1:选择日志 ,然后打开
2.运行SQL语句或者说运行脚本
3.存储脚本或者SQL语句到LPS程序
4.导出.CSV类型查询的结果
5.解锁小按钮。在重新写SQL语句时,需要解锁小按钮,方可操作
6.选择日志的类型。一般默认都是图中IISW3CLOG
7.在此处编写SQL语句
分享几个比较好用的SQL语句脚本:
防采集:统计访问.html的IP数:
select c-ip, count(c-ip) as requestcount from '[LOGFILEPATH]' where c-ip not like '%203.208.60.%' and c-ip not like '%220.181.125.149%' and cs(User-Agent) not like '%+MJ12bot/v1.4.8;%' and cs-uri-stem like '%.html%' group by c-ip order by count(c-ip) desc 这句话的意思:去除203.208.60.*可以确定的谷歌蜘蛛;去除220.181.125.149可以确定的搜狗蜘蛛;去除+MJ12bot/v1.4.8;这个国外关于统计外链的蜘蛛类型。
然后统计剩下的访问.html的IP数,一般采集人,会在一分钟内大量访问很多html页面,这不符合正常访客的行为,这时候我们就能看到异常IP
采集:统计单个IP访问.html的详情
select c-ip,cs-uri-stem,sc-status,time,cs(User-Agent) from '[LOGFILEPATH]' where c-ip='124.225.168.19' and cs-uri-stem like '%.html%' 可以清楚的看到异常IP访问的所有.html页面
扫描IP:统计POST的IP次数
select c-ip, count(c-ip) as requestcount from '[LOGFILEPATH]' where cs-method='POST' group by c-ip order by count(c-ip) desc 统计黑客人员利用扫描工具进行漏洞POST请求注入
扫描IP:单个IP的post详情
select c-ip,cs-uri-stem,sc-status,time,cs(User-Agent) from '[LOGFILEPATH]' where c-ip='113.121.44.120' 统计百度蜘蛛
SELECT time,c-ip,cs-method,cs-uri-stem,s-port,sc-status,cs(User-Agent),time-taken FROM '[LOGFILEPATH]' where cs(User-Agent) like '%Baiduspider%' 统计搜狗蜘蛛
SELECT time,c-ip,cs-method,cs-uri-stem,s-port,sc-status,cs(User-Agent),time-taken FROM '[LOGFILEPATH]' where cs(User-Agent) like '%Sogou.com%' 统计神马蜘蛛
SELECT time,c-ip,cs-method,cs-uri-stem,s-port,sc-status,cs(User-Agent),time-taken FROM '[LOGFILEPATH]' where cs(User-Agent) like '%YisouSpider%' 统计360蜘蛛
SELECT time,c-ip,cs-method,cs-uri-stem,s-port,sc-status,cs(User-Agent),time-taken FROM '[LOGFILEPATH]' where cs(User-Agent) like '%360Spider%' 统计谷歌蜘蛛
SELECT time,c-ip,cs-method,cs-uri-stem,s-port,sc-status,cs(User-Agent),time-taken FROM '[LOGFILEPATH]' where cs(User-Agent) like '%Googlebot%'