Apache Log Parsers


Here is a series of scripts and one-liners that I use to detect and mitigate network attacks. The first one is a simple parser which looks for evidence of SQL injection attacks in the requested URL. The script assumes standard NCSA logging is in place; if your log format differs, you may need to adjust the column (awk field) you are searching.

awk '{print $1 " - " $7 }' domain.tld-access_log |grep -iE \
 "(union|drop|grant|exec|select|concat)"

And of course, if you would like time stamping, you can do the following:

awk '{print $4 " - " $1 " - " $7 }' domain.tld-access_log |grep -iE \
 "(union|drop|grant|exec|select|concat)"
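The one-liners above match the keywords as plain substrings on the raw request field, so a path such as /selection.php trips the "select" pattern, while a payload whose spaces are percent-encoded is still caught only because the keywords themselves happen to be unencoded. The following script is an added example (not part of the original post) that decodes the request target first and then requires whole-word keyword hits. It keeps the same field assumptions as the one-liners ($1 client IP, $4 timestamp, $7 request target in NCSA common/combined format); the function names, the keyword list reuse, and the sample log lines are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Percent-decode the request
# target, then flag whole-word SQL keyword hits. Field layout assumed:
# $1 = client IP, $4 = "[dd/Mon/yyyy:hh:mm:ss", $7 = request target (NCSA format).

flag_sqli_requests() {
  awk '
  # Percent-decode a URL component; "+" becomes a space as in form encoding.
  function urldecode(s,    out, c, hex, n) {
    hex = "0123456789abcdef"
    out = ""
    while (length(s) > 0) {
      c = substr(s, 1, 1)
      if (c == "%" && substr(s, 2, 2) ~ /^[0-9a-fA-F][0-9a-fA-F]$/) {
        n = (index(hex, tolower(substr(s, 2, 1))) - 1) * 16
        n = n + index(hex, tolower(substr(s, 3, 1))) - 1
        out = out sprintf("%c", n)
        s = substr(s, 4)
      } else if (c == "+") {
        out = out " "
        s = substr(s, 2)
      } else {
        out = out c
        s = substr(s, 2)
      }
    }
    return out
  }
  {
    req = tolower(urldecode($7))
    # Whole-word match: keyword must not be glued to other identifier characters,
    # so "selection.php" and "dropdown.css" are not reported.
    if (req ~ /(^|[^a-z0-9_])(union|drop|grant|exec|select|concat)([^a-z0-9_]|$)/)
      print substr($4, 2), $1, $7
  }' "${1:-/dev/stdin}"
}

# Number of flagged requests, handy for alert thresholds in cron jobs.
sqli_hit_count() {
  flag_sqli_requests "$1" | grep -c . || true
}

# Constructed sample log, not real traffic (192.0.2.0/24 is documentation space).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [10/Oct/2023:13:55:36 -0700] "GET /index.php?id=1 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2023:13:55:40 -0700] "GET /selection.php?page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Oct/2023:13:56:02 -0700] "GET /item.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 1024 "-" "curl/8.0"
192.0.2.13 - - [10/Oct/2023:13:56:10 -0700] "GET /admin.php?q=1;+DROP+TABLE+test HTTP/1.1" 500 200 "-" "python-requests/2.31"
192.0.2.14 - - [10/Oct/2023:13:56:15 -0700] "GET /css/dropdown.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF

# Stand-alone run: prints the two injected requests (192.0.2.12 and 192.0.2.13).
flag_sqli_requests "$SAMPLE_LOG"
```

The decode step matters because the same payload can arrive as %20, +, or literal spaces, and a substring grep over the raw field only sees the encoded form. The word-boundary check cuts the obvious false positives, but a keyword list is still only a triage filter: hyphenated names like drop-down still match, and an attacker can use keywords not on the list, so treat hits as leads to review rather than as confirmed attacks.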

More scripts to follow.


Research is what I'm doing when I don't know what I'm doing.
-- Wernher von Braun