Re: [mod-security-users] Re: Log-parser
From: Ryan B. <rcb...@gm...> - 2005-05-23 20:49:28
Evert,

Thanks for posting that code! Hey, I have one question/comment for you with regards to the "details" page of your script. Let's take this log entry as an example - http://evert.dyndns.org/modsec/index.php?detail=86. Would it be possible to have the script "only" dump the environmental tokens that were present rather than having a bunch of tokens null/empty?

The reason that I ask this question is not for aesthetic purposes but a more practical reason. I am assuming that you have hard coded sections to search for these specific tokens and then report them in the output file. The problem with this approach is what will your script do if the client submits non-standard client headers? Will this be reported?

I ran into a similar problem with my use of CGI error scripts with Apache. Initially I was hard coding in specific tokens of interest. I found, however, that I was missing a few headers. I found that it was better to utilize the printenv concept and just dump what was there. This will catch rogue client headers. Doing a quick search of my audit_log file on my web servers shows a bunch of different client headers -

Weferer:
Wser-Agent:
X-Authenticated-User:
X-AvantGo-ChannelId:
X-AvantGo-ClientLanguage:
X-AvantGo-ColorDepth:
X-AvantGo-DeviceId:
X-AvantGo-DeviceOS:
X-AvantGo-DeviceOSVersion:
X-AvantGo-DeviceProcessor:
X-AvantGo-PlatformData:
X-AvantGo-ScreenSize:
X-AvantGo-UserId:
X-AvantGo-Version:
X-Base:
X-BlueCoat-Via:
X-EGZ:
X-FORWARDED-FOR:
X-Forwarded-For:
X-ICAP-Version:
X-IMForwards:
X-Moz:
X-NovINet:
X-Novinet:
X-User-Ip:
X-Vermeer-Content-Type:

Thoughts?

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GCUX, GSEC

On 5/23/05, Evert <ev...@di...> wrote:
> For all who were interested: I made my last release available on the web:
> http://www.digipix.org/~evert/modseclogwatch-v0.0.3.tar.gz
>
> The time-problem I spoke of in my previous post is solved now. A simple
> readme for installation is included.
>
> For any comments and ideas or changes in my code please send me a
> note :)
>
> Kind regards,
> Evert
>
> btw: sorry for some of the Dutch comments in my code. Will try to
> rewrite them if I have the time.
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
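The printenv-style dump Ryan argues for, as an added example that is not part of this thread and not code from Evert's modseclogwatch script: it parses one ModSecurity 1.x style audit_log entry and shows, side by side, what a hard-coded token list reports and what a "dump whatever is present" approach reports. The audit_log layout (a line of `=` separating entries, `Request:`/`Handler:` lines, a line of `-`, then the raw request with its headers) is assumed here; the sample entry is constructed, and the misspelt `Weferer:` and `Wser-Agent:` headers are taken from the list in Ryan's mail to show the kind of header a fixed list silently drops. The `unknown_headers` check is the part a reviewer of the log wants: headers that were present but are not on the known list are exactly the "rogue client headers" worth surfacing rather than hiding.

```python
import re
from collections import OrderedDict

# Constructed sample in the ModSecurity 1.x audit_log layout (assumed format,
# not an entry taken from the thread).  Two deliberately misspelt client
# headers mirror entries from Ryan's header list.
SAMPLE_AUDIT_LOG = """========================================
Request: 192.0.2.10 - - [23/May/2005:14:02:11 +0200] "GET /index.php?id=1 HTTP/1.1" 403 0
Handler: (null)
----------------------------------------
GET /index.php?id=1 HTTP/1.1
Host: www.example.com
Wser-Agent: Mozilla/4.0 (compatible)
Weferer: http://www.example.com/
X-Forwarded-For: 198.51.100.7
mod_security-message: Access denied with code 403. Pattern match "<rule pattern>" at THE_REQUEST
mod_security-action: 403

HTTP/1.1 403 Forbidden
Content-Length: 0
Connection: close
Content-Type: text/html; charset=iso-8859-1

========================================
"""

# The fixed set of tokens a hard-coded "details" page would typically search for.
HARDCODED_TOKENS = ("Host", "User-Agent", "Referer", "Cookie", "X-Forwarded-For")


def split_entries(text):
    """Split an audit_log into entries on the separator line of '=' characters."""
    parts = re.split(r"^={10,}[ \t]*$", text, flags=re.M)
    return [p.strip("\n") for p in parts if p.strip()]


def parse_entry(entry):
    """Return (meta, request_headers) for one audit_log entry.

    meta holds the 'Request:' and 'Handler:' lines plus the request line;
    request_headers holds every header the client sent, in order, up to the
    blank line that ends the request head.
    """
    pieces = re.split(r"^-{10,}[ \t]*$", entry, maxsplit=1, flags=re.M)
    if len(pieces) != 2:
        raise ValueError("entry lacks the '-' separator between summary and request")
    head, body = pieces
    meta = {}
    for line in head.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            meta[key] = value
    lines = body.lstrip("\n").split("\n")
    meta["request_line"] = lines[0]
    headers = OrderedDict()
    for line in lines[1:]:
        if not line.strip():          # blank line: end of request headers
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return meta, headers


def dump_hardcoded(headers):
    """Hard-coded style: every known token is reported, mostly empty,
    and anything not on the list is lost."""
    return {tok: headers.get(tok, "") for tok in HARDCODED_TOKENS}


def dump_present(headers):
    """printenv style: only what the client actually sent (mod_security's own
    annotation headers are left out of the client view)."""
    return OrderedDict((k, v) for k, v in headers.items()
                       if not k.startswith("mod_security-"))


def unknown_headers(headers, known=HARDCODED_TOKENS):
    """Client headers present in the request but absent from the known list.
    These are the ones a fixed-token report would never show."""
    known_lower = {k.lower() for k in known}
    return [k for k in headers
            if k.lower() not in known_lower and not k.startswith("mod_security-")]


if __name__ == "__main__":
    for entry in split_entries(SAMPLE_AUDIT_LOG):
        meta, hdrs = parse_entry(entry)
        print("Request line:", meta["request_line"])
        print("Hard-coded report:", dump_hardcoded(hdrs))
        print("Present headers: ", dict(dump_present(hdrs)))
        print("Not on known list:", unknown_headers(hdrs))
```

Run on the sample, the hard-coded report shows empty `User-Agent` and `Referer` slots while `Wser-Agent` and `Weferer` vanish entirely; the present-headers dump keeps them, and `unknown_headers` lists exactly those two as the headers deserving a closer look.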