Week 12 Apache Log Menu Lab - Snowboundport37/champlain GitHub Wiki

Week 12 Apache Log Menu Lab

Objective

Enhance a Bash menu script that analyzes Apache access logs. Add functions to:

  • display only pages
  • list frequent visitors
  • detect suspicious visitors using an IOC file

Also ensure the menu handles invalid input with a clear message.

Prerequisites

sudo apt-get update
sudo apt-get install -y apache2 curl
sudo systemctl enable apache2
sudo systemctl start apache2

Find your server IP and visit it in a browser to generate logs.

ip addr

Create simple site pages

sudo rm -f /var/www/html/index.html
sudo tee /var/www/html/index.html > /dev/null <<'HTML'
<html><head><title>My Apache Site</title></head>
<body>
<h1>Welcome to my server</h1>
<p><a href="page1.html">page1</a></p>
<p><a href="page2.html">page2</a></p>
</body></html>
HTML

sudo tee /var/www/html/page1.html > /dev/null <<'HTML'
<html><head><title>page1</title></head>
<body><h1>page1</h1><p>This is page1</p><a href="index.html">home</a></body></html>
HTML

sudo tee /var/www/html/page2.html > /dev/null <<'HTML'
<html><head><title>page2</title></head>
<body><h1>page2</h1><p>This is page2</p><a href="index.html">home</a></body></html>
HTML

Click around the links a few times and also hit them with curl to build up logs.

curl http://<YOUR-IP>/
curl http://<YOUR-IP>/page1.html
curl http://<YOUR-IP>/page2.html

IOC list for suspicious visitors

Create a file named ioc.txt in the same directory where you will run the script. One indicator per line. You can add more later.

phpmyadmin
wp-login
/etc/passwd
cmd.exe
.env

Final script apacheLogMenu.bash

Make a working directory like ~/SYS-330/week12 and create the script there.

nano apacheLogMenu.bash

Paste the FULL script below.

#!/bin/bash

# Current active log after generating new traffic
# If your entries live in the rotated file, change back to access.log.1
logFile="/var/log/apache2/access.log"

# Show whole log
displayAllLogs() {
  cat "$logFile"
}

# Show unique IPs with counts
displayOnlyIPs() {
  cat "$logFile" | cut -d ' ' -f 1 | sort -n | uniq -c
}

# Show only pages requested
displayOnlyPages() {
  echo "Displaying only pages visited:"
  cat "$logFile" | awk '{print $7}' | sort | uniq -c
}

# Histogram of visits per IP per hour
histogram() {
  local visits
  # Fields 1 and 4 are the client IP and "[dd/Mon/yyyy:hh:mm:ss"
  # No uniq here: same-second requests from one IP must each be counted
  visits=$(cat "$logFile" | cut -d " " -f 1,4 | tr -d '[' | sort)

  :> newtemp.txt
  echo "$visits" | while read -r line; do
    local hour ip
    # Keep "dd/Mon/yyyy:hh" so each bucket is the date plus the hour
    hour=$(echo "$line" | cut -d " " -f 2 | cut -d ":" -f 1,2)
    ip=$(echo "$line" | cut -d " " -f 1)
    echo "$ip $hour" >> newtemp.txt
  done

  echo "Histogram IP visits by hour:"
  cat newtemp.txt | sort -n | uniq -c
}

# Frequent visitors more than 10 hits
frequentVisitors() {
  echo "Frequent visitors more than 10 visits:"
  # Count per IP across whole file and filter
  cat "$logFile" | cut -d ' ' -f 1 | sort | uniq -c | awk '$1 > 10 {print $0}'
}

# Suspicious visitors based on ioc.txt patterns
suspiciousVisitors() {
  echo "Checking suspicious visitors with ioc.txt"
  if [[ ! -f "ioc.txt" ]]; then
    echo "ioc.txt not found in current directory."
    echo "Create it with indicators like:"
    echo "phpmyadmin"
    echo "wp-login"
    echo "/etc/passwd"
    return
  fi

  echo "IOC patterns:"
  cat ioc.txt
  echo

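  # Find log lines that match any IOC, then print unique IPs with counts.
  # -F treats each IOC as a literal string, so the "." in .env or cmd.exe is not
  # a regex wildcard. Blank lines are dropped because an empty pattern would
  # match every log line.
  grep -F -f <(grep -v '^$' ioc.txt) "$logFile" | awk '{print $1}' | sort | uniq -c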
}

# Main menu
while :; do
  echo "==========================================="
  echo "        Apache Log Analysis Menu           "
  echo "==========================================="
  echo "[1] Display all logs"
  echo "[2] Display only IPs"
  echo "[3] Display only pages visited"
  echo "[4] Histogram of visits"
  echo "[5] Frequent visitors more than 10 visits"
  echo "[6] Suspicious visitors using ioc.txt"
  echo "[7] Quit"
  echo "==========================================="
  # -r keeps backslashes literal; leave the loop if input ends (Ctrl-D)
  read -rp "Enter your choice: " userInput || break
  echo

  case "$userInput" in
    1) echo "Displaying all logs:"; displayAllLogs ;;
    2) echo "Displaying only IPs:"; displayOnlyIPs ;;
    3) displayOnlyPages ;;
    4) histogram ;;
    5) frequentVisitors ;;
    6) suspiciousVisitors ;;
    7) echo "Goodbye"; break ;;
    *) echo "Invalid option. Please try again."; ;;
  esac

  echo
done

Make it executable.

chmod +x apacheLogMenu.bash

Run it from the same directory where ioc.txt lives.

sudo ./apacheLogMenu.bash

Expected sample outputs

  • displayOnlyPages shows unique page paths with counts.
  • frequentVisitors shows IPs with more than 10 total hits.
  • suspiciousVisitors lists IP counts that matched patterns in ioc.txt.
  • Any input that is not 1 through 7 prints Invalid option. Please try again.
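
Which visitors the IOC check flags depends on how each indicator is interpreted. The following added example (not part of the lab script; the log lines, IP addresses and function names are constructed for illustration) compares regex matching against the whole log line with literal matching against the request path only, skipping blank lines in the IOC file.

```shell
#!/bin/bash
# Added example, not part of the lab script. All log lines are constructed.
export LC_ALL=C

# Write a constructed access log and IOC list into directory $1.
make_samples() {
  cat > "$1/access.log" <<'LOG'
203.0.113.5 - - [10/Nov/2025:13:55:36 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 196 "-" "curl/8.5.0"
203.0.113.5 - - [10/Nov/2025:13:55:37 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/8.5.0"
198.51.100.7 - - [10/Nov/2025:14:02:10 +0000] "GET /environment.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2025:14:02:11 +0000] "GET /page1.html HTTP/1.1" 200 120 "http://example.test/wp-login-help" "Mozilla/5.0"
192.0.2.9 - - [10/Nov/2025:14:05:00 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
LOG
  # The empty third line is deliberate: grep treats an empty pattern as "match everything".
  printf 'phpmyadmin\nwp-login\n\n.env\n' > "$1/ioc.txt"
}

# Regex patterns tested against the whole log line. Prints "ip count".
match_regex_whole_line() {   # $1 = log file, $2 = IOC file
  grep -f "$2" "$1" | awk '{print $1}' | sort | uniq -c | awk '{print $2, $1}'
}

# Literal indicators tested against the request path (field 7) only.
# Blank lines and # comments in the IOC file are skipped.
# Prints "ip indicator count" so the analyst sees what matched.
match_literal_path() {       # $1 = log file, $2 = IOC file
  awk 'FILENAME == ARGV[1] { if ($0 != "" && $0 !~ /^#/) ioc[$0] = 1; next }
       { for (p in ioc) if (index($7, p)) hits[$1 " " p]++ }
       END { for (k in hits) print k, hits[k] }' "$2" "$1" | sort
}

demo() {
  demo_dir=$(mktemp -d)
  make_samples "$demo_dir"
  echo "regex, whole line:";     match_regex_whole_line "$demo_dir/access.log" "$demo_dir/ioc.txt"
  echo "literal, request path:"; match_literal_path "$demo_dir/access.log" "$demo_dir/ioc.txt"
  rm -rf "$demo_dir"
}
demo
```

In the sample, 198.51.100.7 is flagged only by the regex version: `.env` as a regex matches `/env` in /environment.html, and wp-login appears in that client's Referer header rather than in the requested path.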

Optional traffic generator to build logs fast

cat > basic_access_intruder.bash <<'BASH'
#!/bin/bash
IP="127.0.0.1"
for i in $(seq 1 20); do
  curl -s "http://$IP/page2.html" > /dev/null
  echo "request $i done"
done
BASH
chmod +x basic_access_intruder.bash
./basic_access_intruder.bash

What to upload to GitHub

  • apacheLogMenu.bash
  • ioc.txt
  • Screenshots that show:
    • the menu
    • output of option 3 display only pages
    • output of option 5 frequent visitors
    • output of option 6 suspicious visitors
    • invalid option message

That completes the lab.
