ihorpjp/soc-log-analyzer

GitHub: ihorpjp/soc-log-analyzer

A sliding-window security analysis tool for Linux auth.log that detects five classes of attack behaviour (SSH brute force, user enumeration, privilege escalation and more) and produces structured reports.

Stars: 0 | Forks: 0

# 🛡️ SOC Log Analyzer

A production-grade Python tool for detecting suspicious activity in Linux `auth.log` files. Built for SOC analysts, system administrators and security-minded developers.

## Features

| Detection | Description |
|---|---|
| 🔴 **SSH brute force** | Flags IPs whose failed logins exceed N within a time window |
| 🟠 **User enumeration** | Detects IPs that probe a large number of distinct usernames |
| 🔴 **Privilege escalation** | Catches repeated sudo failures and root session opens |
| 🟡 **SSH scanners** | Identifies port scanning via preauth disconnects |
| 🚨 **Compromise detection** | Flags successful logins from IPs that were previously seen attacking |

**Output:**

- Colour terminal report
- JSON alert file (machine-readable, suitable for CI/CD)
- Optional plain-text report file
- Optional Telegram notification for HIGH/CRITICAL alerts

## Project structure

```
soc-log-analyzer/
├── analyzer.py          # Main CLI entry point
├── parser.py            # Auth.log parsing engine (regex-based)
├── alerts.py            # Detection engine + output functions
├── config.py            # Thresholds, Telegram config, whitelists
├── requirements.txt
└── example_logs/
    └── auth.log         # Sample log for testing
```

## Installation

```
# Clone the repository
git clone https://github.com/ihorbezruchko/soc-log-analyzer.git
cd soc-log-analyzer

# Install dependencies (only 'requests', needed for Telegram)
pip install -r requirements.txt
```

**Requirements:** Python 3.8+

## Usage

### Basic analysis

```
python analyzer.py --log /var/log/auth.log
```

### Save alerts as JSON

```
python analyzer.py --log /var/log/auth.log --output alerts.json
```

### Save a text report

```
python analyzer.py --log /var/log/auth.log --report report.txt
```

### Custom thresholds

```
# Flag after 3 failures within 60 seconds (more sensitive)
python analyzer.py --log /var/log/auth.log --threshold 3 --window 60
```

### Telegram notifications

```
export TELEGRAM_BOT_TOKEN="your_bot_token"
export TELEGRAM_CHAT_ID="your_chat_id"
python analyzer.py --log /var/log/auth.log --telegram
```

### Test with the sample log

```
python analyzer.py --log example_logs/auth.log
```

### All options

```
usage: analyzer.py [-h] --log FILE [--output FILE] [--report FILE]
                   [--threshold N] [--window SECONDS] [--telegram]
                   [--no-color] [--verbose] [--year YEAR]

options:
  --log, -l FILE         Path to auth.log file
  --output, -o FILE      JSON output file (default: alerts.json)
  --report, -r FILE      Save text report to file
  --threshold, -t N      Failed login threshold (default: 5)
  --window, -w SECONDS   Time window for brute-force detection (default: 300)
  --telegram             Send HIGH/CRITICAL alerts via Telegram
  --no-color             Disable ANSI colours in terminal
  --verbose, -v          Enable debug logging
  --year YEAR            Year for log timestamps (default: current year)
```

## Example output

```
══════════════════════════════════════════════════════════════════════
  SOC LOG ANALYZER — SECURITY REPORT
  Generated : 2026-03-09 17:06:32
  Log file  : example_logs/auth.log
  Events    : 46
  Alerts    : 6
══════════════════════════════════════════════════════════════════════

ALERT SUMMARY BY SEVERITY
  [CRITICAL]   1 ███
  [HIGH]       1 ███
  [MEDIUM]     4 ████████████

TOP ATTACKING IPs
  ⚠ 185.234.218.45    2 alert(s)
  ⚠ 91.200.12.77      2 alert(s)
  ⚠ 10.0.0.50         1 alert(s)

DETAILED ALERTS
[006] [CRITICAL] SUCCESSFUL_LOGIN_FROM_ATTACKER
  CRITICAL: Successful login by 'deploy' from 185.234.218.45 — this IP was
  previously flagged for brute-force activity. Possible successful compromise.
  IP      : 185.234.218.45
  User    : deploy
  ...
```

## Detection logic

### Brute-force detection (sliding window)

The analyzer uses a **sliding time window** algorithm rather than a raw count, so that historical logs spanning several days do not produce false positives.

```
For each IP:
  Sort failed login events by timestamp
  Use a sliding window of N seconds
  If max events in any window >= threshold → ALERT

Severity scaling:
  >= 5 failures  → MEDIUM
  >= 15 failures → HIGH
  >= 20 failures → CRITICAL
```

### User enumeration

```
If an IP attempts 3+ distinct invalid usernames → USER_ENUMERATION alert
This pattern indicates automated scanning tools (e.g. Hydra, Medusa)
```

### Privilege escalation

```
3+ sudo authentication failures for same user → PRIVILEGE_ESCALATION_ATTEMPT
Any root session opened → ROOT_SESSION_OPENED (HIGH severity, review manually)
```

### Compromise detection

```
After all alerts are generated:
  If any ACCEPTED_LOGIN event came from an IP that was flagged
  → SUCCESSFUL_LOGIN_FROM_ATTACKER (CRITICAL)

This is the highest-confidence indicator of a real breach.
```

## JSON output format

```
{
  "generated_at": "2026-03-09T17:06:32",
  "total_alerts": 6,
  "alerts": [
    {
      "alert_id": 1,
      "alert_type": "BRUTE_FORCE",
      "severity": "MEDIUM",
      "source_ip": "185.234.218.45",
      "username": "root, admin, ubuntu",
      "count": 12,
      "first_seen": "2026-03-01 02:11:01",
      "last_seen": "2026-03-01 02:11:23",
      "description": "Brute-force SSH attack detected...",
      "raw_samples": ["Mar 1 02:11:01 server sshd[3821]: Failed password..."]
    }
  ]
}
```

## Telegram setup

1. Message [@BotFather](https://t.me/BotFather) on Telegram → create a bot → copy the token
2. Message [@userinfobot](https://t.me/userinfobot) to get your chat ID
3. Set the environment variables:

```
export TELEGRAM_BOT_TOKEN="123456:ABC-DEF..."
export TELEGRAM_CHAT_ID="987654321"
```

When the `--telegram` flag is used, alerts of HIGH and CRITICAL severity are sent automatically.

## Whitelisting trusted IPs

Edit `config.py` to exclude known-safe IPs:

```
WHITELISTED_IPS = [
    "127.0.0.1",
    "::1",
    "10.0.0.1",       # your router
    "192.168.1.5",    # your admin workstation
]
```

## Exit codes

| Code | Meaning |
|------|---------|
| `0` | No HIGH or CRITICAL alerts found |
| `1` | One or more HIGH/CRITICAL alerts detected |

This allows integration into shell scripts or CI/CD pipelines:

```
python analyzer.py --log /var/log/auth.log || echo "Security alert triggered!"
```

## Tech stack

- **Python 3.8+**: standard library only (except `requests`, used for Telegram)
- **re**: regex-based log parsing
- **argparse**: CLI interface
- **logging**: structured log output
- **dataclasses**: clean data models
- **collections**: efficient counting and grouping

## Author

**Ihor Bezruchko**
IT Support Specialist | Junior SOC Analyst
Luxembourg
[LinkedIn](https://www.linkedin.com/in/ihor-bezruchko-31637a2b7/)
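The sliding-window brute-force check and the compromise check from the Detection logic section above, written out as a compact added example (not the project's own `parser.py`/`alerts.py` code). The auth.log lines are constructed, the log year is assumed to be 2026 because syslog omits it, and the second IP's failures are spread over days to show why a raw count would misfire where the window does not.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: one IP fails 3 times in 7 s then logs in; another fails 3 times over 3 days.
SAMPLE_LOG = """\
Mar  1 02:11:01 server sshd[3821]: Failed password for root from 185.234.218.45 port 40122 ssh2
Mar  1 02:11:04 server sshd[3822]: Failed password for invalid user admin from 185.234.218.45 port 40123 ssh2
Mar  1 02:11:08 server sshd[3823]: Failed password for root from 185.234.218.45 port 40124 ssh2
Mar  1 02:11:23 server sshd[3830]: Accepted password for deploy from 185.234.218.45 port 40130 ssh2
Mar  1 09:00:00 server sshd[4001]: Failed password for alice from 10.0.0.50 port 51000 ssh2
Mar  2 09:00:00 server sshd[4002]: Failed password for alice from 10.0.0.50 port 51001 ssh2
Mar  3 09:00:00 server sshd[4003]: Failed password for alice from 10.0.0.50 port 51002 ssh2
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<kind>Failed|Accepted)"
                     r" password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse(text, year=2026):
    """Yield (timestamp, kind, user, ip) for sshd password lines; the year is an assumption."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["kind"], m["user"], m["ip"]

def max_in_window(timestamps, window):
    """Largest number of events inside any span of `window` seconds (two-pointer sweep over sorted times)."""
    ts, best, left = sorted(timestamps), 0, 0
    for right in range(len(ts)):
        while (ts[right] - ts[left]).total_seconds() > window:
            left += 1
        best = max(best, right - left + 1)
    return best

def severity(count):
    return "CRITICAL" if count >= 20 else "HIGH" if count >= 15 else "MEDIUM"

def analyze(text, threshold=5, window=300):
    # Pass 1: brute-force alerts per IP from the densest window; pass 2: accepted logins from flagged IPs.
    failures, accepted = defaultdict(list), []
    for ts, kind, user, ip in parse(text):
        if kind == "Failed": failures[ip].append(ts)
        else: accepted.append((user, ip))
    alerts = []
    for ip, stamps in failures.items():
        peak = max_in_window(stamps, window)
        if peak >= threshold:
            alerts.append({"alert_type": "BRUTE_FORCE", "severity": severity(peak), "source_ip": ip, "count": peak})
    flagged = {a["source_ip"] for a in alerts}
    for user, ip in accepted:
        if ip in flagged:
            alerts.append({"alert_type": "SUCCESSFUL_LOGIN_FROM_ATTACKER", "severity": "CRITICAL",
                           "source_ip": ip, "username": user})
    return alerts
```

With the defaults (5 failures in 300 s) the sample triggers nothing; with `--threshold 3 --window 60` only the burst IP is flagged, and its later accepted login becomes the CRITICAL compromise alert.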