Re: [mod-security-users] Log-parser
From: Ryan B. <rcb...@gm...> - 2005-05-22 17:48:26
Evert,

That is a cool looking interface. Reminds me of the SnortSnarf output. I would be interested in the code if you could make it available.

FYI - I am writing a book on Apache security/intrusion detection. I am currently writing a chapter on log monitoring/analysis. I would like to include this code if you don't mind. I would of course give you proper credit :)

Additionally, I have a PERL script I call sgrep.pl that will parse through the audit_log and extract out an entire record that has the search text in it. Here is some example output -

# ./sgrep.pl -f audit_log -s "passwd.txt" |less
========================================
Request: 62.103.182.12 - - [Fri Mar 12 03:55:49 2004] "HEAD http://www.abrianna.com/ccbill/password/htpasswd.txt HTTP/1.0" 404 0
Handler: proxy-server
----------------------------------------
HEAD http://www.abrianna.com/ccbill/password/htpasswd.txt HTTP/1.0
Cache-Control: no-cache
Connection: close
Host: www.abrianna.com
Pragma: no-cache
Proxy-Connection: keep-alive
Referer: http://www.abrianna.com/ccbill/password/htpasswd.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

HTTP/1.0 404 Not Found
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from www.testproxy.net
Connection: close

========================================
Request: 217.160.165.173 - - [Fri Mar 12 22:41:17 2004] "GET /wwwboard/passwd.txt HTTP/1.1" 200 578
Handler: (null)
--CUT--

Let me know if anyone is interested in the sgrep.pl script and I will post it to the list.

Thanks,

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GCUX, GSEC

On 5/10/05, Evert <ev...@di...> wrote:
> since there were no audit_log parsers around i wrote one myself. is somebody
> interested in the code? then i can put it online somewhere.
>
> the output is like this: http://evert.dyndns.org/modsec/
>
> kind regards,
> Evert Daman
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
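The record-oriented search Ryan describes (return the whole audit_log record that contains the search text, rather than the single matching line a plain grep gives you) is easy to reproduce. The following is an added example written for this page in Python, not Ryan's sgrep.pl and not part of the original thread. It assumes the ModSecurity 1.x audit_log layout visible in his output: each record begins with a line of "=" characters, followed by a "Request:" summary line, a "Handler:" line, a line of "-" characters and then the raw request and response. The sample log is constructed for the example, modelled on the two records in the message plus one benign record so that a search can also miss.

```python
"""Record-oriented search over a ModSecurity 1.x style audit_log.

Added example: a Python re-implementation of the idea behind sgrep.pl
(not that script). It assumes the layout shown in the message: a line
of '=' opens each record, then "Request:", "Handler:", a line of '-'
and the raw request/response text.
"""
import re
from typing import Dict, List

# Constructed sample audit_log: the two records from the message plus
# one benign record (10.0.0.5 / index.html) that no search below should hit.
SAMPLE_AUDIT_LOG = """\
========================================
Request: 62.103.182.12 - - [Fri Mar 12 03:55:49 2004] "HEAD http://www.abrianna.com/ccbill/password/htpasswd.txt HTTP/1.0" 404 0
Handler: proxy-server
----------------------------------------
HEAD http://www.abrianna.com/ccbill/password/htpasswd.txt HTTP/1.0
Host: www.abrianna.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

HTTP/1.0 404 Not Found
Content-Type: text/html; charset=iso-8859-1

========================================
Request: 217.160.165.173 - - [Fri Mar 12 22:41:17 2004] "GET /wwwboard/passwd.txt HTTP/1.1" 200 578
Handler: (null)
----------------------------------------
GET /wwwboard/passwd.txt HTTP/1.1
Host: www.example.test

HTTP/1.1 200 OK
Content-Type: text/plain

========================================
Request: 10.0.0.5 - - [Fri Mar 12 23:01:02 2004] "GET /index.html HTTP/1.1" 200 1024
Handler: (null)
----------------------------------------
GET /index.html HTTP/1.1
Host: www.example.test

HTTP/1.1 200 OK
Content-Type: text/html
"""

# A record boundary is a line consisting only of '=' characters.
SEPARATOR = re.compile(r"^=+\s*$", re.M)
# The "Request:" summary line: client IP, two ident/user fields, timestamp,
# quoted request line, status code and response bytes.
REQUEST_LINE = re.compile(
    r'^Request: (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$',
    re.M,
)
HANDLER_LINE = re.compile(r"^Handler: (?P<handler>.*)$", re.M)


def split_records(text: str) -> List[str]:
    """Split the log into per-record chunks on the line of '=' characters."""
    return [chunk.strip("\n") for chunk in SEPARATOR.split(text) if chunk.strip()]


def parse_record(chunk: str) -> Dict[str, str]:
    """Pull the summary fields out of one record; the raw text is kept as well."""
    rec = {"raw": chunk}
    m = REQUEST_LINE.search(chunk)
    if m:
        rec.update(m.groupdict())
    h = HANDLER_LINE.search(chunk)
    if h:
        rec["handler"] = h.group("handler")
    return rec


def sgrep(text: str, needle: str, ignore_case: bool = False) -> List[Dict[str, str]]:
    """Return every whole record whose text contains `needle` (the -s behaviour)."""
    hits = []
    for chunk in split_records(text):
        hay, key = (chunk.lower(), needle.lower()) if ignore_case else (chunk, needle)
        if key in hay:
            hits.append(parse_record(chunk))
    return hits


if __name__ == "__main__":
    # Equivalent of: ./sgrep.pl -f audit_log -s "passwd.txt"
    for rec in sgrep(SAMPLE_AUDIT_LOG, "passwd.txt"):
        print("=" * 40)
        print(rec["raw"])
```

Because the match is tested against the whole record, a hit on a header value such as Referer or User-Agent still returns the Request: line, the handler and the full exchange, which is what you want when reviewing a suspicious request in context. The parsed fields (ip, status, uri) are returned alongside the raw text so the same records can be counted or grouped instead of only printed.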