In [2]:
import urllib.parse
import re

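def normalize(data, max_rounds=3):
    """Canonicalise a log entry before signature matching.

    The entry is percent-decoded repeatedly (at most ``max_rounds`` passes,
    stopping early once a pass no longer changes it) so that multiply-encoded
    payloads such as ``%2527`` still resolve to a literal ``'``.  It is then
    lower-cased and every run of whitespace collapsed to one space.

    Args:
        data: raw log entry (str).  Falsy input (``None``, ``""``) yields ``""``.
        max_rounds: upper bound on decode passes.  The default of 3 reproduces
            the previous fixed three-pass behaviour; raise it if deeper nesting
            must be unwrapped.

    Returns:
        The decoded, lower-cased, whitespace-collapsed and stripped string.
    """
    if not data:
        return ""
    for _ in range(max_rounds):
        # unquote_plus also maps '+' to ' ' (query-string semantics), so a
        # literal '+' in a path component is lost after the first pass.
        decoded = urllib.parse.unquote_plus(data)
        if decoded == data:
            break  # fixed point reached; further passes would be no-ops
        data = decoded
    data = data.lower()
    data = re.sub(r"\s+", " ", data)
    return data.strip()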


In [3]:
SQLI_SIGNS = [
    " or 1=1",
    "union select",
    "information_schema",
    "benchmark(",
    "sleep(",
    "--",
    "'"
]


def detect_sqli(text):
    """Return True when any ``SQLI_SIGNS`` substring occurs in ``text``.

    The signatures are lower-case, so ``text`` is expected to be the output of
    ``normalize``.  The last two entries (``--`` and ``'``) are very broad: a
    single apostrophe anywhere in the entry -- including a quoted
    client-address field -- is enough to produce a hit, so this is a coarse
    triage flag rather than a confirmation.
    """
    return any(sign in text for sign in SQLI_SIGNS)


In [4]:
CMD_SIGNS = [
    ";",
    "&&",
    "|",
    "||",
    "$(",
    "`"
]


def detect_cmd(text):
    """Return True when any shell-metacharacter signature appears in ``text``.

    Plain substring matching; ``"||"`` can never match where ``"|"`` did not,
    so it is redundant but harmless.  Any ``;`` or ``|`` in the entry fires,
    which makes this flag noisy on inputs that legitimately contain them.
    """
    return any(sign in text for sign in CMD_SIGNS)


In [5]:
PATH_SIGNS = [
    "../",
    "..\\",
    "/etc/passwd",
    "php://",
    "file://",
    "data://"
]


def detect_path(text):
    """Return True when ``text`` contains a traversal or stream-wrapper signature.

    Matches are literal substrings on the normalized entry; both the Unix and
    Windows dot-dot forms are covered, as are a few PHP/URL wrapper prefixes.
    """
    return any(sign in text for sign in PATH_SIGNS)


In [6]:
XSS_SIGNS = [
    "<script",
    "</script>",
    "onerror=",
    "onload=",
    "javascript:"
]


def detect_xss(text):
    """Return True when a script tag, inline event handler or javascript: URL
    appears in ``text``.

    Substring matching on the normalized (lower-cased, decoded) entry; the
    signatures themselves are lower-case.
    """
    return any(sign in text for sign in XSS_SIGNS)


In [7]:
DANGEROUS_FILES = [
    ".php",
    ".py",
    ".exe",
    ".jsp",
    ".sh"
]


def detect_file(text):
    """Return True when ``text`` contains one of the executable file extensions.

    This is a plain substring test over the whole entry, so an extension that
    appears in a request path or query value (e.g. ``page=include.php``) fires
    exactly like an uploaded filename would, and ``.sh`` also matches ``.shtml``.
    """
    return any(ext in text for ext in DANGEROUS_FILES)


In [8]:
def analyze_log_entry(entry):
    """Run every detector over one log entry and collect the labels that fired.

    The whole entry (timestamp, quoted client tuple, method, URL, body) is
    normalized and scanned as a single string.

    Args:
        entry: one raw log line / request string.

    Returns:
        List of category labels in fixed detector order; empty when nothing
        matched.
    """
    text = normalize(entry)
    checks = (
        (detect_sqli, "SQL_INJECTION"),
        (detect_cmd, "COMMAND_INJECTION"),
        (detect_path, "PATH_TRAVERSAL"),
        (detect_xss, "XSS"),
        (detect_file, "FILE_UPLOAD_ABUSE"),
    )
    return [label for detector, label in checks if detector(text)]


In [10]:
raw_logs = [
  # One string per request.  Format mirrors the rows in the rendered output
  # below: timestamp, "(client_ip, port)", method, URL[, body].  Note that the
  # quoted client tuple is scanned by the detectors along with the URL.
  "2025-12-30T11:03:19.539529Z,\"('127.0.0.1', 42332)\",GET,http://192.168.122.170/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit"
  # NOTE(review): the output under In [11] lists five requests while this
  # list holds one, so that output appears to predate the current cell contents.

]


In [11]:
# Print one report per request: the raw entry and the labels that fired
# ("CLEAN" when the detector list is empty).
for request_no, entry in enumerate(raw_logs, start=1):
    findings = analyze_log_entry(entry)
    verdict = findings or "CLEAN"
    print(f"\nRequest {request_no}")
    print("Raw:", entry)
    print("Detected:", verdict)



Request 1
Raw: 2025-12-30T11:03:19.539529Z,"('127.0.0.1', 42332)",GET,http://192.168.122.170/dvwa/vulnerabilities/sqli/?id=%27+OR+1%3D1+--&Submit=Submit
Detected: ['SQL_INJECTION']

Request 2
Raw: 2025-12-30T11:06:09.572621Z,"('127.0.0.1', 58512)",GET,http://192.168.122.170/dvwa/vulnerabilities/fi/?page=include.php
Detected: ['SQL_INJECTION', 'FILE_UPLOAD_ABUSE']

Request 3
Raw: 2025-12-30T11:07:58.211196Z,"('127.0.0.1', 38696)",POST,http://192.168.122.170/dvwa/vulnerabilities/exec/,ip=%3Bls&submit=submit
Detected: ['SQL_INJECTION', 'COMMAND_INJECTION']

Request 4
Raw: 2025-12-30T11:41:16.212493Z,"('127.0.0.1', 37666)",GET,http://192.168.122.170/dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert("Hacked")%3C%2Fscript%3E
Detected: ['SQL_INJECTION', 'XSS']

Request 5
Raw: filename="file.py" content-type=text/python
Detected: ['FILE_UPLOAD_ABUSE']
