JnuSimba · November 6, 2017 13:09
diff --git a/LogForensics.pl b/LogForensics.pl
 #!/usr/bin/perl -w

 use Getopt::Long;
 use Tie::File;

 my $version=2014102301;
 print "\t\t\tWeb log forensics\n";
 print "\t\t\tby Xti9er\n";

 $|=1;
 my $file;
 my @logs;
 my $input_ip;
 my $input_url;
 my $websvr='';
 my $ip_flag=0;
 my $url_flag=0;
 my @ips;
 my @urls;
 my $time;
 my $process;
 my %result;
 my $stime=time;
 my $regex;
 my $fast;

 my %asctimes=qw(
 Jan 1
 Feb 2
 Mar 3
 Apr 4
 May 5
 Jun 6
 Jul 7
 Aug 8
 Sep 9
 Oct 10
 Nov 11
 Dec 12
 );	

 my $result = GetOptions (
 					  "ip=s" => \$input_ip,
                      "file=s"   => \$file, 
                      "url=s"  => \$input_url,
 					  "websvr=s"  => \$websvr,
 					  "fast"  => sub{$fast=1},
 					  "help"  => sub{usage()}
                     );                   


 my $tregex=qr/(\d+)\/(\w+)\/(\d+):(\d+):(\d+):(\d+)/;

 if($websvr eq 'nginx'){
 	$regex=qr/(\d+\.\d+\.\d+\.\d+) - - \[(\d+\/\w+\/\d+:\d+:\d+:\d+) \+\d+\].*?(GET|POST)\s(.*?)\sHTTP.*?"\s(\d+)/;
 }
 elsif($websvr eq 'httpd'){
 	$regex=qr/(\d+\.\d+\.\d+\.\d+) - - \[(\d+\/\w+\/\d+:\d+:\d+:\d+) \+\d+\] "(GET|POST)\s(.*?)\sHTTP.*?"\s(\d+)?/;
 }
 elsif($websvr eq 'iis'){
 	$regex=qr/(\d+-\d+-\d+ \d+:\d+:\d+) .*?\s(GET|POST) (.*?) \d+ - (\d+.\d+.\d+.\d+) .*? (\d+)\s/;
 }
 else{usage();}
 usage() until defined($file);
 #ip   1.2.3.4,5.6.7.8
 if(defined $input_ip){
 	if($input_ip=~/\,/){
 		@ips=split(/\,/,$input_ip);
 	}
 	else{
 		push(@ips,$input_ip);
 	}
 	$ip_flag=1;
 }

 #as.php,conn.php
 if(defined $input_url){
 	if($input_url=~/\,/){
 		@urls=split(/\,/,$input_url);
 	}
 	else{
 		push(@urls,$input_url);
 	}
 	$url_flag=1;
 }

 print "[*] ip=",$input_ip?$input_ip:'NULL'," \t url=",$input_url?$input_url:'NULL',"\n";
 	
 PRELOADED:
 if(-e "$file.db"){
 	print "[*] LOAD $file.db\n";
 	
 	if($fast){
 		my @tmp_logs;
 		tie @tmp_logs, 'Tie::File', "$file.db" or die $!;
 		foreach my $line(@tmp_logs){
 			push(@logs,$line);
 		}
 	}
 	else{
 		tie @logs, 'Tie::File', "$file.db" or die $!;
 	}	
 	
 	my $oldip=scalar(@ips);
 	my $oldurl=scalar(@urls);
 	OTHERIP:
 	# print "ips:@ips\n";
 	# print "url:@urls\n";
 	#preload regex
 	for(1..$#urls){$urls[$_]=qr/$urls[$_]/}
 	
 	foreach my $line(@logs){
 		my @info=split(/\t/,$line);
 		my $tmp_ip_flag=0;
 		my $tmp_url_flag=0;
 		if(scalar(@ips)>0){
 			
 			for(@ips){
 				$tmp_ip_flag=1 if $info[0] eq $_;
 			}
 		}

 		#有url参数则从Url查起，否则全量
 		if(scalar(@urls)>0){
 			
 			for my $now_url(@urls){
 				$tmp_url_flag=1 if $info[3]=~/$now_url/;
 			}
 		}
 				
 		my @cgi=split(/\?/,$info[3]);
 		if($tmp_url_flag==1 or $tmp_ip_flag==1){
 			$result{$info[0]}{@cgi?$cgi[0]:$info[3]}{$info[1]}++;
 		}
 		elsif(scalar(@ips)==0 and scalar(@urls)==0){
 			$result{$info[0]}{@cgi?$cgi[0]:$info[3]}{$info[1]}++;
 		}

 	}
 	
 	my %tmp_ip_url;
 	my %tmp_url_ip;
 	my $tmp_url_minus;
 	foreach my $ip(keys %result){
 		foreach my $url(keys %{$result{$ip}}){
 			foreach my $time(keys %{$result{$ip}{$url}}){
 				$tmp_ip_url{$ip}{$url}+=$result{$ip}{$url}{$time};
 				$tmp_url_ip{$url}{$ip}=0;
 			}
 			#删除访问次数大于XX次的 url
 			delete $result{$ip}{$url} if $tmp_ip_url{$ip}{$url}>50;
 			$tmp_url_minus++;
 		}
 	}

 	foreach my $tmp_url(keys %tmp_url_ip){
 		#删除访问IP数大于XX次的URL	
 		if(scalar(keys %{$tmp_url_ip{$tmp_url}})>10){
 			foreach my $ip(keys %result){
 				delete $result{$ip}{$tmp_url};
 				$tmp_url_minus++;
 			}
 		}	
 	}

 	################
 	my $newip=scalar(keys %result);
 	
 	my %tmp_url;
 	foreach my $ip(keys %result){
 		foreach my $url(keys %{$result{$ip}}){
 			$tmp_url{$url}++;
 		}
 	}
 		
 	my $newurl=scalar(keys %tmp_url);
 	
 		#循环查找根据条件查到的所有IP的线索		???
 	if($newip>$oldip or $newurl>$oldurl){
 	
 		#####更新IP条件
 		undef @ips;
 		foreach my $ip(keys %result){push(@ips,$ip);}
 		
 		#####更新url条件
 		undef @urls;
 		for(keys %tmp_url){push(@urls,$_)}
 		
 		################
 		undef @ips if $ip_flag==1;
 		undef @urls if $url_flag==1;
 		#print "@ips\n";
 		print "[!] ip + ",$newip-$oldip," & url + ",$newurl-$oldurl," and go on\n";
 		$oldip=$newip;
 		$oldurl=$newurl;
 		sleep 2;
 		goto OTHERIP;
 	}
 	
 	print "[*] Export report... Plz wait\n";
 	report();
 }
 else{
 	print "[*] PRELOAD $file Plz wait\n";
 	open(LOG,"$file") or die $!; 
 	open(DB,"+>$file.db") or die $!; 
 	while(my $line=<LOG>){

 		# $process++;
 		# print $process%2?'+':'x';print "\b";
 		chomp($line);
 	
 		#print "$line\n";
 		if($line=~/$regex/){
 			my $ip;
 			my $time;
 			my $method;
 			my $url;
 			my $status_code;
 			my $cgi;
 			
 			if($websvr eq 'iis'){
 				$time=$1;
 				$method=$2;
 				$url=$3;
 				$ip=$4;
 				$status_code=$5;
 			}
 			else{
 				$ip=$1;
 				$time=logt2timestamp($2);
 				$method=$3;
 				$url=$4;
 				$status_code=$5;				
 			}
 			
 			####方便URL去重
 			if($url=~/(.*?)\?/){
 				$cgi=$1;
 			}
 			else{
 				$cgi=$url;
 			}
 			##############
 			#print "$ip\t$time\t$method\t$url\t$status_code\t$cgi\n";
 			if($status_code!=200){next;}
 #			if($method eq 'GET' and $cgi=~/.html$|.htm$|.jpg$|.png$|.js$|.gif$|.jpeg$|.swf$|\/$|.css$|.ico$|.txt$/i){next;}
 			if(($method eq 'GET' and $cgi=~/.php$|.jsp$|.asp$|.aspx$/i) or ($method eq 'POST')){
 				print DB "$ip\t$time\t$method\t$url\t$status_code\t\n";
 			}			
 		}			
 	}
 	
 	close DB;
 	close LOG;	
 	goto PRELOADED;
 } 

 sub usage{
 	print "
 	usage:
 	LogForensics.pl -file logfile -websvr (nginx|httpd) [-ip ip(ip,ip,ip)|-url url(url,url,url)]
 	";
 	exit;
 }

 sub logt2timestamp{
 	#21/Sep/2014:00:09:55
 	my @atime;
 	my $logt=shift;

 	if(@atime=$logt=~/$tregex/){	
 		return "$atime[2]-$asctimes{$atime[1]}-$atime[0] $atime[3]:$atime[4]:$atime[5]";
 	}
 }

 sub report{
 	
 	open(RE,"+>$file.log");
 	my $allurl=0;
 	my $allip=0;
 	foreach my $ip(keys %result){
 		if(scalar(keys %{$result{$ip}})>0){
 			#print "[ip] $ip\n";
 			$allip++;
 			print RE "[ip] $ip\n";
 		}
 		foreach my $url(keys %{$result{$ip}}){
 			my @tmp_result=keys %{$result{$ip}{$url}};
 			#[first time ~ last time] + url + (count)
 			print RE "	|__\t[$tmp_result[0] ~ $tmp_result[$#tmp_result]] $url	(".scalar(keys %{$result{$ip}{$url}}).")\n";
 		}
 		$allurl+=scalar(keys %{$result{$ip}});
 	}
 	
 	my $etime=time;
 	print "[*] All Done in ",$etime-$stime," s , ip[$allip] url[$allurl]\n";
 	print RE "[*] All Done in ",$etime-$stime," s , ip[$allip] url[$allurl]\n";
 	close RE;
 }
	#!/usr/bin/perl -w

	use Getopt::Long;
	use Tie::File;

	my $version=2014102301;
	print "\t\t\tWeb log forensics\n";
	print "\t\t\tby Xti9er\n";

	$\|=1;
	my $file;
	my @logs;
	my $input_ip;
	my $input_url;
	my $websvr='';
	my $ip_flag=0;
	my $url_flag=0;
	my @ips;
	my @urls;
	my $time;
	my $process;
	my %result;
	my $stime=time;
	my $regex;
	my $fast;

	my %asctimes=qw(
	Jan 1
	Feb 2
	Mar 3
	Apr 4
	May 5
	Jun 6
	Jul 7
	Aug 8
	Sep 9
	Oct 10
	Nov 11
	Dec 12
	);

	my $result = GetOptions (
	"ip=s" => \$input_ip,
	"file=s" => \$file,
	"url=s" => \$input_url,
	"websvr=s" => \$websvr,
	"fast" => sub{$fast=1},
	"help" => sub{usage()}
	);


	my $tregex=qr/(\d+)\/(\w+)\/(\d+):(\d+):(\d+):(\d+)/;

	if($websvr eq 'nginx'){
	$regex=qr/(\d+\.\d+\.\d+\.\d+) - - \[(\d+\/\w+\/\d+:\d+:\d+:\d+) \+\d+\].?(GET\|POST)\s(.?)\sHTTP.*?"\s(\d+)/;
	}
	elsif($websvr eq 'httpd'){
	$regex=qr/(\d+\.\d+\.\d+\.\d+) - - \[(\d+\/\w+\/\d+:\d+:\d+:\d+) \+\d+\] "(GET\|POST)\s(.?)\sHTTP.?"\s(\d+)?/;
	}
	elsif($websvr eq 'iis'){
	$regex=qr/(\d+-\d+-\d+ \d+:\d+:\d+) .?\s(GET\|POST) (.?) \d+ - (\d+.\d+.\d+.\d+) .*? (\d+)\s/;
	}
	else{usage();}
	usage() until defined($file);
	#ip 1.2.3.4,5.6.7.8
	if(defined $input_ip){
	if($input_ip=~/\,/){
	@ips=split(/\,/,$input_ip);
	}
	else{
	push(@ips,$input_ip);
	}
	$ip_flag=1;
	}

	#as.php,conn.php
	if(defined $input_url){
	if($input_url=~/\,/){
	@urls=split(/\,/,$input_url);
	}
	else{
	push(@urls,$input_url);
	}
	$url_flag=1;
	}

	print "[*] ip=",$input_ip?$input_ip:'NULL'," \t url=",$input_url?$input_url:'NULL',"\n";

	PRELOADED:
	if(-e "$file.db"){
	print "[*] LOAD $file.db\n";

	if($fast){
	my @tmp_logs;
	tie @tmp_logs, 'Tie::File', "$file.db" or die $!;
	foreach my $line(@tmp_logs){
	push(@logs,$line);
	}
	}
	else{
	tie @logs, 'Tie::File', "$file.db" or die $!;
	}

	my $oldip=scalar(@ips);
	my $oldurl=scalar(@urls);
	OTHERIP:
	# print "ips:@ips\n";
	# print "url:@urls\n";
	#preload regex
	for(1..$#urls){$urls[$_]=qr/$urls[$_]/}

	foreach my $line(@logs){
	my @info=split(/\t/,$line);
	my $tmp_ip_flag=0;
	my $tmp_url_flag=0;
	if(scalar(@ips)>0){

	for(@ips){
	$tmp_ip_flag=1 if $info[0] eq $_;
	}
	}

	#有url参数则从Url查起，否则全量
	if(scalar(@urls)>0){

	for my $now_url(@urls){
	$tmp_url_flag=1 if $info[3]=~/$now_url/;
	}
	}

	my @cgi=split(/\?/,$info[3]);
	if($tmp_url_flag==1 or $tmp_ip_flag==1){
	$result{$info[0]}{@cgi?$cgi[0]:$info[3]}{$info[1]}++;
	}
	elsif(scalar(@ips)==0 and scalar(@urls)==0){
	$result{$info[0]}{@cgi?$cgi[0]:$info[3]}{$info[1]}++;
	}

	}

	my %tmp_ip_url;
	my %tmp_url_ip;
	my $tmp_url_minus;
	foreach my $ip(keys %result){
	foreach my $url(keys %{$result{$ip}}){
	foreach my $time(keys %{$result{$ip}{$url}}){
	$tmp_ip_url{$ip}{$url}+=$result{$ip}{$url}{$time};
	$tmp_url_ip{$url}{$ip}=0;
	}
	#删除访问次数大于XX次的 url
	delete $result{$ip}{$url} if $tmp_ip_url{$ip}{$url}>50;
	$tmp_url_minus++;
	}
	}

	foreach my $tmp_url(keys %tmp_url_ip){
	#删除访问IP数大于XX次的URL
	if(scalar(keys %{$tmp_url_ip{$tmp_url}})>10){
	foreach my $ip(keys %result){
	delete $result{$ip}{$tmp_url};
	$tmp_url_minus++;
	}
	}
	}

	################
	my $newip=scalar(keys %result);

	my %tmp_url;
	foreach my $ip(keys %result){
	foreach my $url(keys %{$result{$ip}}){
	$tmp_url{$url}++;
	}
	}

	my $newurl=scalar(keys %tmp_url);

	#循环查找根据条件查到的所有IP的线索 ???
	if($newip>$oldip or $newurl>$oldurl){

	#####更新IP条件
	undef @ips;
	foreach my $ip(keys %result){push(@ips,$ip);}

	#####更新url条件
	undef @urls;
	for(keys %tmp_url){push(@urls,$_)}

	################
	undef @ips if $ip_flag==1;
	undef @urls if $url_flag==1;
	#print "@ips\n";
	print "[!] ip + ",$newip-$oldip," & url + ",$newurl-$oldurl," and go on\n";
	$oldip=$newip;
	$oldurl=$newurl;
	sleep 2;
	goto OTHERIP;
	}

	print "[*] Export report... Plz wait\n";
	report();
	}
	else{
	print "[*] PRELOAD $file Plz wait\n";
	open(LOG,"$file") or die $!;
	open(DB,"+>$file.db") or die $!;
	while(my $line=<LOG>){

	# $process++;
	# print $process%2?'+':'x';print "\b";
	chomp($line);

	#print "$line\n";
	if($line=~/$regex/){
	my $ip;
	my $time;
	my $method;
	my $url;
	my $status_code;
	my $cgi;

	if($websvr eq 'iis'){
	$time=$1;
	$method=$2;
	$url=$3;
	$ip=$4;
	$status_code=$5;
	}
	else{
	$ip=$1;
	$time=logt2timestamp($2);
	$method=$3;
	$url=$4;
	$status_code=$5;
	}

	####方便URL去重
	if($url=~/(.*?)\?/){
	$cgi=$1;
	}
	else{
	$cgi=$url;
	}
	##############
	#print "$ip\t$time\t$method\t$url\t$status_code\t$cgi\n";
	if($status_code!=200){next;}
	# if($method eq 'GET' and $cgi=~/.html$\|.htm$\|.jpg$\|.png$\|.js$\|.gif$\|.jpeg$\|.swf$\|\/$\|.css$\|.ico$\|.txt$/i){next;}
	if(($method eq 'GET' and $cgi=~/.php$\|.jsp$\|.asp$\|.aspx$/i) or ($method eq 'POST')){
	print DB "$ip\t$time\t$method\t$url\t$status_code\t\n";
	}
	}
	}

	close DB;
	close LOG;
	goto PRELOADED;
	}

	sub usage{
	print "
	usage:
	LogForensics.pl -file logfile -websvr (nginx\|httpd) [-ip ip(ip,ip,ip)\|-url url(url,url,url)]
	";
	exit;
	}

	sub logt2timestamp{
	#21/Sep/2014:00:09:55
	my @atime;
	my $logt=shift;

	if(@atime=$logt=~/$tregex/){
	return "$atime[2]-$asctimes{$atime[1]}-$atime[0] $atime[3]:$atime[4]:$atime[5]";
	}
	}

	sub report{

	open(RE,"+>$file.log");
	my $allurl=0;
	my $allip=0;
	foreach my $ip(keys %result){
	if(scalar(keys %{$result{$ip}})>0){
	#print "[ip] $ip\n";
	$allip++;
	print RE "[ip] $ip\n";
	}
	foreach my $url(keys %{$result{$ip}}){
	my @tmp_result=keys %{$result{$ip}{$url}};
	#[first time ~ last time] + url + (count)
	print RE " \|__\t[$tmp_result[0] ~ $tmp_result[$#tmp_result]] $url (".scalar(keys %{$result{$ip}{$url}}).")\n";
	}
	$allurl+=scalar(keys %{$result{$ip}});
	}

	my $etime=time;
	print "[*] All Done in ",$etime-$stime," s , ip[$allip] url[$allurl]\n";
	print RE "[*] All Done in ",$etime-$stime," s , ip[$allip] url[$allurl]\n";
	close RE;
	}