Anthropic-Cybersecurity-Skills/skills/performing-linux-log-forensics-investigation/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

API Reference — Performing Linux Log Forensics Investigation

Libraries Used

  • re: Pattern matching for log entries (IPs, users, timestamps, suspicious commands)
  • gzip: Read compressed log files (.gz)
  • pathlib: File system operations
  • collections.Counter: Aggregate brute force IPs, command tags

CLI Interface

python agent.py auth --file /var/log/auth.log
python agent.py syslog --file /var/log/syslog
python agent.py history --file /home/user/.bash_history
python agent.py timeline --files /var/log/auth.log /var/log/syslog /var/log/kern.log

Core Functions

analyze_auth_log(log_file) — Authentication log analysis

Detects: failed logins, successful logins, sudo commands, SSH events. Identifies brute force suspects (>=5 failed attempts from same IP).
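The following is an added example (not the skill's own agent.py) showing how the auth.log analysis described above can be done with the standard-library modules listed: regexes for the sshd and sudo message shapes, a Counter per source IP, and the same >=5 threshold. The log lines are constructed for the example, the function names are my own, and the extra "successful login from an IP that also failed" check is an addition the page does not mention.

```python
import gzip
import re
from collections import Counter

# Constructed sample (not a real capture); the message shapes follow what OpenSSH
# and sudo write to auth.log on Debian-family hosts. 203.0.113.5 fails five times
# and never succeeds; 198.51.100.9 fails once and then logs in with a key.
SAMPLE_AUTH_LOG = """\
Mar 11 00:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar 11 00:01:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar 11 00:01:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 51140 ssh2
Mar 11 00:01:12 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.5 port 51150 ssh2
Mar 11 00:01:16 host sshd[1209]: Failed password for root from 203.0.113.5 port 51160 ssh2
Mar 11 00:02:40 host sshd[1250]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 11 00:02:55 host sshd[1252]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar 11 00:03:10 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl -xe
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")

BRUTE_FORCE_THRESHOLD = 5  # the cut-off the reference states: >=5 failures from one IP


def summarize_auth_lines(lines, threshold=BRUTE_FORCE_THRESHOLD):
    """Classify auth.log lines and return counters plus the findings worth escalating."""
    failed_by_ip = Counter()
    failed_users = Counter()
    accepted = []   # (ip, user, method)
    sudo_cmds = []  # (user, command)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            failed_users[m["user"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo_cmds.append((m["user"], m["cmd"].strip()))
    suspects = {ip: n for ip, n in failed_by_ip.items() if n >= threshold}
    # A successful login from a source that also produced failures is the
    # finding to look at first: it may be a guessed password rather than noise.
    success_after_failures = [(ip, user) for ip, user, _ in accepted if ip in failed_by_ip]
    return {
        "failed_by_ip": dict(failed_by_ip),
        "failed_users": dict(failed_users),
        "accepted": accepted,
        "sudo": sudo_cmds,
        "brute_force_suspects": suspects,
        "success_after_failures": success_after_failures,
    }


def summarize_auth_file(path, threshold=BRUTE_FORCE_THRESHOLD):
    """Same analysis over a file on disk; rotated .gz logs are read transparently."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return summarize_auth_lines(fh, threshold)


if __name__ == "__main__":
    result = summarize_auth_lines(SAMPLE_AUTH_LOG.splitlines())
    print("brute-force suspects:", result["brute_force_suspects"])
    print("success after failures:", result["success_after_failures"])
```

The threshold is a parameter rather than a constant because noisy internet-facing hosts need a higher cut-off than an internal bastion; the "accepted after failures" list is what turns a count into a lead.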

analyze_syslog(log_file) — System log anomaly detection

Flags: errors/critical messages, kernel anomalies (segfault, OOM, panic), cron jobs.

analyze_command_history(history_file) — Suspicious command detection

12 patterns: remote code execution (curl|sh), reverse shells, base64 decode, crontab modification, firewall flush, history clearing, destructive commands.

timeline_analysis(log_files) — Multi-source timeline reconstruction

Merges events from multiple log files sorted by timestamp. Supports syslog format (Mon DD HH:MM:SS) and ISO 8601.
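An added example (not the skill's code) of the timeline merge described above: each line is stamped with either a classic syslog timestamp, which carries no year, or an ISO 8601 one, which may carry a zone offset; both are normalised to timezone-aware datetimes and the merged list is sorted. The caller supplies the year for syslog lines (the file's modification year is the usual choice), and lines with no recognisable timestamp are counted per source rather than dropped silently. The sample lines and function names are constructed for this example.

```python
import gzip
import re
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Classic syslog: "Mar 11 00:01:05 host ..." (no year, no zone)
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<rest>.*)$")
# ISO 8601 as written by rsyslog's RFC 5424 template, journalctl -o short-iso, etc.
ISO_TS = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?)\s+(?P<rest>.*)$")


def parse_timestamp(line, year, default_tz=timezone.utc):
    """Return (aware datetime, remainder of line) or None if no timestamp is recognised."""
    m = ISO_TS.match(line)
    if m:
        ts = m["ts"]
        if ts.endswith("Z"):                       # fromisoformat() < 3.11 rejects 'Z'
            ts = ts[:-1] + "+00:00"
        ts = re.sub(r"([+-]\d{2})(\d{2})$", r"\1:\2", ts)  # "+0100" -> "+01:00"
        dt = datetime.fromisoformat(ts)
        if dt.tzinfo is None:                      # naive ISO stamp: assume default zone
            dt = dt.replace(tzinfo=default_tz)
        return dt, m["rest"]
    m = SYSLOG_TS.match(line)
    if m:
        # Syslog stamps omit the year, so the caller supplies it. Logs spanning a
        # New Year need the caller to split the file or pass the year per chunk.
        dt = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return dt.replace(tzinfo=default_tz), m["rest"]
    return None


def build_timeline(sources, year, default_tz=timezone.utc):
    """sources: {source name: iterable of lines}. Returns (sorted events, unparsed counts)."""
    events = []        # (datetime, source, message)
    unparsed = Counter()
    for name, lines in sources.items():
        for line in lines:
            parsed = parse_timestamp(line.rstrip("\n"), year, default_tz)
            if parsed is None:
                unparsed[name] += 1
                continue
            dt, rest = parsed
            events.append((dt, name, rest))
    events.sort(key=lambda e: e[0])  # stable sort keeps file order for equal stamps
    return events, unparsed


def timeline_from_files(paths, year=None):
    """Read plain or .gz log files from disk and merge them."""
    year = year or datetime.now(timezone.utc).year
    sources = {}
    for p in map(Path, paths):
        opener = gzip.open if p.suffix == ".gz" else open
        with opener(p, "rt", encoding="utf-8", errors="replace") as fh:
            sources[p.name] = fh.readlines()
    return build_timeline(sources, year)


# Constructed sample: two syslog-format sources and one ISO source with a +01:00
# offset, plus one line with no timestamp at all.
SAMPLE_SOURCES = {
    "auth.log": [
        "Mar 11 00:01:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 51130 ssh2",
        "Mar 11 00:02:55 host sshd[1252]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2",
    ],
    "kern.log": [
        "2026-03-11T00:01:30.512Z host kernel: Out of memory: Killed process 2222 (python3)",
    ],
    "app.log": [
        "2026-03-11 01:02:03+01:00 host app[77]: worker started",   # 00:02:03 UTC
        "garbage line without timestamp",
    ],
}

if __name__ == "__main__":
    events, unparsed = build_timeline(SAMPLE_SOURCES, year=2026)
    for dt, src, msg in events:
        print(dt.astimezone(timezone.utc).isoformat(), src, msg)
    print("unparsed:", dict(unparsed))
```

Sorting on aware datetimes is what makes the +01:00 application line land between the two UTC kernel and auth events; sorting on the raw strings would have put it last.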

Suspicious Command Tags

Tag                    Pattern
REMOTE_CODE_EXECUTION  curl/wget piped to sh/bash
BASH_REVERSE_SHELL     /dev/tcp/ usage
NETCAT_LISTENER        nc -e/-l/-p
HISTORY_CLEAR          history -c
DESTRUCTIVE_COMMAND    rm -rf /

Dependencies

No external packages — Python standard library only.