Blazing-fast log analysis for incident response, threat hunting, and forensic investigations
```bash
# Clone and build
git clone https://github.com/bad-antics/nullsec-logreaper
cd nullsec-logreaper
make

# Install system-wide (optional)
sudo make install
```

```bash
# Analyze auth logs for brute force
./logreaper -a /var/log/auth.log

# Hunt for web attacks
./logreaper -w /var/log/nginx/access.log

# Full system analysis with timeline
./logreaper -t /var/log/

# Real-time monitoring
./logreaper -l /var/log/syslog

# Extract IOCs to JSON
./logreaper -i /var/log/ -o iocs.json
```

| Pattern | Description | Severity |
|---|---|---|
| AUTH_BRUTE_SSH | SSH brute force attempts | 🔴 High |
| AUTH_SUDO_ABUSE | Unusual sudo usage | 🟡 Medium |
| AUTH_SU_ROOT | Privilege escalation via su | 🔴 High |
| AUTH_FAIL_BURST | Rapid auth failures | 🔴 High |
| AUTH_NEW_USER | New user created | 🟡 Medium |
| AUTH_PASSWD_CHG | Password changed | 🟡 Medium |
| Pattern | Description | Severity |
|---|---|---|
| WEB_SQLI | SQL injection attempts | 🔴 Critical |
| WEB_XSS | Cross-site scripting | 🔴 High |
| WEB_LFI | Local file inclusion | 🔴 Critical |
| WEB_RFI | Remote file inclusion | 🔴 Critical |
| WEB_PATH_TRAV | Path traversal (../) | 🔴 High |
| WEB_CMD_INJ | Command injection | 🔴 Critical |
| WEB_SCANNER | Automated scanner detected | 🟡 Medium |
| Pattern | Description | Severity |
|---|---|---|
| SYS_KERNEL_MOD | Kernel module loaded | 🟡 Medium |
| SYS_SELINUX_OFF | SELinux disabled | 🔴 High |
| SYS_CRON_CHANGE | Cron job modified | 🟡 Medium |
| SYS_SERVICE_NEW | New systemd service | 🟡 Medium |
| SYS_MOUNT_EXEC | Exec mount option | 🟡 Medium |
```json
{
  "scan_id": "lr-20250127-143022",
  "total_events": 15847,
  "threats_found": 23,
  "timeline": [...],
  "iocs": {
    "ips": ["192.168.1.100", "10.0.0.5"],
    "domains": ["evil.example.com"],
    "hashes": []
  },
  "findings": [...]
}
```

```text
╔══════════════════════════════════════════════════════════════╗
║ 🔪 LogReaper v1.0                                            ║
╠══════════════════════════════════════════════════════════════╣
║ Target: /var/log/auth.log                                    ║
║ Lines: 15,847                                                ║
║ Period: 2025-01-20 → 2025-01-27                              ║
╠══════════════════════════════════════════════════════════════╣
║ 🔴 CRITICAL │ 3                                              ║
║ 🟠 HIGH     │ 12                                             ║
║ 🟡 MEDIUM   │ 8                                              ║
║ 🟢 LOW      │ 0                                              ║
╚══════════════════════════════════════════════════════════════╝

[!] AUTH_BRUTE_SSH detected
    Time: 2025-01-26 14:32:15
    Source: 192.168.1.100
    Count: 847 attempts in 5 minutes
    User: root, admin, ubuntu
```
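The sample finding above is the result of counting failed logins per source inside a sliding time window. As an added example that is not part of LogReaper's own C code, the following Python performs that check over constructed auth.log lines; the 10-attempt threshold, the five-minute window, the year 2025 used to complete the syslog timestamps, and the sample log lines are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# sshd "Failed password" line in classic syslog format (the timestamp carries no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
WINDOW_SECONDS = 300  # five-minute window, matching the sample finding above
THRESHOLD = 10        # assumed threshold; LogReaper's real value is not stated in the README

def parse_failed_logins(lines, year=2025):
    """Yield (timestamp, source_ip, username) for each failed sshd password attempt."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], m["user"]

def detect_ssh_brute(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """One AUTH_BRUTE_SSH finding per source IP whose densest window reaches the threshold."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failed_logins(lines):
        by_ip[ip].append((ts, user))
    findings = []
    for ip, events in by_ip.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):  # sliding window over the sorted timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, s, e = best
            findings.append({"pattern": "AUTH_BRUTE_SSH", "source": ip, "count": count,
                             "first": events[s][0].isoformat(sep=" "),
                             "users": sorted({u for _, u in events[s:e + 1]})})
    return findings

SAMPLE_LOG = [  # constructed sample: 12 failures from one source in under two minutes, plus noise
    f"Jan 26 14:{32 + i // 6}:{(i * 10) % 60:02d} host sshd[1234]: Failed password for "
    f"{'' if u == 'root' else 'invalid user '}{u} from 192.168.1.100 port 5{i:04d} ssh2"
    for i, u in enumerate(["root", "admin", "ubuntu"] * 4)
] + [
    "Jan 26 14:40:01 host sshd[1300]: Failed password for root from 10.0.0.5 port 40001 ssh2",
    "Jan 26 14:40:02 host sshd[1301]: Accepted publickey for deploy from 10.0.0.7 port 40002 ssh2",
    "Jan 26 15:30:00 host sshd[1302]: Failed password for root from 10.0.0.5 port 40003 ssh2",
]
```

The two isolated failures from 10.0.0.5 stay below the threshold, so only the dense burst from 192.168.1.100 is reported.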
```bash
# Build attack timeline from multiple sources
./logreaper -t \
  /var/log/auth.log \
  /var/log/nginx/access.log \
  /var/log/syslog \
  -o timeline.json
```

```bash
# Extract IOCs in Splunk-compatible format
./logreaper -i /var/log/ --format splunk > iocs.txt

# Extract for ELK Stack
./logreaper -i /var/log/ --format elastic | curl -X POST ...
```

```bash
# Run LogReaper → pipe suspicious IPs to firewall
# (review the extracted list before applying it: an automatic block can cut off legitimate sources)
./logreaper -a /var/log/auth.log --extract-ips | \
  xargs -I {} iptables -A INPUT -s {} -j DROP

# Correlate with RKHunt findings
./logreaper -s /var/log/syslog | grep -f <(rkhunt --list-iocs)
```

```bash
# Standard build
make

# Build with debug symbols
make DEBUG=1

# Build with PCRE2 regex (faster patterns)
make PCRE2=1

# Build static binary
make STATIC=1

# Cross-compile for ARM64
make ARCH=aarch64
```

```text
nullsec-logreaper/
├── src/
│   ├── main.c        # Entry point, arg parsing
│   ├── parser.c      # Log format parsers
│   ├── analyzer.c    # Pattern matching engine
│   ├── timeline.c    # Event correlation
│   ├── output.c      # Report generation
│   ├── patterns.h    # Detection signatures
│   └── utils.c       # Helper functions
├── patterns/
│   ├── auth.rules    # Authentication patterns
│   ├── web.rules     # Web attack signatures
│   └── system.rules  # System anomaly patterns
├── Makefile
├── LICENSE
└── README.md
```
LogReaper works seamlessly with other NullSec tools:
| Tool | Integration |
|---|---|
| RKHunt | Correlate rootkit indicators with log anomalies |
| Specter | Feed extracted IOCs for threat intelligence |
| NetSniff | Combine network + log analysis |
| MemScan | Timeline memory artifacts with system logs |
MIT License - See LICENSE for details.
Part of the NullSec Toolkit
"From logs to leads."