security analyst security skill risk: medium

Web Server Log Intrusion Analyzer

The prompt provides steps to parse Apache and Nginx access logs, apply detection rules for SQL injection, LFI, XSS, scanners and brute force, enrich with GeoIP data, and generate a…

Policy sensitive
Human review

SKILL 4 files · 2 folders

SKILL.md

Download

---
name: analyzing-web-server-logs-for-intrusion
description: "Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal,"
---
# Analyzing Web Server Logs for Intrusion


## When to Use

- When investigating security incidents that require analyzing web server logs for intrusion
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

1. Install dependencies: `pip install geoip2 user-agents`
2. Collect web server access logs in Combined Log Format (Apache) or Nginx default format.
3. Parse each log entry extracting: IP, timestamp, method, URI, status code, response size, user-agent, referer.
4. Apply detection rules:
   - SQL injection: `UNION SELECT`, `OR 1=1`, `' OR '`, hex encoding patterns
   - LFI/Path traversal: `../`, `/etc/passwd`, `/proc/self`, `php://filter`
   - XSS: `<script>`, `javascript:`, `onerror=`, `onload=`
   - Scanner signatures: nikto, sqlmap, dirbuster, gobuster, wfuzz user-agents
   - Brute force: >50 POST requests to login endpoints from same IP in 5 minutes
5. Enrich with GeoIP data and generate a prioritized findings report.

```bash
python scripts/agent.py --log-file /var/log/nginx/access.log --geoip-db GeoLite2-City.mmdb --output web_intrusion_report.json
```

## Examples

### Detect SQLi in URI
```
192.168.1.100 - - [15/Jan/2024:10:30:45 +0000] "GET /products?id=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 4532
```

### Scanner User-Agent Detection
```
Nikto/2.1.6, sqlmap/1.7, DirBuster-1.0-RC1, gobuster/3.1.0
```

REQUIRED CONTEXT

web server access logs in Combined Log Format
GeoIP database file

OPTIONAL CONTEXT

Python environment with geoip2 and user-agents

EXPECTED OUTPUT

Format

json

Constraints

prioritized findings report
include GeoIP enrichment
valid JSON only

EXAMPLES

Includes two log entry examples demonstrating SQLi detection in a URI and scanner user-agent signatures.

CAVEATS

Missing context

Exact output format or schema for the findings report
Error handling or edge cases for malformed log lines

Ambiguities

Description field is truncated mid-sentence.

QUALITY

OVERALL: 0.72
CLARITY: 0.80
SPECIFICITY: 0.75
REUSABILITY: 0.70
COMPLETENESS: 0.65

IMPROVEMENT SUGGESTIONS

Complete the truncated description sentence.
Add a required output format section (e.g., JSON schema or report template).

USAGE

Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.