chore: initial commit of wgtool

2026-03-22 00:54:58 -07:00
commit f9529c6055
59 changed files with 6102 additions and 0 deletions
--- a/scripting/README.md
+++ b/scripting/README.md
@@ -0,0 +1,206 @@
+# NPM Log Analysis Tools
+
+High-performance security analysis tools for NPM (Nginx Proxy Manager) logs.
+
+## Overview
+
+This repository contains two versions of the NPM log analyzer:
+
+1. **Bash Version** (`npm-log-analyzer.sh`) - Interactive menu-driven tool
+2. **Go Version** (`npm-log-analyzer.go`) - High-performance command-line tool
+
+## Features
+
+### Security Pattern Detection
+- **Critical Attacks**: SQL injection, XSS, shell/RCE, webshell uploads
+- **High Priority**: Path traversal, WordPress hunting, backup harvesting
+- **Reconnaissance**: Robots.txt requests, vulnerability scanners, error spam
+- **Advanced**: SSRF, LFI/RFI, deserialization, template injection
+
+### Analysis Capabilities
+- Real-time log processing
+- IP address analysis and geolocation
+- Attack pattern counting and categorization
+- Comprehensive reporting
+- Performance optimization for large log files
+
+## Quick Start
+
+### Go Version (Recommended)
+```bash
+# Build and run
+make go
+
+# Or manually
+go build -o npm-log-analyzer-go npm-log-analyzer.go
+./npm-log-analyzer-go
+```
+
+### Bash Version
+```bash
+# Make executable and run
+chmod +x npm-log-analyzer.sh
+./npm-log-analyzer.sh
+```
+
+## Performance Comparison
+
+| Feature | Go Version | Bash Version |
+|---------|------------|--------------|
+| **Speed** | ~85 seconds for 260MB logs | ~2-3 minutes |
+| **Memory** | Efficient streaming | Higher memory usage |
+| **Features** | Command-line focused | Interactive menu |
+| **Dependencies** | Single binary | Requires bash, grep, etc. |
+| **Gzip Support** | ✅ Native | ❌ Limited |
+
+## Recent Analysis Results
+
+From the latest Go analysis (260MB of logs):
+
+### Critical Findings
+- **SQL Injection Attempts**: 378
+- **Shell/RCE Attempts**: 2,693
+- **Error Spam (404/403)**: 4,855
+
+### Top Attack Sources
+- **169.150.203.13**: 45,278 requests (suspicious high volume)
+- **135.181.143.221**: 9,229 requests
+- **97.120.203.58**: 3,405 requests
+
+### Analysis Statistics
+- **Processed Files**: 98
+- **Total Lines**: 105,568
+- **Unique IPs**: 959
+- **Duration**: ~85 seconds
+
+## Configuration
+
+### Log Directory
+Both tools expect NPM logs at: `/opt/stacks/npm/data/logs`
+
+### Output Directory
+Reports are saved to: `./npmlogs`
+
+### Attack Patterns
+Patterns are defined in the source code and can be customized:
+
+```go
+// Go version
+var AttackPatterns = map[string]string{
+    "sql_injection": `union|select|insert|drop|delete`,
+    "xss":          `<script|javascript:|onload=|onerror=`,
+    // ... more patterns
+}
+```
+
+```bash
+# Bash version
+declare -A ATTACK_PATTERNS=(
+    ["sql_injection"]="union|select|insert|drop|delete"
+    ["xss"]="<script|javascript:|onload=|onerror="
+    # ... more patterns
+)
+```
+
+## Usage Examples
+
+### Go Version
+```bash
+# Quick analysis
+./npm-log-analyzer-go
+
+# Build for different platforms
+GOOS=linux GOARCH=amd64 go build -o npm-analyzer-linux npm-log-analyzer.go
+```
+
+### Bash Version
+```bash
+# Interactive menu
+./npm-log-analyzer.sh
+
+# Quick analysis only
+echo "1" | ./npm-log-analyzer.sh
+```
+
+## Makefile Targets
+
+```bash
+make build-go      # Build Go version
+make run-go        # Build and run Go version
+make go            # Alias for run-go
+make run-bash      # Run Bash version
+make bash          # Alias for run-bash
+make benchmark     # Compare performance
+make clean         # Clean build artifacts
+make help          # Show all targets
+```
+
+## Requirements
+
+### Go Version
+- Go 1.16+ (for native gzip support)
+- No external dependencies
+
+### Bash Version
+- Bash 4.0+
+- grep, find, awk, curl
+- Read access to `/opt/stacks/npm/data/logs`
+
+## Security Considerations
+
+1. **Log Access**: Both tools require read access to NPM logs
+2. **Network Access**: IP geolocation requires internet access (optional)
+3. **File Permissions**: Output directories need write permissions
+4. **Large Files**: Processing 260MB+ logs requires sufficient memory
+
+## Troubleshooting
+
+### Common Issues
+
+**"Log directory not accessible"**
+```bash
+# Check if NPM is running
+ls -la /opt/stacks/npm/data/logs/
+
+# Check permissions
+sudo ls -la /opt/stacks/npm/data/logs/
+```
+
+**"No output generated"**
+- Large log files take time to process
+- Go version is much faster for large files
+- Check available memory and disk space
+
+**"Permission denied"**
+```bash
+# Make scripts executable
+chmod +x npm-log-analyzer.sh
+chmod +x npm-log-analyzer-go
+
+# Check output directory permissions
+mkdir -p ./npmlogs
+chmod 755 ./npmlogs
+```
+
+## Development
+
+### Adding New Patterns
+1. Edit the pattern definitions in the source code
+2. Test with sample log data
+3. Update documentation
+
+### Performance Optimization
+- Go version uses buffered I/O and streaming
+- Bash version uses grep with timeouts
+- Both versions filter internal IPs automatically
+
+## License
+
+This project is open source. Feel free to modify and distribute.
+
+## Contributing
+
+1. Test both versions with your log data
+2. Report any issues or performance problems
+3. Suggest new attack patterns or features
+4. Submit pull requests for improvements