{"id":29194622,"url":"https://github.com/aditya8raj/cybersec-log-analyzer","last_synced_at":"2025-07-02T04:05:51.865Z","repository":{"id":301973984,"uuid":"1010824679","full_name":"aditya8Raj/cybersec-log-analyzer","owner":"aditya8Raj","description":"A comprehensive Python tool for SOC analysts to detect suspicious activities in system logs.  Features brute-force detection, SSH analysis, threat assessment, and professional reporting.  No external dependencies, production-ready, with full test coverage.","archived":false,"fork":false,"pushed_at":"2025-06-29T22:03:13.000Z","size":0,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-06-29T22:34:09.492Z","etag":null,"topics":["brute-force-detection","cybersecurity","log-analysis","python","security-monitoring","soc-tools","ssh-analysis"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aditya8Raj.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-29T21:49:38.000Z","updated_at":"2025-06-29T22:03:16.000Z","dependencies_parsed_at":"2025-06-29T22:34:12.293Z","dependency_job_id":"e8731c11-0bf4-46ec-b9f8-ff53ba3e7415","html_url":"https://github.com/aditya8Raj/cybersec-log-analyzer","commit_stats":null,"previous_names":["aditya8raj/cybersec-log-analyzer"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/aditya8Raj/cybersec-log-analyzer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aditya8Raj%2Fcybersec-log-analyzer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aditya8Raj%2Fcybersec-log-analyzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aditya8Raj%2Fcybersec-log-analyzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aditya8Raj%2Fcybersec-log-analyzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aditya8Raj","download_url":"https://codeload.github.com/aditya8Raj/cybersec-log-analyzer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aditya8Raj%2Fcybersec-log-analyzer/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263072012,"owners_count":23409260,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brute-force-detection","cybersecurity","log-analysis","python","security-monitoring","soc-tools","ssh-analysis"],"created_at":"2025-07-02T04:05:50.548Z","updated_at":"2025-07-02T04:05:51.855Z","avatar_url":"https://github.com/aditya8Raj.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🔒 Log Analyzer Tool for SOC Analysts\n\nA comprehensive Python-based tool designed for Security Operations Center (SOC) analysts to detect and analyze suspicious activities in system logs, particularly SSH authentication logs.\n\n## 🎯 Features\n\n- **Brute-Force Detection**: Automatically identifies IP addresses with multiple failed login attempts\n- **Failed SSH Login Analysis**: Parses and analyzes SSH authentication failures\n- **Root Login Monitoring**: Tracks unauthorized root access attempts\n- **Successful Login Tracking**: Monitors legitimate authentication events\n- **IP Reputation Analysis**: Provides threat level assessment for each IP address\n- **Multiple Export Formats**: Export results to CSV or JSON for further analysis\n- **Command-Line Interface**: Easy-to-use CLI with multiple options\n- **Modular Design**: Clean, maintainable code structure with separate utility functions\n\n## 📁 Project Structure\n\n```\ncybersec_project/\n├── logs/\n│   └── auth.log              # Sample log file\n├── analyzer.py               # Main analysis script\n├── utils.py                  # Utility functions\n├── README.md                 # This file\n└── requirements.txt          # Dependencies (optional)\n```\n\n## 🚀 Quick Start\n\n### Basic Usage\n\n```bash\n# Analyze log file with default settings\npython analyzer.py logs/auth.log\n\n# Custom brute-force threshold (default is 5)\npython analyzer.py logs/auth.log --threshold 10\n\n# Export results to CSV\npython analyzer.py logs/auth.log --export csv\n\n# Export results to JSON with custom filename\npython analyzer.py logs/auth.log --export json --output security_report.json\n```\n\n### Advanced Usage\n\n```bash\n# Show top 10 attacking IPs\npython analyzer.py logs/auth.log --top-attackers 10\n\n# Check reputation for specific IP\npython analyzer.py logs/auth.log --check-ip 192.168.1.10\n\n# Quiet mode (minimal output)\npython analyzer.py logs/auth.log --quiet --export csv\n```\n\n## 🔧 Command-Line Options\n\n| Option            | Description                     | Example                |\n| ----------------- | ------------------------------- | ---------------------- |\n| `log_file`        | Path to log file (required)     | `logs/auth.log`        |\n| `--threshold, -t` | Brute-force detection threshold | `--threshold 10`       |\n| `--export, -e`    | Export format (csv/json)        | `--export csv`         |\n| `--output, -o`    | Output file path                | `--output results.csv` |\n| `--top-attackers` | Show top N attacking IPs        | `--top-attackers 5`    |\n| `--check-ip`      | Check specific IP reputation    | `--check-ip 1.2.3.4`   |\n| `--quiet, -q`     | Suppress detailed output        | `--quiet`              |\n\n## 📊 Sample Output\n\n```\n🔒 Log Analyzer Tool for SOC Analysts\n==================================================\n📂 Loading log file: logs/auth.log\n✅ Successfully loaded 30 log entries\n🔍 Analyzing logs for suspicious activities...\n✅ Log analysis completed successfully!\n\n============================================================\n          LOG ANALYSIS SECURITY REPORT\n============================================================\n\n📊 OVERVIEW:\nTotal log entries processed: 30\nTotal failed login attempts: 23\nTotal successful logins: 3\nUnique IP addresses: 6\n\n🚨 BRUTE FORCE ATTACKS DETECTED:\n   • 192.168.1.10 → 8 failed attempts ❌\n   • 10.0.0.15 → 7 failed attempts ❌\n   • 45.33.32.156 → 7 failed attempts ❌\n\nTotal brute-force IPs: 3\n\n⚠️  ROOT LOGIN ATTEMPTS:\n   • 192.168.1.10 → 1 root login attempts\n   • 203.0.113.50 → 3 root login attempts\n\n🔍 TOP ATTACKING IPs:\n   • 192.168.1.10 → 8 attempts (🚨 BRUTE FORCE)\n   • 10.0.0.15 → 7 attempts (🚨 BRUTE FORCE)\n   • 45.33.32.156 → 7 attempts (🚨 BRUTE FORCE)\n   • 203.0.113.50 → 3 attempts (⚠️  SUSPICIOUS)\n   • 198.51.100.10 → 2 attempts (⚠️  SUSPICIOUS)\n\n✅ SUCCESSFUL LOGINS:\n   • 10.0.0.5 → Users: john\n   • 192.168.1.100 → Users: alice\n   • 172.16.0.10 → Users: bob\n\n============================================================\nReport generated on: 2025-06-30 15:30:45\n============================================================\n```\n\n## 🔍 Detection Capabilities\n\n### 1. Failed Login Detection\n\n- Identifies patterns like \"Failed password\"\n- Detects \"Invalid user\" attempts\n- Tracks authentication failures\n\n### 2. Brute-Force Attack Detection\n\n- Configurable threshold (default: 5 failed attempts)\n- IP-based attack pattern recognition\n- Threat level assessment\n\n### 3. Root Access Monitoring\n\n- Tracks root login attempts\n- Identifies privilege escalation attempts\n- Flags unauthorized administrative access\n\n### 4. Successful Login Tracking\n\n- Monitors legitimate authentications\n- Tracks user activity patterns\n- Correlates with failed attempts\n\n## 📈 Threat Level Classification\n\n| Level        | Criteria                            | Description                                        |\n| ------------ | ----------------------------------- | -------------------------------------------------- |\n| **CRITICAL** | Brute-force + Root attempts         | High-priority threat requiring immediate attention |\n| **HIGH**     | Brute-force attacks                 | Sustained attack pattern detected                  |\n| **MEDIUM**   | 3+ failed attempts OR root attempts | Suspicious activity requiring monitoring           |\n| **LOW**      | Minimal failed attempts             | Normal or low-risk activity                        |\n\n## 💾 Export Formats\n\n### CSV Export\n\nContains columns:\n\n- IP Address\n- Failed Attempts\n- Is Brute Force\n- Root Attempts\n- Successful Logins\n\n### JSON Export\n\nStructured format with:\n\n- Summary statistics\n- Detailed IP analysis\n- Timestamp information\n- Raw data for integration\n\n## 🛠️ Technical Details\n\n### Log Format Support\n\nCurrently supports standard syslog format for SSH authentication:\n\n```\nJun 29 10:34:00 ubuntu sshd[1999]: Failed password for invalid user root from 192.168.1.10 port 445 ssh2\n```\n\n### Regex Patterns\n\n- **IP Address**: `\\b(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\\b`\n- **Failed Login**: `Failed password|Invalid user|authentication failure`\n- **Successful Login**: `Accepted password|session opened`\n- **Username**: `for (?:invalid user )?(\\w+)`\n\n## 🧪 Testing\n\nTest the tool with the provided sample log file:\n\n```bash\n# Run basic analysis\npython analyzer.py logs/auth.log\n\n# Test with different thresholds\npython analyzer.py logs/auth.log --threshold 3\npython analyzer.py logs/auth.log --threshold 10\n\n# Test export functionality\npython analyzer.py logs/auth.log --export csv --output test_results.csv\npython analyzer.py logs/auth.log --export json --output test_results.json\n```\n\n## 🔧 Customization\n\n### Adding New Detection Patterns\n\nEdit `utils.py` to add new regex patterns:\n\n```python\ndef is_custom_attack(log_line: str) -\u003e bool:\n    \"\"\"Detect custom attack patterns\"\"\"\n    custom_patterns = [\n        r'your_custom_pattern',\n        r'another_pattern'\n    ]\n    return any(re.search(pattern, log_line, re.IGNORECASE) for pattern in custom_patterns)\n```\n\n### Extending Analysis\n\nAdd new analysis functions to the `LogAnalyzer` class in `analyzer.py`:\n\n```python\ndef custom_analysis(self) -\u003e Dict:\n    \"\"\"Implement custom analysis logic\"\"\"\n    # Your custom analysis code here\n    pass\n```\n\n## 🛡️ Security Considerations\n\n- **Log File Access**: Ensure proper permissions for log file access\n- **Data Privacy**: Be mindful of sensitive information in logs\n- **False Positives**: Adjust thresholds based on your environment\n- **Regular Updates**: Keep detection patterns updated for new threats\n\n## 🤝 Contributing\n\n1. Fork the repository\n2. Create a feature branch\n3. Add tests for new functionality\n4. Submit a pull request\n\n## 📋 Requirements\n\n- Python 3.6+\n- Standard library modules only (no external dependencies required)\n- Read access to log files\n\n## 🆘 Troubleshooting\n\n### Common Issues\n\n1. **File Not Found Error**\n\n   ```bash\n   python analyzer.py /correct/path/to/logfile.log\n   ```\n\n2. **Permission Denied**\n\n   ```bash\n   sudo python analyzer.py /var/log/auth.log\n   ```\n\n3. **No Results Found**\n   - Check log file format\n   - Verify log entries contain expected patterns\n   - Try lowering the threshold\n\n## 📞 Support\n\nFor issues or questions:\n\n- Check the troubleshooting section\n- Review the sample log format\n- Ensure proper file permissions\n\n## 📄 License\n\nThis project is released under the MIT License. See LICENSE file for details.\n\n---\n\n**Created for SOC Analysts by SOC Analysts** 🛡️\n\n_Stay vigilant, stay secure!_\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faditya8raj%2Fcybersec-log-analyzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faditya8raj%2Fcybersec-log-analyzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faditya8raj%2Fcybersec-log-analyzer/lists"}