Skill

analyzing-web-server-logs-for-intrusion

Parses Apache and Nginx access logs to detect SQLi, LFI, scanners, and brute-force using OWASP regex patterns, GeoIP enrichment, and request anomaly detection.

Python

Nginx

Bash

security

monitoring

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When investigating security incidents that require analyzing web server logs for intrusion

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Analyzing Web Server Logs for Intrusion

When to Use

When investigating security incidents that require analyzing web server logs for intrusion
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Instructions

Install dependencies: pip install geoip2 user-agents
Collect web server access logs in Combined Log Format (Apache) or Nginx default format.
Parse each log entry extracting: IP, timestamp, method, URI, status code, response size, user-agent, referer.
Apply detection rules:
- SQL injection: UNION SELECT, OR 1=1, ' OR ', hex encoding patterns
- LFI/Path traversal: ../, /etc/passwd, /proc/self, php://filter
- XSS: <script>, javascript:, onerror=, onload=
- Scanner signatures: nikto, sqlmap, dirbuster, gobuster, wfuzz user-agents
- Brute force: >50 POST requests to login endpoints from same IP in 5 minutes
Enrich with GeoIP data and generate a prioritized findings report.

python scripts/agent.py --log-file /var/log/nginx/access.log --geoip-db GeoLite2-City.mmdb --output web_intrusion_report.json

Examples

Detect SQLi in URI

192.168.1.100 - - [15/Jan/2024:10:30:45 +0000] "GET /products?id=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 4532

Scanner User-Agent Detection

Nikto/2.1.6, sqlmap/1.7, DirBuster-1.0-RC1, gobuster/3.1.0