[mod-security-users] Re: Log-parser
From: Evert <eve...@ho...> - 2005-05-23 06:38:42
Sure, but there's one little bug in it (this morning I noticed that 20:00 is put in the dbase as 2:00, don't know why yet...). When that one is out I'll post my code here.

Kind regards,
Evert

"Ryan Barnett" <rcb...@gm...> wrote in message news:cba...@ma......

Evert,

That is a cool looking interface. Reminds me of the SnortSnarf output. I would be interested in the code if you could make it available.

FYI - I am writing a book on Apache security/intrusion detection. I am currently writing a chapter on log monitoring/analysis. I would like to include this code if you don't mind. I would of course give you proper credit :)

Additionally, I have a PERL script I call sgrep.pl that will parse through the audit_log and extract out an entire record that has the search text in it. Here is some example output -

# ./sgrep.pl -f audit_log -s "passwd.txt" |less
========================================
Request: 62.103.182.12 - - [Fri Mar 12 03:55:49 2004] "HEAD http://www.abrianna.com/ccbill/password/htpasswd.txt HTTP/1.0" 404 0
Handler: proxy-server
----------------------------------------
HEAD http://www.abrianna.com/ccbill/password/htpasswd.txt HTTP/1.0
Cache-Control: no-cache
Connection: close
Host: www.abrianna.com
Pragma: no-cache
Proxy-Connection: keep-alive
Referer: http://www.abrianna.com/ccbill/password/htpasswd.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

HTTP/1.0 404 Not Found
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from www.testproxy.net
Connection: close
========================================
Request: 217.160.165.173 - - [Fri Mar 12 22:41:17 2004] "GET /wwwboard/passwd.txt HTTP/1.1" 200 578
Handler: (null)
--CUT--

Let me know if anyone is interested in the sgrep.pl script and I will post it to the list.

Thanks,
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GCUX, GSEC

On 5/10/05, Evert <ev...@di...> wrote:
> Since there were no audit_log parsers around I wrote one myself. Is somebody
> interested in the code? Then I can put it online somewhere.
>
> The output is like this: http://evert.dyndns.org/modsec/
>
> Kind regards,
> Evert Daman
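Neither Evert's parser nor Ryan's sgrep.pl was posted in this thread, so the following is an added example and not either of their code: a small Python parser for the audit_log record layout quoted above (a line of '=' opens each record, "Request:" and "Handler:" lines follow, a line of '-' separates them from the raw request and response headers), a function that returns every whole record containing a search string the way Ryan describes sgrep.pl working, and a timestamp parser on a 24-hour clock with a 20:00 record in the sample, which is the regression check I would keep around for the 20:00 / 2:00 symptom Evert mentions. The sample log is constructed; the exact field layout of the "Request:" line is assumed from the two records quoted and was not checked against the ModSecurity source.

```python
import re
from datetime import datetime
from typing import Iterable, Iterator, List, Optional

# Constructed sample in the layout of the audit_log output quoted on the list.
# Hosts and client addresses are made up (documentation ranges), not real traffic.
SAMPLE_AUDIT_LOG = """\
========================================
Request: 192.0.2.10 - - [Fri Mar 12 03:55:49 2004] "HEAD http://www.example.com/ccbill/password/htpasswd.txt HTTP/1.0" 404 0
Handler: proxy-server
----------------------------------------
HEAD http://www.example.com/ccbill/password/htpasswd.txt HTTP/1.0
Host: www.example.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

HTTP/1.0 404 Not Found
Content-Type: text/html; charset=iso-8859-1
Connection: close
========================================
Request: 192.0.2.20 - - [Fri Mar 12 22:41:17 2004] "GET /wwwboard/passwd.txt HTTP/1.1" 200 578
Handler: (null)
----------------------------------------
GET /wwwboard/passwd.txt HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
Content-Type: text/plain
========================================
Request: 192.0.2.30 - - [Mon May 23 20:00:07 2005] "GET /index.html HTTP/1.1" 200 1024
Handler: (null)
----------------------------------------
GET /index.html HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
"""

# "Request:" line as quoted on the list: client, two '-' fields, [timestamp],
# "request line", status, bytes. Assumed fixed; not verified against ModSecurity.
REQUEST_RE = re.compile(
    r'^Request: (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<line>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"   # e.g. "Fri Mar 12 03:55:49 2004"


def parse_audit_time(stamp: str) -> datetime:
    """Parse the bracketed timestamp on a 24-hour clock (%H), so a 20:00 entry
    comes back as hour 20. strptime's %d also accepts a space-padded day."""
    return datetime.strptime(stamp, TIME_FORMAT)


def _build_record(head: List[str], body: List[str]) -> dict:
    """Turn one record's header lines and raw request/response lines into a dict."""
    rec = {"client": None, "time": None, "request_line": None, "status": None,
           "bytes": None, "handler": None, "body": "\n".join(body),
           "raw": "\n".join(head + ["-" * 40] + body)}
    for line in head:
        if line.startswith("Request: "):
            m = REQUEST_RE.match(line)
            if m:                       # fields stay None on an unexpected layout
                rec.update(client=m["client"], request_line=m["line"],
                           status=int(m["status"]), bytes=m["bytes"],
                           time=parse_audit_time(m["time"]))
        elif line.startswith("Handler: "):
            rec["handler"] = line[len("Handler: "):]
    return rec


def iter_records(lines: Iterable[str]) -> Iterator[dict]:
    """Split an audit_log stream into records. The format is delimiter-based with
    no escaping, so a logged header line made up only of '=' would itself be read
    as a record boundary; that is a limitation of the format, not of this parser."""
    head: Optional[List[str]] = None
    body: Optional[List[str]] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if re.fullmatch(r"=+", line):            # boundary: flush the previous record
            if head is not None:
                yield _build_record(head, body or [])
            head, body = [], None
        elif head is None:
            continue                              # text before the first boundary
        elif body is None and re.fullmatch(r"-+", line):
            body = []                             # header part ends, raw request begins
        elif body is None:
            head.append(line)
        else:
            body.append(line)
    if head is not None:
        yield _build_record(head, body or [])


def sgrep(text: str, needle: str) -> List[dict]:
    """The behaviour described for sgrep.pl: every whole record whose text contains
    the search string (plain substring match, so "passwd.txt" also hits htpasswd.txt,
    as in the quoted run)."""
    return [rec for rec in iter_records(text.splitlines(keepends=True))
            if needle in rec["raw"]]


if __name__ == "__main__":
    for rec in sgrep(SAMPLE_AUDIT_LOG, "passwd.txt"):
        print("=" * 40)
        print(rec["raw"])
```

Run as a script it prints the two matching records from the constructed sample; for a real file, pass `open("audit_log").read()` to sgrep, or stream `open("audit_log")` straight into iter_records to avoid holding a large log in memory.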