wgtool/scripting/README.md
2026-03-22 00:54:58 -07:00

# NPM Log Analysis Tools
High-performance security analysis tools for NPM (Nginx Proxy Manager) logs.
## Overview
This repository contains two versions of the NPM log analyzer:
1. **Bash Version** (`npm-log-analyzer.sh`) - Interactive menu-driven tool
2. **Go Version** (`npm-log-analyzer.go`) - High-performance command-line tool
## Features
### Security Pattern Detection
- **Critical Attacks**: SQL injection, XSS, shell/RCE, webshell uploads
- **High Priority**: Path traversal, WordPress hunting, backup harvesting
- **Reconnaissance**: Robots.txt requests, vulnerability scanners, error spam
- **Advanced**: SSRF, LFI/RFI, deserialization, template injection
### Analysis Capabilities
- Real-time log processing
- IP address analysis and geolocation
- Attack pattern counting and categorization
- Comprehensive reporting
- Performance optimization for large log files
## Quick Start
### Go Version (Recommended)
```bash
# Build and run
make go
# Or manually
go build -o npm-log-analyzer-go npm-log-analyzer.go
./npm-log-analyzer-go
```
### Bash Version
```bash
# Make executable and run
chmod +x npm-log-analyzer.sh
./npm-log-analyzer.sh
```
## Performance Comparison
| Feature | Go Version | Bash Version |
|---------|------------|--------------|
| **Speed** | ~85 seconds for 260MB logs | ~2-3 minutes |
| **Memory** | Efficient streaming | Higher memory usage |
| **Features** | Command-line focused | Interactive menu |
| **Dependencies** | Single binary | Requires bash, grep, etc. |
| **Gzip Support** | ✅ Native | ❌ Limited |
## Recent Analysis Results
From the latest Go analysis (260MB of logs):
### Critical Findings
- **SQL Injection Attempts**: 378
- **Shell/RCE Attempts**: 2,693
- **Error Spam (404/403)**: 4,855
### Top Attack Sources
- **169.150.203.13**: 45,278 requests (suspiciously high volume)
- **135.181.143.221**: 9,229 requests
- **97.120.203.58**: 3,405 requests
### Analysis Statistics
- **Processed Files**: 98
- **Total Lines**: 105,568
- **Unique IPs**: 959
- **Duration**: ~85 seconds
## Configuration
### Log Directory
Both tools expect NPM logs at: `/opt/stacks/npm/data/logs`
### Output Directory
Reports are saved to: `./npmlogs`
### Attack Patterns
Patterns are defined in the source code and can be customized:
```go
// Go version
var AttackPatterns = map[string]string{
	"sql_injection": `union|select|insert|drop|delete`,
	"xss":           `<script|javascript:|onload=|onerror=`,
	// ... more patterns
}
```
```bash
# Bash version
declare -A ATTACK_PATTERNS=(
    ["sql_injection"]="union|select|insert|drop|delete"
    ["xss"]="<script|javascript:|onload=|onerror="
    # ... more patterns
)
```
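The snippets above show the project's own pattern tables. As an added example, not code from this repository, the following Go program shows what a pattern table turns into once it is compiled and applied: a hypothetical rule set with a severity per category, a parser for NPM's proxy-host access log format (assumed here; the client address is taken from the `[Client <ip>]` field), and one pass that counts hits per category and requests per client over constructed sample lines. Two points worth noting when customizing patterns: the rules here carry `(?i)`, so case variants of `union select` are caught, and matching is restricted to the request URI, because user-agent and referer strings routinely contain words like `select` and would inflate the counts if the whole line were scanned.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule is one detection pattern: a category name, a severity label and a
// compiled regex. This rule set is hypothetical, not the project's own; every
// regex carries (?i) so "UNION SELECT" and "union select" count the same.
type Rule struct {
	Name     string
	Severity string
	Re       *regexp.Regexp
}

var Rules = []Rule{
	{"sql_injection", "critical", regexp.MustCompile(`(?i)(union(\s|\+|%20)+(all(\s|\+|%20)+)?select|sleep\(\d+\)|benchmark\()`)},
	{"xss", "critical", regexp.MustCompile(`(?i)(<script|%3cscript|javascript:|on(load|error)=)`)},
	{"path_traversal", "high", regexp.MustCompile(`(?i)(\.\./|\.\.%2f|%2e%2e(/|%2f))`)},
	{"wordpress_hunting", "high", regexp.MustCompile(`(?i)/(wp-login\.php|xmlrpc\.php|wp-admin)`)},
	{"backup_harvesting", "high", regexp.MustCompile(`(?i)\.(bak|old|sql|zip|tar\.gz)(\?|$)`)},
	{"robots_txt", "recon", regexp.MustCompile(`^/robots\.txt`)},
}

// lineRe parses NPM's proxy-host access log format (assumed here):
// [time] cache upstream status - METHOD scheme host "uri" [Client ip] ...
var lineRe = regexp.MustCompile(`^\[[^\]]+\] \S+ \S+ (\d{3}) - (\S+) \S+ (\S+) "([^"]*)" \[Client ([^\]]+)\]`)

// Event is the subset of a log line the analysis needs.
type Event struct {
	Status, Method, Host, URI, Client string
}

// ParseLine extracts an Event; the bool is false for lines in another format.
func ParseLine(line string) (Event, bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	return Event{Status: m[1], Method: m[2], Host: m[3], URI: m[4], Client: m[5]}, true
}

// Classify returns the names of every rule the request URI matches, in rule
// order. Only the URI is examined: user-agent and referer fields routinely
// contain words such as "select" and would otherwise inflate the counts.
func Classify(uri string) []string {
	var hits []string
	for _, r := range Rules {
		if r.Re.MatchString(uri) {
			hits = append(hits, r.Name)
		}
	}
	return hits
}

// Report aggregates one pass over the log lines.
type Report struct {
	Categories map[string]int // hits per rule name
	PerIP      map[string]int // requests per client address
	Unparsed   int            // lines that did not match lineRe
}

// Analyze runs every line through ParseLine and Classify.
func Analyze(lines []string) Report {
	rep := Report{Categories: map[string]int{}, PerIP: map[string]int{}}
	for _, line := range lines {
		ev, ok := ParseLine(line)
		if !ok {
			rep.Unparsed++
			continue
		}
		rep.PerIP[ev.Client]++
		for _, name := range Classify(ev.URI) {
			rep.Categories[name]++
		}
	}
	return rep
}

// SampleLines are constructed for this example; the addresses come from the
// RFC 5737 documentation ranges. The last line is deliberately malformed.
var SampleLines = []string{
	`[22/Mar/2026:00:10:01 -0700] - 200 200 - GET https shop.example.com "/products.php?id=1%20UNION%20SELECT%20password%20FROM%20users" [Client 203.0.113.5] [Length 512] [Gzip -] [Sent-to 10.0.0.2] "curl/8.0" "-"`,
	`[22/Mar/2026:00:10:02 -0700] - 200 200 - GET https shop.example.com "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E" [Client 198.51.100.7] [Length 2048] [Gzip -] [Sent-to 10.0.0.2] "Mozilla/5.0" "-"`,
	`[22/Mar/2026:00:10:05 -0700] - 403 403 - GET https shop.example.com "/static/../../../etc/passwd" [Client 203.0.113.5] [Length 153] [Gzip -] [Sent-to 10.0.0.2] "curl/8.0" "-"`,
	`[22/Mar/2026:00:10:09 -0700] - 404 404 - GET https shop.example.com "/wp-login.php" [Client 192.0.2.44] [Length 153] [Gzip -] [Sent-to 10.0.0.2] "python-requests/2.31" "-"`,
	`[22/Mar/2026:00:10:10 -0700] - 200 200 - GET https shop.example.com "/robots.txt" [Client 192.0.2.44] [Length 26] [Gzip -] [Sent-to 10.0.0.2] "python-requests/2.31" "-"`,
	`[22/Mar/2026:00:10:12 -0700] - 200 200 - GET https shop.example.com "/index.html" [Client 198.51.100.7] [Length 9120] [Gzip 3.1] [Sent-to 10.0.0.2] "Mozilla/5.0 (compatible; select-bot/1.0)" "-"`,
	`this line is not in NPM format`,
}

func main() {
	rep := Analyze(SampleLines)
	fmt.Println("hits per category:", rep.Categories) // fmt prints map keys sorted
	fmt.Println("requests per client:", rep.PerIP, "unparsed:", rep.Unparsed)
}
```

The sixth sample line is benign but carries `select` in its user-agent; because `Classify` only sees the URI it produces no hit, which is the behaviour to preserve when adding patterns of your own.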
## Usage Examples
### Go Version
```bash
# Quick analysis
./npm-log-analyzer-go
# Build for different platforms
GOOS=linux GOARCH=amd64 go build -o npm-analyzer-linux npm-log-analyzer.go
```
### Bash Version
```bash
# Interactive menu
./npm-log-analyzer.sh
# Quick analysis only
echo "1" | ./npm-log-analyzer.sh
```
## Makefile Targets
```bash
make build-go # Build Go version
make run-go # Build and run Go version
make go # Alias for run-go
make run-bash # Run Bash version
make bash # Alias for run-bash
make benchmark # Compare performance
make clean # Clean build artifacts
make help # Show all targets
```
## Requirements
### Go Version
- Go 1.16+ (for native gzip support)
- No external dependencies
### Bash Version
- Bash 4.0+
- grep, find, awk, curl
- Read access to `/opt/stacks/npm/data/logs`
## Security Considerations
1. **Log Access**: Both tools require read access to NPM logs
2. **Network Access**: IP geolocation requires internet access (optional)
3. **File Permissions**: Output directories need write permissions
4. **Large Files**: Processing 260MB+ logs requires sufficient memory
## Troubleshooting
### Common Issues
**"Log directory not accessible"**
```bash
# Check if NPM is running
ls -la /opt/stacks/npm/data/logs/
# Check permissions
sudo ls -la /opt/stacks/npm/data/logs/
```
**"No output generated"**
- Large log files take time to process
- Go version is much faster for large files
- Check available memory and disk space
**"Permission denied"**
```bash
# Make scripts executable
chmod +x npm-log-analyzer.sh
chmod +x npm-log-analyzer-go
# Check output directory permissions
mkdir -p ./npmlogs
chmod 755 ./npmlogs
```
## Development
### Adding New Patterns
1. Edit the pattern definitions in the source code
2. Test with sample log data
3. Update documentation
### Performance Optimization
- Go version uses buffered I/O and streaming
- Bash version uses grep with timeouts
- Both versions filter internal IPs automatically
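As an added example, not the project's code, this Go program shows the two techniques listed above in working form: streaming a plain or gzip-compressed log through a `bufio.Scanner` with a bounded buffer instead of reading the file whole, and dropping requests from internal ranges before counting. The `[Client <ip>]` field layout and the sample log are assumptions constructed for the example; `net.IP.IsPrivate` requires Go 1.17 or newer.

```go
package main

import (
	"bufio"
	"compress/gzip"
	"fmt"
	"io"
	"net"
	"os"
	"regexp"
	"strings"
)

// IsInternal reports whether addr is private (RFC 1918 / ULA), loopback, link-local
// or unspecified; such requests (health checks, container-to-container calls) are skipped.
func IsInternal(addr string) bool {
	ip := net.ParseIP(addr)
	if ip == nil {
		return false // unparseable: keep it visible rather than silently drop it
	}
	return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// OpenLog opens a log file for streaming reads; a ".gz" file is decompressed
// on the fly, so a rotated archive never has to be expanded on disk or in RAM.
// The returned Closer closes the file (gzip.Reader leaves that to the caller).
func OpenLog(path string) (io.Reader, io.Closer, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, nil, err
	}
	if !strings.HasSuffix(path, ".gz") {
		return f, f, nil
	}
	zr, err := gzip.NewReader(f)
	if err != nil {
		f.Close()
		return nil, nil, err
	}
	return zr, f, nil
}

// clientRe pulls the client address out of NPM's "[Client ip]" field (assumed format).
var clientRe = regexp.MustCompile(`\[Client ([^\]]+)\]`)

// CountExternalClients streams r one line at a time through a bounded buffer
// and counts requests per external client; skipped is the internal-IP line count.
func CountExternalClients(r io.Reader) (counts map[string]int, skipped int, err error) {
	counts = map[string]int{}
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // tolerate very long request lines
	for sc.Scan() {
		m := clientRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not an NPM proxy-host line
		}
		if IsInternal(m[1]) {
			skipped++
			continue
		}
		counts[m[1]]++
	}
	return counts, skipped, sc.Err()
}

// SampleLog is constructed for this example: RFC 5737 external clients plus three internal lines.
const SampleLog = `[22/Mar/2026:01:00:00 -0700] - 200 200 - GET https app.example.com "/" [Client 203.0.113.5] [Length 10] [Gzip -] [Sent-to 10.0.0.2] "curl/8.0" "-"
[22/Mar/2026:01:00:01 -0700] - 200 200 - GET http app.example.com "/healthz" [Client 10.0.0.7] [Length 2] [Gzip -] [Sent-to 10.0.0.2] "kube-probe/1.29" "-"
[22/Mar/2026:01:00:02 -0700] - 404 404 - GET https app.example.com "/admin" [Client 203.0.113.5] [Length 153] [Gzip -] [Sent-to 10.0.0.2] "curl/8.0" "-"
[22/Mar/2026:01:00:03 -0700] - 200 200 - GET http localhost "/" [Client 127.0.0.1] [Length 10] [Gzip -] [Sent-to 10.0.0.2] "curl/8.0" "-"
[22/Mar/2026:01:00:04 -0700] - 200 200 - GET https app.example.com "/login" [Client 198.51.100.7] [Length 800] [Gzip 2.4] [Sent-to 10.0.0.2] "Mozilla/5.0" "-"
[22/Mar/2026:01:00:05 -0700] - 200 200 - GET https app.example.com "/" [Client 192.168.1.20] [Length 10] [Gzip -] [Sent-to 10.0.0.2] "Mozilla/5.0" "-"
`

// WriteSampleGzip stores SampleLog gzip-compressed at path, as logrotate leaves rotated logs.
func WriteSampleGzip(path string) error {
	f, err := os.Create(path)
	if err != nil {
		return err
	}
	defer f.Close()
	zw := gzip.NewWriter(f)
	if _, err := zw.Write([]byte(SampleLog)); err != nil {
		return err
	}
	return zw.Close()
}

func main() {
	var r io.Reader = strings.NewReader(SampleLog) // built-in sample when no path is given
	if len(os.Args) > 1 {
		f, closer, err := OpenLog(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		defer closer.Close()
		r = f
	}
	counts, skipped, err := CountExternalClients(r)
	fmt.Println("external clients:", counts, "internal skipped:", skipped, "err:", err)
}
```

Run it with a path argument (`./analyzer /opt/stacks/npm/data/logs/proxy-host-1_access.log.gz`, for instance) to stream a real rotated log; memory stays bounded by the scanner buffer rather than growing with the file, which is what makes the streaming approach suitable for the 260MB runs described above.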
## License
This project is open source. Feel free to modify and distribute.
## Contributing
1. Test both versions with your log data
2. Report any issues or performance problems
3. Suggest new attack patterns or features
4. Submit pull requests for improvements