migrate to git.charlotte.sh

automation-sys320/week11/IOC.txt

@@ -0,0 +1,6 @@
+etc/passwd
+cmd=
+/bin/bash
+/bin/sh
+1=1#
+1=1--

automation-sys320/week11/access.txt

@@ -0,0 +1,81 @@
+10.0.17.12 - - [17/Nov/2024:09:41:57 -0500] "GET / HTTP/1.1" 200 481 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
+10.0.17.12 - - [17/Nov/2024:09:41:57 -0500] "GET /favicon.ico HTTP/1.1" 404 487 "http://10.0.17.8/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
+10.0.17.12 - - [17/Nov/2024:09:42:00 -0500] "GET /page1.html HTTP/1.1" 200 485 "http://10.0.17.8/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
+10.0.17.12 - - [17/Nov/2024:09:42:01 -0500] "GET /index.html HTTP/1.1" 200 480 "http://10.0.17.8/page1.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
+10.0.17.12 - - [17/Nov/2024:09:42:01 -0500] "GET /page2.html HTTP/1.1" 200 483 "http://10.0.17.8/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
+10.0.17.12 - - [17/Nov/2024:09:42:51 -0500] "-" 408 0 "-" "-"
+10.0.17.12 - - [17/Nov/2024:10:30:19 -0500] "GET /etc/passwd HTTP/1.1" 404 488 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
+10.0.17.12 - - [17/Nov/2024:10:30:22 -0500] "GET /etc/passwd HTTP/1.1" 404 487 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
+10.0.17.12 - - [17/Nov/2024:10:30:23 -0500] "GET /etc/passwd HTTP/1.1" 404 487 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
+10.0.17.12 - - [17/Nov/2024:10:30:31 -0500] "GET /1=1-- HTTP/1.1" 404 488 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
+10.0.17.12 - - [17/Nov/2024:10:30:32 -0500] "GET /1=1-- HTTP/1.1" 404 487 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
+10.0.17.12 - - [17/Nov/2024:10:30:43 -0500] "GET //bin/bash HTTP/1.1" 404 488 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
+10.0.17.8 - - [17/Nov/2024:10:30:55 -0500] "GET /cmd=ls HTTP/1.1" 404 488 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [17/Nov/2024:10:30:57 -0500] "GET /cmd=ls HTTP/1.1" 404 487 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.12 - - [17/Nov/2024:10:31:35 -0500] "-" 408 0 "-" "-"
+10.0.17.8 - - [04/Nov/2024:11:36:51 -0500] "GET / HTTP/1.1" 200 3460 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:36:51 -0500] "GET /icons/ubuntu-logo.png HTTP/1.1" 200 3607 "http://10.0.17.8/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:36:51 -0500] "GET /favicon.ico HTTP/1.1" 404 487 "http://10.0.17.8/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:37:42 -0500] "-" 408 0 "-" "-"
+10.0.17.8 - - [04/Nov/2024:11:43:51 -0500] "GET / HTTP/1.1" 200 478 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:43:51 -0500] "GET / HTTP/1.1" 200 477 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:43:53 -0500] "GET /page1.html HTTP/1.1" 200 478 "http://10.0.17.8/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:43:54 -0500] "GET /index.html HTTP/1.1" 200 477 "http://10.0.17.8/page1.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:43:55 -0500] "GET /page2.html HTTP/1.1" 200 478 "http://10.0.17.8/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:43:56 -0500] "GET /page2.html HTTP/1.1" 200 478 "http://10.0.17.8/page2.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:43:57 -0500] "GET /page2.html HTTP/1.1" 200 478 "http://10.0.17.8/page2.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:44:14 -0500] "GET /index.html HTTP/1.1" 200 478 "http://10.0.17.8/page2.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:44:15 -0500] "GET /page2.html HTTP/1.1" 200 479 "http://10.0.17.8/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:44:16 -0500] "GET /page1.html HTTP/1.1" 200 478 "http://10.0.17.8/page2.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:45:05 -0500] "-" 408 0 "-" "-"
+10.0.17.8 - - [04/Nov/2024:11:45:18 -0500] "GET /index.html HTTP/1.1" 200 481 "http://10.0.17.8/page1.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:45:19 -0500] "GET /page2.html HTTP/1.1" 200 483 "http://10.0.17.8/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:45:20 -0500] "GET /index.html HTTP/1.1" 200 480 "http://10.0.17.8/page2.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:45:21 -0500] "GET /page1.html HTTP/1.1" 200 483 "http://10.0.17.8/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:45:23 -0500] "GET /index.html HTTP/1.1" 200 480 "http://10.0.17.8/page2.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:45:24 -0500] "GET /page1.html HTTP/1.1" 200 483 "http://10.0.17.8/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:45:40 -0500] "GET /index.html HTTP/1.1" 200 481 "http://10.0.17.8/page1.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:45:41 -0500] "GET /page1.html HTTP/1.1" 200 484 "http://10.0.17.8/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:45:42 -0500] "GET /index.html HTTP/1.1" 200 480 "http://10.0.17.8/page1.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
+10.0.17.8 - - [04/Nov/2024:11:46:32 -0500] "-" 408 0 "-" "-"
+10.0.17.8 - - [04/Nov/2024:11:48:03 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:11:59:51 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"
+10.0.17.8 - - [04/Nov/2024:12:01:57 -0500] "GET / HTTP/1.1" 200 449 "-" "curl/7.81.0"

automation-sys320/week11/apacheLogMenu.bash

@@ -0,0 +1,115 @@
+#! /bin/bash
+
+#logFile="/var/log/apache2/access.log.1"
+logFile="access.txt"
+
+if [[ ! -f "${logFile}" ]]
+then
+    bash getLogs.bash
+fi
+
+function displayAllLogs(){
+	cat "$logFile"
+}
+
+function displayOnlyIPs(){
+    cat "$logFile" | cut -d ' ' -f 1 | sort -n | uniq -c
+}
+
+function displayOnlyPages(){
+    cat "$logFile" | cut -d ' ' -f 7 | sort -n | uniq -c
+}
+
+function frequentVisitors(){
+    histogram | awk '$1 > 10' #visits > 10
+}
+
+function suspiciousVisitors(){
+    cat "$logFile" | cut -d ' ' -f 1,7 | egrep -i -f IOC.txt | uniq -c
+}
+
+function histogram(){
+
+	local visitsPerDay=$(cat "$logFile" | cut -d " " -f 4,1 | tr -d '['  | sort \
+                              | uniq)
+	# This is for debugging, print here to see what it does to continue:
+	# echo "$visitsPerDay"
+
+        :> newtemp.txt  # what :> does is in slides
+	echo "$visitsPerDay" | while read -r line;
+	do
+		local withoutHours=$(echo "$line" | cut -d " " -f 2 \
+                                     | cut -d ":" -f 1)
+		local IP=$(echo "$line" | cut -d  " " -f 1)
+
+		local newLine="$IP $withoutHours"
+		echo "$IP $withoutHours" >> newtemp.txt
+	done
+	cat "newtemp.txt" | sort -n | uniq -c
+}
+
+# function: frequentVisitors:
+# Only display the IPs that have more than 10 visits
+# You can either call histogram and process the results,
+# Or make a whole new function. Do not forget to separate the
+# number and check with a condition whether it is greater than 10
+# the output should be almost identical to histogram
+# only with daily number of visits that are greater than 10
+
+# function: suspiciousVisitors
+# Manually make a list of indicators of attack (ioc.txt)
+# filter the records with this indicators of attack
+# only display the unique count of IP addresses.
+# Hint: there are examples in slides
+
+# Keep in mind that I have selected long way of doing things to
+# demonstrate loops, functions, etc. If you can do things simpler,
+# it is welcomed.
+
+while :
+do
+	echo "PLease select an option:"
+	echo "[1] Display all Logs"
+	echo "[2] Display only IPS"
+	echo "[3] Display only pages visited"
+	echo "[4] Histogram"
+	echo "[5] Frequent visitors"
+	echo "[6] Suspicious visitors"
+	echo "[7] Quit"
+
+	read userInput
+	echo ""
+
+	if [[ "$userInput" == "7" ]]; then
+		echo "Goodbye"
+		break
+
+	elif [[ "$userInput" == "1" ]]; then
+		echo "Displaying all logs:"
+		displayAllLogs
+
+	elif [[ "$userInput" == "2" ]]; then
+		echo "Displaying only IPS:"
+		displayOnlyIPs
+
+    elif [[ "$userInput" == "3" ]]; then
+	    echo "Displaying only pages visited:"
+        displayOnlyPages
+
+	elif [[ "$userInput" == "4" ]]; then
+		echo "Histogram:"
+		histogram
+
+    elif [[ "$userInput" == "5" ]]; then
+        echo "Displaying frequent visitors:"
+        frequentVisitors
+
+    elif [[ "$userInput" == "6" ]]; then
+        echo "Displaying suspicious visitors:"
+        suspiciousVisitors
+    else
+        echo "Invalid input [1-7 allowed]"
+        continue
+	fi
+done
+

automation-sys320/week11/getLogs.bash

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+logDir="/var/log/apache2/"
+allLogs=$(ls "${logDir}" | grep "access.log" | grep -v "other_vhosts")
+echo "${allLogs}"
+
+:> access.txt
+
+for i in ${allLogs}
+do
+    cat "${logDir}${i}" >> access.txt
+done
+
+

automation-sys320/week11/newtemp.txt

@@ -0,0 +1,38 @@
+10.0.17.12 17/Nov/2024
+10.0.17.12 17/Nov/2024
+10.0.17.12 17/Nov/2024
+10.0.17.12 17/Nov/2024
+10.0.17.12 17/Nov/2024
+10.0.17.12 17/Nov/2024
+10.0.17.12 17/Nov/2024
+10.0.17.12 17/Nov/2024
+10.0.17.12 17/Nov/2024
+10.0.17.12 17/Nov/2024
+10.0.17.12 17/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 04/Nov/2024
+10.0.17.8 17/Nov/2024
+10.0.17.8 17/Nov/2024