I wrote up a quick after action report with details about the little DoS attack that hit us. I figure that it may be handy for others to know about it. For the full report see http://isc.sans.org/presentations/jan4ddos.pdf
I mention in the report that simple shell scripts are helpful to quickly get a look at your logs while under attack. So here for the appsec streetfighters out there, some of the shell scripts I keep around to summarize my logs in a case like that:
Most recent top referrers. Defaults to the last 10000 lines, but you can override that via a command line parameter.
#!/bin/bash
# Most recent referrers, our own sites excluded.
# Usage: top_referrers.sh [lines]  (defaults to the last 10000 lines)
r=$1
if [[ $r -lt 1 ]]; then
  r=10000
fi
tail -n "$r" access_log | cut -f4 -d'"' \
  | egrep -v 'http[s]?:\/\/isc[12]?\.sans\.org' \
  | grep -v 'http:\/\/www.dshield.org\/' | sort | uniq -c | sort -n
Top hosts accessing the site:
#!/bin/bash
# Top client hosts in the most recent lines (field 1 of the combined format).
# Usage: top_hosts.sh [lines]  (defaults to the last 10000 lines)
r=$1
if [[ $r -lt 1 ]]; then
  r=10000
fi
tail -n "$r" access_log | cut -f1 -d' ' \
  | sort | uniq -c | sort -n
The top URLs accessed on the site
#!/bin/bash
# Top request lines; the request is the 2nd field when splitting on '"'.
# Usage: top_urls.sh [lines]  (defaults to the last 10000 lines)
r=$1
if [[ $r -lt 1 ]]; then
  r=10000
fi
tail -n "$r" access_log | cut -f2 -d'"' \
  | sort | uniq -c | sort -n
and finally, the top user agents
#!/bin/bash
# Top user agents; the agent is the 6th field when splitting on '"'.
# Usage: top_agents.sh [lines]  (defaults to the last 10000 lines)
r=$1
if [[ $r -lt 1 ]]; then
  r=10000
fi
tail -n "$r" access_log | cut -f6 -d'"' | sort | uniq -c | sort -n
Nothing magic here. Just some simple functional shell scripts that have proven themselves many times before. I am using a slightly customized "combined" log format in Apache. The column numbers may differ for your install. You will have to replace 'access_log' with the file name for your log.
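To show the four summaries working together against a concrete log, here is an added example (my own code, not the diary's scripts) that folds them into shell functions and runs them over a handful of constructed combined-format log lines, so it works without a real access_log. It assumes the stock Apache combined format and uses www.example.org as a placeholder for your own site's hostname; the noisy_hosts helper, which lists clients exceeding a request count in the window, is an addition of mine and not in the original scripts.

```shell
#!/bin/sh
# Added example: the diary's four summaries as reusable functions, run over a
# constructed Apache "combined" log so the whole thing works offline.
# Assumption: www.example.org stands in for your own site's hostname.

LOG="${TMPDIR:-/tmp}/sample_access_log.$$"
trap 'rm -f "$LOG"' EXIT

# Constructed sample traffic (not real log data): two browsers and one script
# that hits the search page five times in a row.
cat > "$LOG" <<'EOF'
203.0.113.5 - - [04/Jan/2011:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "http://news.example.net/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
203.0.113.5 - - [04/Jan/2011:10:00:03 +0000] "GET /diary.html HTTP/1.1" 200 2048 "http://www.example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
192.0.2.10 - - [04/Jan/2011:10:00:05 +0000] "GET /diary.html HTTP/1.1" 200 2048 "http://news.example.net/" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
198.51.100.7 - - [04/Jan/2011:10:00:06 +0000] "GET /search?q=test HTTP/1.1" 200 4096 "-" "Python-urllib/2.6"
198.51.100.7 - - [04/Jan/2011:10:00:06 +0000] "GET /search?q=test HTTP/1.1" 200 4096 "-" "Python-urllib/2.6"
198.51.100.7 - - [04/Jan/2011:10:00:07 +0000] "GET /search?q=test HTTP/1.1" 200 4096 "-" "Python-urllib/2.6"
198.51.100.7 - - [04/Jan/2011:10:00:07 +0000] "GET /search?q=test HTTP/1.1" 200 4096 "-" "Python-urllib/2.6"
198.51.100.7 - - [04/Jan/2011:10:00:08 +0000] "GET /search?q=test HTTP/1.1" 200 4096 "-" "Python-urllib/2.6"
EOF

# Core of every script in the diary: take the last N lines, pull one field,
# count distinct values, busiest value last.
#   $1 = log file, $2 = number of recent lines, $3 = cut delimiter, $4 = field number
summarize() {
  tail -n "$2" "$1" | cut -d"$3" -f"$4" | sort | uniq -c | sort -n
}

# Field numbers assume the stock combined format:
#   host ident user [time] "request" status bytes "referrer" "user-agent"
# Splitting on '"' makes the request field 2, the referrer 4 and the agent 6.
top_hosts()    { summarize "$1" "${2:-10000}" ' ' 1; }
top_requests() { summarize "$1" "${2:-10000}" '"' 2; }
top_agents()   { summarize "$1" "${2:-10000}" '"' 6; }

# Referrers from our own pages are normal and only bury the interesting ones,
# so drop them before counting, as the diary's script does for its own hosts.
OWN_SITE='^https?://(www\.)?example\.org/'
top_referrers() {
  tail -n "${2:-10000}" "$1" | cut -d'"' -f4 | grep -Ev "$OWN_SITE" \
    | sort | uniq -c | sort -n
}

# The single busiest entry as "count value", with uniq's padding squeezed out.
# Usage: busiest top_hosts access_log 10000
busiest() {
  "$@" | tail -n 1 | awk '{ $1 = $1; print }'
}

# Triage helper: hosts that made more than $3 requests within the window.
# A short list like this is what you hand to a firewall rule or look at next.
noisy_hosts() {
  top_hosts "$1" "$2" | awk -v max="$3" '$1 > max { print $2 }'
}

# Stand-alone run: print the four summaries over the sample log.
for view in top_hosts top_requests top_referrers top_agents; do
  echo "== $view =="
  "$view" "$LOG" 10000
done
echo "== hosts with more than 3 requests =="
noisy_hosts "$LOG" 10000 3
```

Point the functions at your real log (and adjust the field numbers if your LogFormat differs) and the output matches the diary's scripts line for line; the second argument is the same "last N lines" window, so `top_hosts access_log 500` looks only at what happened in the last few seconds of a flood.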