Files
Anthropic-Cybersecurity-Skills/skills/analyzing-web-server-logs-for-intrusion/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

2.5 KiB

name, description, domain, subdomain, tags, version, author, license, nist_csf, mitre_attack
name description domain subdomain tags version author license nist_csf mitre_attack
analyzing-web-server-logs-for-intrusion Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers. cybersecurity security-operations
web-log-analysis
apache-logs
nginx-logs
sql-injection-detection
lfi-detection
directory-traversal
intrusion-detection
1.0 mahipal Apache-2.0
DE.CM-01
RS.MA-01
GV.OV-01
DE.AE-02
T1190
T1059.007
T1110
T1595.002
T1505.003

Analyzing Web Server Logs for Intrusion

When to Use

  • When investigating security incidents that require analyzing web server logs for intrusion
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Familiarity with security operations concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Instructions

  1. Install dependencies: pip install geoip2 user-agents
  2. Collect web server access logs in Combined Log Format (Apache) or Nginx default format.
  3. Parse each log entry extracting: IP, timestamp, method, URI, status code, response size, user-agent, referer.
  4. Apply detection rules:
    • SQL injection: UNION SELECT, OR 1=1, ' OR ', hex encoding patterns
    • LFI/Path traversal: ../, /etc/passwd, /proc/self, php://filter
    • XSS: <script>, javascript:, onerror=, onload=
    • Scanner signatures: nikto, sqlmap, dirbuster, gobuster, wfuzz user-agents
    • Brute force: >50 POST requests to login endpoints from same IP in 5 minutes
  5. Enrich with GeoIP data and generate a prioritized findings report.
python scripts/agent.py --log-file /var/log/nginx/access.log --geoip-db GeoLite2-City.mmdb --output web_intrusion_report.json

Examples

Detect SQLi in URI

192.168.1.100 - - [15/Jan/2024:10:30:45 +0000] "GET /products?id=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 4532

Scanner User-Agent Detection

Nikto/2.1.6, sqlmap/1.7, DirBuster-1.0-RC1, gobuster/3.1.0