Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

mukul975/analyzing-web-server-logs-for-intrusion

Name: analyzing-web-server-logs-for-intrusion
Author: mukul975

skills/analyzing-web-server-logs-for-intrusion/SKILL.md

npx skillsauth add mukul975/cyber-skills analyzing-web-server-logs-for-intrusion

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Analyzing Web Server Logs for Intrusion

When to Use

When investigating security incidents that require analyzing web server logs for intrusion
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Instructions

Install dependencies: pip install geoip2 user-agents
Collect web server access logs in Combined Log Format (Apache) or Nginx default format.
Parse each log entry extracting: IP, timestamp, method, URI, status code, response size, user-agent, referer.
Apply detection rules:
- SQL injection: UNION SELECT, OR 1=1, ' OR ', hex encoding patterns
- LFI/Path traversal: ../, /etc/passwd, /proc/self, php://filter
- XSS: <script>, javascript:, onerror=, onload=
- Scanner signatures: nikto, sqlmap, dirbuster, gobuster, wfuzz user-agents
- Brute force: >50 POST requests to login endpoints from same IP in 5 minutes
Enrich with GeoIP data and generate a prioritized findings report.

python scripts/agent.py --log-file /var/log/nginx/access.log --geoip-db GeoLite2-City.mmdb --output web_intrusion_report.json

Examples

Detect SQLi in URI

192.168.1.100 - - [15/Jan/2024:10:30:45 +0000] "GET /products?id=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 4532

Scanner User-Agent Detection

Nikto/2.1.6, sqlmap/1.7, DirBuster-1.0-RC1, gobuster/3.1.0

mukul975/analyzing-web-server-logs-for-intrusion

skills/analyzing-web-server-logs-for-intrusion/SKILL.md

Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.

12,656 stars

development

Updated May 31, 2026

$ install --global

skillsauth

npx skillsauth add mukul975/cyber-skills analyzing-web-server-logs-for-intrusion

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 4, 2026, 4:02 AM149.5s3 files scanned

SKILL.md

name:: analyzing-web-server-logs-for-intrusion
description:: Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal,
domain:: cybersecurity
subdomain:: security-operations
version:: 1.0
author:: mahipal
license:: Apache-2.0

Analyzing Web Server Logs for Intrusion

When to Use

When investigating security incidents that require analyzing web server logs for intrusion
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Instructions

Install dependencies: pip install geoip2 user-agents
Collect web server access logs in Combined Log Format (Apache) or Nginx default format.
Parse each log entry extracting: IP, timestamp, method, URI, status code, response size, user-agent, referer.
Apply detection rules:
- SQL injection: UNION SELECT, OR 1=1, ' OR ', hex encoding patterns
- LFI/Path traversal: ../, /etc/passwd, /proc/self, php://filter
- XSS: <script>, javascript:, onerror=, onload=
- Scanner signatures: nikto, sqlmap, dirbuster, gobuster, wfuzz user-agents
- Brute force: >50 POST requests to login endpoints from same IP in 5 minutes
Enrich with GeoIP data and generate a prioritized findings report.

python scripts/agent.py --log-file /var/log/nginx/access.log --geoip-db GeoLite2-City.mmdb --output web_intrusion_report.json

Examples

Detect SQLi in URI

192.168.1.100 - - [15/Jan/2024:10:30:45 +0000] "GET /products?id=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 4532

Scanner User-Agent Detection

Nikto/2.1.6, sqlmap/1.7, DirBuster-1.0-RC1, gobuster/3.1.0

Related Skills

mukul975/acquiring-disk-image-with-dd-and-dcfldd

content-media

VerifiedTrustedCommunity

Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.

13,651SKILL.mdUpdated Apr 16, 2026

mukul975/acquiring-disk-image-with-dd-and-dcfldd

mukul975/building-phishing-reporting-button-workflow

tools

VerifiedTrustedCommunity

Implement a phishing report button in email clients with automated triage workflow that analyzes user-reported suspicious emails and provides feedback to reporters.

12,656SKILL.mdUpdated May 31, 2026

mukul975/building-phishing-reporting-button-workflow

mukul975/building-patch-tuesday-response-process

development

VerifiedTrustedCommunity

Establish a structured operational process to triage, test, and deploy Microsoft Patch Tuesday security updates within risk-based remediation SLAs.

12,656SKILL.mdUpdated May 31, 2026

mukul975/building-patch-tuesday-response-process

mukul975/building-malware-incident-communication-template

development

VerifiedTrustedCommunity

Build structured communication templates for malware incidents including stakeholder notifications, executive briefings, technical advisories, and regulatory disclosures with severity-based escalation procedures.

12,656SKILL.mdUpdated May 31, 2026

mukul975/building-malware-incident-communication-template

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/mukul975/cyber-skills.git

# Copy into Claude Code skills folder (global)
cp -r cyber-skills/skills/analyzing-web-server-logs-for-intrusion ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

mukul975/cyber-skills

12,656 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT