file_attacks=0 local line_count=0 while IFS= read -r line; do line_count=$((line_count + 1)) TOTAL_LINES=$((TOTAL_LINES + 1)) # Show progress every 1000 lines if [ $((line_count % 1000)) -eq 0 ]; then show_progress "$TOTAL_LINES" "unknown" fi # Analyze line local result=$(analyze_http_log_line "$line" 2>/dev/null) local threat_score="${result%%||*}" if [ "$threat_score" -ge "$THRESHOLD" ]; then local temp="${result#*||}" local attack_types="${temp%%||*}" temp="${temp#*||}" local signatures="${temp%%||*}" temp="${temp#*||}" local ip="${temp%%||*}" local uri="${temp#*||}" # Count attacks TOTAL_ATTACKS=$((TOTAL_ATTACKS + 1)) file_attacks=$((file_attacks + 1)) # Categorize by severity if [ "$threat_score" -ge 85 ]; then CRITICAL_ATTACKS=$((CRITICAL_ATTACKS + 1)) elif [ "$threat_score" -ge 70 ]; then HIGH_ATTACKS=$((HIGH_ATTACKS + 1)) elif [ "$threat_score" -ge 50 ]; then MEDIUM_ATTACKS=$((MEDIUM_ATTACKS + 1)) fi # Track attack types IFS=',' read -ra types <<< "$attack_types" for type in "${types[@]}"; do ATTACK_TYPES["$type"]=$((${ATTACK_TYPES[$type]:-0} + 1)) done # Track top attackers TOP_ATTACKERS["$ip"]=$((${TOP_ATTACKERS[$ip]:-0} + threat_score)) # Track signatures IFS=',' read -ra sigs <<< "$signatures" for sig in "${sigs[@]}"; do SIGNATURE_HITS["$sig"]=$((${SIGNATURE_HITS[$sig]:-0} + 1)) done # Log if verbose or critical if [ "$VERBOSE" -eq 1 ] || [ "$threat_score" -ge 85 ]; then echo "" >> "$OUTPUT_FILE" echo "[Score: $threat_score] $ip → $attack_types" >> "$OUTPUT_FILE" echo " URI: ${uri:0:150}" >> "$OUTPUT_FILE" echo " Signatures: $signatures" >> "$OUTPUT_FILE" fi fi done < <($CAT_CMD "$log_file" 2>/dev/null) echo " → Found $file_attacks attacks" >> "$OUTPUT_FILE" done echo "" >> "$OUTPUT_FILE" echo "================================================================================ " >> "$OUTPUT_FILE" echo "SUMMARY STATISTICS" >> "$OUTPUT_FILE" echo "================================================================================ " >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" echo "Total lines processed: $TOTAL_LINES" >> "$OUTPUT_FILE" echo "Total attacks detected: $TOTAL_ATTACKS" >> "$OUTPUT_FILE" echo " - Critical (≥85): $CRITICAL_ATTACKS" >> "$OUTPUT_FILE" echo " - High (70-84): $HIGH_ATTACKS" >> "$OUTPUT_FILE" echo " - Medium (50-69): $MEDIUM_ATTACKS" >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" # Top Attack Types echo "Top Attack Types:" >> "$OUTPUT_FILE" for type in "${!ATTACK_TYPES[@]}"; do echo "$type:${ATTACK_TYPES[$type]}" done | sort -t: -k2 -nr | head -15 | while IFS=: read -r type count; do printf " %-20s %5d attacks\n" "$type" "$count" >> "$OUTPUT_FILE" done echo "" >> "$OUTPUT_FILE" # Top Attackers echo "Top 20 Attacking IPs (by cumulative threat score):" >> "$OUTPUT_FILE" for ip in "${!TOP_ATTACKERS[@]}"; do echo "$ip:${TOP_ATTACKERS[$ip]}" done | sort -t: -k2 -nr | head -20 | while IFS=: read -r ip score; do printf " %-15s Score: %5d\n" "$ip" "$score" >> "$OUTPUT_FILE" done echo "" >> "$OUTPUT_FILE" # Top Signatures echo "Top 20 Triggered Signatures:" >> "$OUTPUT_FILE" for sig in "${!SIGNATURE_HITS[@]}"; do echo "$sig:${SIGNATURE_HITS[$sig]}" done | sort -t: -k2 -nr | head -20 | while IFS=: read -r sig count; do printf " %-30s %5d hits\n" "$sig" "$count" >> "$OUTPUT_FILE" done echo "" >> "$OUTPUT_FILE" echo "================================================================================ " >> "$OUTPUT_FILE" echo "END OF REPORT" >> "$OUTPUT_FILE" echo "================================================================================ " >> "$OUTPUT_FILE" } > "$OUTPUT_FILE" # Clear progress line echo -ne "\r\033[K" # Display summary to terminal echo "" echo -e "${GREEN}✓${NC} Analysis complete!" echo "" echo "Summary:" echo " Lines processed: $TOTAL_LINES" echo " Attacks detected: $TOTAL_ATTACKS" echo " - Critical (≥85): $CRITICAL_ATTACKS" echo " - High (70-84): $HIGH_ATTACKS" echo " - Medium (50-69): $MEDIUM_ATTACKS" echo "" echo -e "${GREEN}✓${NC} Full report saved to: $OUTPUT_FILE" echo "" # Offer to view report read -p "View report now? [y/N]: " view_report if [[ "$view_report" =~ ^[Yy]$ ]]; then less "$OUTPUT_FILE" fi