Thread: [mod-security-users] Log-parser
From: Evert <ev...@di...> - 2005-05-10 08:39:03
Since there were no audit_log parsers around I wrote one myself. Is somebody interested in the code? Then I can put it online somewhere.

The output is like this: http://evert.dyndns.org/modsec/

Kind regards,
Evert Daman
From: Alberto G. I. <ag...@in...> - 2005-05-20 09:11:02
On Tue, May 10, 2005 at 08:04:41AM +0000, Evert wrote:
> Since there were no audit_log parsers around I wrote one myself. Is somebody
> interested in the code? Then I can put it online somewhere.
>
> The output is like this: http://evert.dyndns.org/modsec/
>
> Kind regards,
> Evert Daman

Authorization Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

:)

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org) | in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
From: Tom A. <tan...@oa...> - 2005-05-20 15:16:58
From: "Evert" <ev...@di...>
> Since there were no audit_log parsers around I wrote one myself

There were two audit_log parsers posted to this list just last month.

http://orderamidchaos.com/modsec/modsec_auditlog_parser
http://prwdot.org/code/modsecauditlogparse.txt

Tom
From: Evert <eve...@ho...> - 2005-05-22 12:32:13
Yes, but both weren't web-based.... Fixed the login problem :)

"Tom Anderson" <tan...@oa...> wrote in message news:036b01c55d4e$8dec6800$6ecfcfcf@Betson110...
> From: "Evert" <ev...@di...>
> > Since there were no audit_log parsers around I wrote one myself
>
> There were two audit_log parsers posted to this list just last month.
>
> http://orderamidchaos.com/modsec/modsec_auditlog_parser
> http://prwdot.org/code/modsecauditlogparse.txt
>
> Tom
From: Ryan B. <rcb...@gm...> - 2005-05-22 17:48:26
Evert,

That is a cool looking interface. Reminds me of the SnortSnarf output. I would be interested in the code if you could make it available.

FYI - I am writing a book on Apache security/intrusion detection. I am currently writing a chapter on log monitoring/analysis. I would like to include this code if you don't mind. I would of course give you proper credit :)

Additionally, I have a PERL script I call sgrep.pl that will parse through the audit_log and extract out an entire record that has the search text in it. Here is some example output -

# ./sgrep.pl -f audit_log -s "passwd.txt" |less
========================================
Request: 62.103.182.12 - - [Fri Mar 12 03:55:49 2004] "HEAD http://www.abrianna.com/ccbill/password/htpasswd.txt HTTP/1.0" 404 0
Handler: proxy-server
----------------------------------------
HEAD http://www.abrianna.com/ccbill/password/htpasswd.txt HTTP/1.0
Cache-Control: no-cache
Connection: close
Host: www.abrianna.com
Pragma: no-cache
Proxy-Connection: keep-alive
Referer: http://www.abrianna.com/ccbill/password/htpasswd.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

HTTP/1.0 404 Not Found
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from www.testproxy.net
Connection: close
========================================
Request: 217.160.165.173 - - [Fri Mar 12 22:41:17 2004] "GET /wwwboard/passwd.txt HTTP/1.1" 200 578
Handler: (null)
--CUT--

Let me know if anyone is interested in the sgrep.pl script and I will post it to the list.

Thanks,
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GCUX, GSEC

On 5/10/05, Evert <ev...@di...> wrote:
> Since there were no audit_log parsers around I wrote one myself. Is somebody
> interested in the code? Then I can put it online somewhere.
>
> The output is like this: http://evert.dyndns.org/modsec/
>
> Kind regards,
> Evert Daman
From: Markus R. <we...@mr...> - 2005-05-23 08:24:42
Really nice looking. I also would be interested ;-)

Thanks
Markus

Ryan Barnett wrote:
> Evert,
> That is a cool looking interface. Reminds me of the SnortSnarf
> output. I would be interested in the code if you could make it
> available.
>
> Let me know if anyone is interested in the sgrep.pl script and I will
> post it to the list.
>
> Thanks,
>
>> On 5/10/05, Evert <ev...@di...> wrote:
>> Since there were no audit_log parsers around I wrote one myself. Is somebody
>> interested in the code? Then I can put it online somewhere.
>>
>> The output is like this: http://evert.dyndns.org/modsec/
>>
>> Kind regards,
>> Evert Daman
From: Evert <eve...@ho...> - 2005-05-23 06:38:42
Sure. But there's one little bug in it (this morning I noticed that 20:00 is put in the database as 2:00, don't know why yet...). When that one is out I'll post my code here.

Kind regards,
Evert

"Ryan Barnett" <rcb...@gm...> wrote in message news:cba...@ma......
> Evert,
>
> That is a cool looking interface. Reminds me of the SnortSnarf output. I would be interested in the code if you could make it available.
>
> FYI - I am writing a book on Apache security/intrusion detection. I am currently writing a chapter on log monitoring/analysis. I would like to include this code if you don't mind. I would of course give you proper credit :)
>
> Additionally, I have a PERL script I call sgrep.pl that will parse through the audit_log and extract out an entire record that has the search text in it. Here is some example output -
>
> # ./sgrep.pl -f audit_log -s "passwd.txt" |less
> ========================================
> Request: 62.103.182.12 - - [Fri Mar 12 03:55:49 2004] "HEAD http://www.abrianna.com/ccbill/password/htpasswd.txt HTTP/1.0" 404 0
> Handler: proxy-server
> ----------------------------------------
> HEAD http://www.abrianna.com/ccbill/password/htpasswd.txt HTTP/1.0
> Cache-Control: no-cache
> Connection: close
> Host: www.abrianna.com
> Pragma: no-cache
> Proxy-Connection: keep-alive
> Referer: http://www.abrianna.com/ccbill/password/htpasswd.txt
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
>
> HTTP/1.0 404 Not Found
> Content-Type: text/html; charset=iso-8859-1
> X-Cache: MISS from www.testproxy.net
> Connection: close
> ========================================
> Request: 217.160.165.173 - - [Fri Mar 12 22:41:17 2004] "GET /wwwboard/passwd.txt HTTP/1.1" 200 578
> Handler: (null)
> --CUT--
>
> Let me know if anyone is interested in the sgrep.pl script and I will post it to the list.
>
> Thanks,
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GCUX, GSEC
>
> On 5/10/05, Evert <ev...@di...> wrote:
> > Since there were no audit_log parsers around I wrote one myself. Is somebody
> > interested in the code? Then I can put it online somewhere.
> >
> > The output is like this: http://evert.dyndns.org/modsec/
> >
> > Kind regards,
> > Evert Daman
From: Evert <ev...@di...> - 2005-05-23 19:40:49
For all who were interested: I made my last release available on the web: http://www.digipix.org/~evert/modseclogwatch-v0.0.3.tar.gz

The time problem I spoke of in my previous post is solved now. A simple readme for installation is included.

For any comments and ideas or changes in my code please send me a note :)

Kind regards,
Evert

BTW: sorry for some of the Dutch comments in my code. Will try to rewrite them if I have the time.
From: Ryan B. <rcb...@gm...> - 2005-05-23 20:49:28
Evert,

Thanks for posting that code! Hey, I have one question/comment for you with regards to the "details" page of your script. Let's take this log entry as an example - http://evert.dyndns.org/modsec/index.php?detail=86. Would it be possible to have the script "only" dump the environmental tokens that were present rather than having a bunch of tokens null/empty?

The reason that I ask this question is not for aesthetic purposes but a more practical reason. I am assuming that you have hard coded sections to search for these specific tokens and then report them in the output file. The problem with this approach is what will your script do if the client submits non-standard client headers? Will this be reported?

I ran into a similar problem with my use of CGI error scripts with Apache. Initially I was hard coding in specific tokens of interest. I found, however, that I was missing a few headers. I found that it was better to utilize the printenv concept and just dump what was there. This will catch rogue client headers. Doing a quick search of my audit_log file on my web servers shows a bunch of different client headers -

Weferer:
Wser-Agent:
X-Authenticated-User:
X-AvantGo-ChannelId:
X-AvantGo-ClientLanguage:
X-AvantGo-ColorDepth:
X-AvantGo-DeviceId:
X-AvantGo-DeviceOS:
X-AvantGo-DeviceOSVersion:
X-AvantGo-DeviceProcessor:
X-AvantGo-PlatformData:
X-AvantGo-ScreenSize:
X-AvantGo-UserId:
X-AvantGo-Version:
X-Base:
X-BlueCoat-Via:
X-EGZ:
X-FORWARDED-FOR:
X-Forwarded-For:
X-ICAP-Version:
X-IMForwards:
X-Moz:
X-NovINet:
X-Novinet:
X-User-Ip:
X-Vermeer-Content-Type:

Thoughts?

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GCUX, GSEC

On 5/23/05, Evert <ev...@di...> wrote:
> For all who were interested: I made my last release available on the web:
> http://www.digipix.org/~evert/modseclogwatch-v0.0.3.tar.gz
>
> The time problem I spoke of in my previous post is solved now. A simple
> readme for installation is included.
>
> For any comments and ideas or changes in my code please send me a
> note :)
>
> Kind regards,
> Evert
>
> BTW: sorry for some of the Dutch comments in my code. Will try to
> rewrite them if I have the time.
From: Evert <ev...@di...> - 2005-05-23 21:18:09
> The problem with this approach is
> what will your script do if the client submits non-standard client
> headers? Will this be reported?

Nope. But I hadn't seen any other tokens than the tokens I search for in my parser script, so I didn't know that others were available. What I can do is make an extra field in the database with 'other tokens' than the tokens I search for... or redesign the parser to include only the tokens that are available for a specific 'attack'. Hmm. Let me think about this. Maybe you can help me a bit by sending some entries of your audit_log with those extra headers.

Kind regards,
Evert
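Two ideas from this thread in one added Python example (not code from the thread, from sgrep.pl or from modseclogwatch): Ryan's sgrep.pl approach of pulling out the whole audit_log record that matches a search string, and his point that the parser should collect every request header actually present instead of a hard-coded token list. The record layout follows the sgrep.pl output quoted above; the sample log is constructed, and KNOWN_HEADERS is an assumed stand-in for a fixed token list.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample in the record layout quoted in this thread (not a real log).
SAMPLE_AUDIT_LOG = """\
========================================
Request: 192.0.2.10 - - [Fri Mar 12 20:05:49 2004] "GET /index.html HTTP/1.1" 200 1024
----------------------------------------
GET /index.html HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
========================================
Request: 198.51.100.7 - - [Fri Mar 12 22:41:17 2004] "GET /cgi-bin/test.cgi HTTP/1.1" 403 289
----------------------------------------
GET /cgi-bin/test.cgi HTTP/1.1
Host: www.example.com
Weferer: http://www.example.com/
X-Forwarded-For: 203.0.113.5

HTTP/1.1 403 Forbidden
"""
REQUEST_RE = re.compile(r'^Request: (\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')
# Assumed stand-in for the fixed token list a hard-coded parser searches for.
KNOWN_HEADERS = {"Host", "User-Agent", "Referer", "Accept", "Connection",
                 "Cache-Control", "Pragma", "Proxy-Connection"}

def parse_record(raw):
    meta, _, body = raw.partition("-" * 40)  # metadata before the '-' rule, request after it
    rec = {"headers": {}}
    for line in meta.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            rec["ip"], rec["request"], rec["status"] = m.group(1), m.group(3), int(m.group(4))
            rec["time"] = datetime.strptime(m.group(2), "%a %b %d %H:%M:%S %Y")  # %H: 24-hour, 20:05 stays 20:05
    for line in body.strip("\n").splitlines()[1:]:  # [0] is the request line itself
        if not line.strip():                         # blank line ends the request headers
            break
        name, sep, value = line.partition(":")
        if sep:                                      # keep every header, known or not
            rec["headers"][name.strip()] = value.strip()
    return rec

def sgrep(text, needle):
    # Like sgrep.pl: whole records whose text contains needle, case-insensitively.
    return [parse_record(c) for c in text.split("=" * 40) if c.strip() and needle.lower() in c.lower()]

def unknown_headers(text):
    # Inventory of request header names a fixed token list would have missed.
    return Counter(h for r in sgrep(text, "") for h in r["headers"] if h not in KNOWN_HEADERS)
```

Run against a real audit_log, unknown_headers gives the kind of list Ryan posted (Weferer, X-Forwarded-For and the like) without deciding up front which names to look for.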