Scalp: apache log based attack analyzer
By Romain Friday, July 18 2008 - 16:11 UTC - Tools - Permalink
I started a project some time ago to parse Apache log files and detect attacks in them. The attack recognition is based on the PHP-IDS filters (a set of regular expressions, each tagged with the attack class it detects) applied to every request recorded in the log.
The first release is written in Python (http://code.google.com/p/apache-scalp/downloads/list), but I have started (and almost finished) a faster multi-threaded C++ version in order to handle bigger log files.
The main project page is here: http://code.google.com/p/apache-scalp
Scalp the apache log! - http://code.google.com/p/apache-scalp

usage:  ./scalp.py [--log|-l log_file] [--filters|-f filter_file]
                   [--period time-frame] [OPTIONS] [--attack a1,a2,..,an]
  --log       |-l:  the apache log file './access_log' by default
  --filters   |-f:  the filter file './default_filter.xml' by default
  --exhaustive|-e:  will report all type of attacks detected and not stop
                    at the first found
  --period    |-p:  the period must be specified in the same format as in
                    the Apache logs using * as wild-card
                    ex: 04/Apr/2008:15:45;*/Mai/2008
                    if not specified at the end, the max or min are taken
  --html      |-h:  generate an HTML output
  --xml       |-x:  generate an XML output
  --text      |-t:  generate a simple text output (default)
  --except    |-c:  generate a file that contains the non examined logs due
                    to the main regular expression; ill-formed Apache log etc.
  --attack    |-a:  specify the list of attacks to look for
                    list: xss, sqli, csrf, dos, dt, spam, id, ref, lfi
                    the list of attacks should not contains spaces and be comma
                    separated
                    ex: xss,sqli,lfi,ref
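To make the pipeline behind the usage text concrete, here is an added Python 3 example (my own illustration, not scalp's code and not its real default_filter.xml): it loads three constructed rules written in the PHP-IDS filter layout (id / rule / description / tags / impact), parses constructed Apache log lines with a combined-format regex, URL-decodes the request before matching, and honours the ideas behind --attack, --exhaustive, --period and --except. Scanning the Referer field as well is this example's choice, not a documented scalp behaviour; the rule regexes are deliberately simplified.

```python
import re
from datetime import datetime
from urllib.parse import unquote
from xml.etree import ElementTree as ET

# Constructed mini filter file in the PHP-IDS layout. The three rules are simple
# illustrations written for this example, not scalp's real default_filter.xml.
FILTER_XML = r"""<filters>
  <filter><id>1</id>
    <rule><![CDATA[(?:<script[^>]*>|javascript:|on(?:error|load)\s*=)]]></rule>
    <description>script tag, javascript: URL or inline event handler</description>
    <tags><tag>xss</tag></tags><impact>4</impact>
  </filter>
  <filter><id>2</id>
    <rule><![CDATA[(?:'\s*(?:or|and)\s+[\w']+\s*=|union\s+(?:all\s+)?select\b)]]></rule>
    <description>boolean or UNION based SQL injection</description>
    <tags><tag>sqli</tag></tags><impact>5</impact>
  </filter>
  <filter><id>3</id>
    <rule><![CDATA[(?:\.\./){2,}|/etc/passwd\b]]></rule>
    <description>directory traversal / local file inclusion</description>
    <tags><tag>dt</tag><tag>lfi</tag></tags><impact>3</impact>
  </filter>
</filters>"""

# Apache "combined" format; the referer/user-agent pair is optional so "common" lines parse too.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed log lines: one benign request, three attacks, one ill-formed line.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jul/2008:16:11:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [18/Jul/2008:16:12:44 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [18/Jul/2008:16:13:01 +0000] "GET /item.php?id=1%27%20or%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "sqlmap/0.6"',
    '10.0.0.12 - - [18/Jul/2008:16:14:17 +0000] "GET /view.php?file=../../../../etc/passwd HTTP/1.0" 404 209',
    'garbage line that is not an apache log entry',
]

def load_filters(xml_text):
    """Compile PHP-IDS style <filter> entries into dicts of id, regex, tags and impact."""
    rules = []
    for f in ET.fromstring(xml_text).iter("filter"):
        rules.append({
            "id": int(f.findtext("id")),
            "re": re.compile(f.findtext("rule"), re.IGNORECASE),
            "tags": [t.text for t in f.find("tags").iter("tag")],
            "impact": int(f.findtext("impact")),
        })
    return rules

def parse_line(line):
    """Named groups of an Apache log line, or None if the line does not fit the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def parse_time(stamp):
    # Apache timestamp '18/Jul/2008:16:11:02 +0000' -> timezone-aware datetime
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")

def decode(s):
    # Payloads arrive URL-encoded; decode twice so double-encoded bytes (%253C) are seen too.
    return unquote(unquote(s))

def scan(lines, rules, attacks=None, exhaustive=False, since=None, until=None):
    """Return (hits, rejected): rule matches per line, and lines the log regex could not parse."""
    hits, rejected = [], []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            rejected.append(line)          # what --except would write out
            continue
        when = parse_time(entry["time"])
        if (since and when < since) or (until and when > until):
            continue                       # outside the --period window
        # Checking the Referer too is this example's choice, not a documented scalp behaviour.
        fields = {"url": decode(entry["url"]), "referer": decode(entry["referer"] or "")}
        matched = []
        for rule in rules:
            if attacks and not set(rule["tags"]) & set(attacks):
                continue                   # --attack restricts which tags we look for
            for field, text in fields.items():
                if rule["re"].search(text):
                    matched.append({"host": entry["host"], "time": entry["time"], "field": field,
                                    "filter": rule["id"], "tags": rule["tags"],
                                    "impact": rule["impact"], "value": text})
                    break                  # one hit per rule per line is enough
            if matched and not exhaustive:
                break                      # default: stop at the first matching filter
        hits.extend(matched)
    return hits, rejected

if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG, load_filters(FILTER_XML), exhaustive=True)
    for h in found:
        print("%(host)s %(time)s filter=%(filter)s tags=%(tags)s impact=%(impact)s %(field)s=%(value)s" % h)
    print("%d line(s) not parsed" % len(bad))
```

Two caveats worth keeping in mind when using this kind of detector on real logs: the access log only records the request line, so injection carried in POST bodies or cookies never reaches it, and the decode step matters because an encoded payload such as %3Cscript%3E would otherwise slip past a rule written for the literal tag. The real PHP-IDS rules are far more elaborate than the three here and still fire on some legitimate query strings, which is why the impact score and the --exhaustive option are useful for triage.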
Comments
I have problems running the script... with python 2.4.3 I get this error:
  File "scalp.py", line 202
    with open(access) as log_file:
            ^
SyntaxError: invalid syntax
What's wrong?
I believe the with statement was introduced via __future__ in the 2.5.x versions of Python...
But it's very easy to bypass the "with" with something like this:
# Python 2 replacement for the "with open(access) as log_file:" block
stream = None
log_file = None
try:
    stream = open(access, 'r')
    log_file = stream.readlines()
except IOError:
    print "Cannot open the file", access
if stream is not None:
    stream.close()
Hi,
I would really appreciate getting this tool running, but on RHEL 4/5 the Python versions are 2.3/2.4.
On code.google.com you mentioned that you would possibly release a version for those older Python versions.
Are you still willing to do this? That would be very nice :)
Kind regards
Tim
Is there any info on what the attack type abbreviations mean? I guess:
xss => cross site scripting
sqli => sql injection
csrf => cross site request forgery
dos => denial of service
spam => spam ;)
lfi => local file inclusion.
But what about id and ref?