Share
## https://sploitus.com/exploit?id=4ABFEAAD-9BA8-5C3E-B9DA-AD82B84C6CAA
# log_analyzer

A streaming access-log analyzer that detects classic web-pentest artifacts
and turns them into actionable output: structured JSON alerts, a Markdown
incident report, and a ready-to-run `ufw` mitigation script.

## What it catches

| Category | Logic |
|---|---|
| Directory Traversal / LFI | Regex on decoded path: `../../`, `/etc/passwd`, `php://filter`, etc. |
| SQL Injection | Regex: `' OR 1=1`, `--`, `UNION SELECT`, `SLEEP()`, `information_schema` |
| XSS | Regex: ``). The parser anchors on the
  trailing `HTTP/x.x` token instead, so the full payload survives intact
  for regex matching.

## Extending it

- Add a new attack signature: add a pattern under `detection:` in
  `config.yaml` โ€” no code change needed.
- Add a new scanner signature: append to
  `user_agent_classification.scanners`.
- Add a new sensitive directory to watch for brute-forcing: append to
  `bruteforce.sensitive_dirs`.
- Tighten/loosen brute-force or credential-stuffing sensitivity: edit
  `window_seconds` / `threshold_404` / `threshold_401`.
- Change the mitigation command (e.g. to `iptables` or a cloud WAF API
  call instead of `ufw`): edit `mitigation.command_template`.

## Files

- `log_analyzer.py` โ€” the engine (parsing, detection, reporting, CLI)
- `config.yaml` โ€” externalized regex/thresholds/whitelist
- `sample_access.log` โ€” mock log with one example of every detection
  category mixed into benign traffic, plus a few malformed lines, so you
  can run the tool immediately without a real server log