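#!/usr/local/bin/bash
# Amiri@abysssec.com
#
# Apache log triage.  Collects the remote IPs seen in the error and access
# logs, prints the request count per unique IP, then counts for every IP
# how many log lines match each "bad request" marker and prints a
# colour-coded alert level.  Matching lines are saved to $detailes.
#
# Reads:   $log, $acc (must be readable by the invoking user)
# Writes:  $detailes  - matched lines per IP and marker
#          $time_log  - start/end time and number of IPs checked
# The log contents are untrusted input: they are only ever used as
# fixed-string grep patterns (-F) and printed through printf '%s', never
# interpolated into a regex, eval or a printf format string.
set -u

die() { printf '%s\n' "$*" >&2; exit 1; }

readonly log="/var/log/httpd-error.log"
readonly acc="/var/log/httpd-access.log"
readonly detailes="/tmp/details.txt"
readonly time_log="/tmp/time.txt"
# Any line containing this substring is ignored (same filter as before:
# it matches the substring anywhere on the line, not only the client field).
readonly local_net="192.168"
readonly rule="==============================================="

# Fixed-string markers of suspicious requests and the padded labels shown
# next to them.  Marker 5 is the literal text "\x90\xc9" that Apache writes
# for non-printable request bytes, so it has to be matched with grep -F
# (used as a regex, "\x" never matched that text).
bad_req=([1]="denied" [2]="Directory" [3]="File" [4]="php?act=" [5]='SEARCH /\x90\xc9')
bad_req_=([1]="denied....." [2]="Directory.." [3]="File......." [4]="?act=......" [5]="SEARCH ....")
readonly -a bad_req bad_req_

# Alert thresholds on the number of matching lines per IP and marker.
readonly red_min=70       # >= red_min        -> red
readonly yellow_min=31    # yellow_min..69    -> yellow
readonly monitor_max=10   # <= monitor_max    -> monitoring
# NOTE(review): counts of 11..30 are written to $detailes but print no
# screen line, exactly as before -- confirm this gap is intended.

# Plain colour codes.  The old prefixes embedded a row number inside an
# SGR sequence ("\033[<row>;31m"), which never positioned the cursor and
# could select unrelated attributes.
readonly reset=$'\033[0;0m'
readonly red_alert_ip_=$'\033[1;31mPlease check paths for this ip now '
readonly yellow_alert_=$'\033[1;33mAttacker trying to entering .......'
readonly monitoring_ip=$'\033[1;32mMay be attack .....................'

[[ -r "$log" ]] || die "cannot read $log"
[[ -r "$acc" ]] || die "cannot read $acc"

# Scratch files live in a private mktemp directory instead of fixed,
# predictable names under /tmp, and are removed on every exit path.
tmpdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT
readonly temp_log="$tmpdir/temp_log.log"
readonly ip_log="$tmpdir/ip_log.txt"
readonly ip_sort="$tmpdir/ip_sort.txt"
readonly details_tmp="$tmpdir/details.txt"
: > "$details_tmp"

# Globals filled by the functions below.
log_nom=0 acc_nom=0 totalnom=0 rep=0
ip_=()

# date +%T instead of cutting the 4th word of date(1): that word is the
# day number, not the time, whenever the day is single-digit (double space).
printf 'starter @ %s\n' "$(date +%T)" > "$time_log"
cat -- "$log" "$acc" > "$temp_log" || die "cannot copy logs to $temp_log"

clear
echo "Starting with PID $$"
echo "$rule"

#######################################
# Collect the remote IPs from both logs and leave them sorted in $ip_sort.
# Error log lines look like "[date] [error] [client 1.2.3.4] ..." and the
# address is cut out of the third bracketed field as before; access log
# lines start with the client address, so the first field is used (the
# old cut on "-" left a trailing space that made one IP sort as two).
# Globals:   log acc local_net ip_log ip_sort rule (read);
#            log_nom acc_nom totalnom (written)
# Outputs:   progress messages on stdout
# Returns:   0, or exits via die if sorting fails
#######################################
data_reading() {
  echo "Step 1 Getting ips this may take a while"
  grep -- client "$log" | grep -v -- "$local_net" \
    | cut -d "]" -f 3 | cut -d "[" -f 2 | cut -d " " -f 2 > "$ip_log"
  log_nom=$(( $(wc -l < "$ip_log") ))
  grep -v -- "$local_net" "$acc" | awk 'NF { print $1 }' >> "$ip_log"
  acc_nom=$(( $(wc -l < "$ip_log") - log_nom ))
  # Number of IP records; the old "+ 1" only padded a loop bound and made
  # the reported total one too high.
  totalnom=$(( log_nom + acc_nom ))
  echo "Step 2 Reading ips done now getting reqest numbers per ip"
  printf '\033[1;31m%s ips for \033[1;40m%s\033[0;0m \033[1;36m%s\033[0;0m ips for \033[1;40m%s\033[0;0m\n' \
    "$log_nom" "$log" "$acc_nom" "$acc"
  echo "$rule"
  echo "Step 3 Sorting Ips now for $totalnom IPs"
  sort -o "$ip_sort" "$ip_log" || die "sort failed"
  echo "Sorting done going to read line by line"
  echo "$rule"
}

#######################################
# Reduce the sorted IP list to unique addresses with their request counts.
# Globals:   ip_sort (read); ip_ (ip_[1..rep]) and rep (written)
# Outputs:   one "[count] Request per ip X" line per unique IP; each line
#            is placed on screen row 12+n with a cursor-position escape,
#            the layout the original relied on
# Returns:   0
#######################################
get_ip() {
  local count addr row
  rep=0
  # uniq -c does in one pass what the old per-IP grep "jump" scan did,
  # without its bug of skipping the address that followed every run
  # (i += jump, then the loop's own i++).
  while read -r count addr; do
    [[ -n "$addr" ]] || continue
    rep=$(( rep + 1 ))
    ip_[rep]="$addr"
    row=$(( rep + 12 ))
    printf '\033[%d;1f\033[1;37m[%s] Request per ip %s \033[0;0m\n' \
      "$row" "$count" "$addr"
  done < <(uniq -c "$ip_sort")
  echo "Get ip done by $?"
}

#######################################
# Level detector: for every unique IP and every marker, count the log
# lines containing both, print an alert by threshold and record the lines.
# Globals:   ip_ rep bad_req bad_req_ temp_log details_tmp rule and the
#            threshold/colour constants (read)
# Outputs:   alert lines on stdout; details appended to $details_tmp
# Returns:   0
#######################################
main() {
  local n m matches level summary
  data_reading
  get_ip
  echo "Total Uniq IP $rep"
  echo "$rule"
  echo "level_detector starting"
  echo "$rule"
  printf '\033[1;37mQuery status IP queries num Bad Request\033[0;0m\n'
  for (( n = 1; n <= rep; n++ )); do
    for m in "${!bad_req[@]}"; do
      # Both filters are fixed strings; -w on the address keeps 10.0.0.1
      # from also counting 10.0.0.12 or 110.0.0.1.
      matches=$(grep -F -- "${bad_req[m]}" "$temp_log" | grep -Fw -- "${ip_[n]}")
      [[ -n "$matches" ]] || continue
      level=$(( $(printf '%s\n' "$matches" | wc -l) ))
      # The label is indexed by the marker (m); the original used the
      # IP index (n) here and so printed the wrong label.
      summary="${ip_[n]} $level ${bad_req_[m]}"
      if (( level >= red_min )); then
        printf '%s %s%s\n' "$red_alert_ip_" "$summary" "$reset"
      elif (( level >= yellow_min )); then
        printf '%s %s%s\n' "$yellow_alert_" "$summary" "$reset"
      elif (( level <= monitor_max )); then
        printf '%s %s%s\n' "$monitoring_ip" "$summary" "$reset"
      fi
      # printf '%s' keeps the log lines verbatim; the old echo -e turned
      # backslash escapes found in the log into control bytes.
      {
        echo "$rule"
        printf '%s %s %s\n' "${ip_[n]}" "${bad_req_[m]}" "$level"
        printf '%s \n\n' "$matches"
      } >> "$details_tmp"
    done
  done
  echo "$rule"
}

main
# Publish the details file only once it is complete; mv replaces whatever
# (file or symlink) sits at the fixed path instead of writing through it.
mv -f -- "$details_tmp" "$detailes" || die "cannot write $detailes"
echo "You can check details in $detailes"
printf '\033[1;37m Mail : amiri@abysssec.com \033[0;0m\n'
printf 'Ended @ %s\n' "$(date +%T)" >> "$time_log"
printf 'All %s Ips checked\n' "$totalnom" >> "$time_log"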