Tuesday, September 16 2008

Scalp 0.4: apache log based attack analyzer, updated

Some time ago, I released a first version of a tool named Scalp. The tool analyzes Apache HTTPD access logs to check whether they contain traces of attacks. The attack detection is based on the rules provided by the PHP-IDS project.

Today, I took some time to finalize the Python version of Scalp a bit more. Version 0.4 can now be downloaded from the project web page.

This version includes a couple of new features:

  • Output in HTML, XML or plain text format
  • Specifying the output directory
  • Scanning a random sample of the log file instead of the whole file
  • Trying to decode the potential attack vectors (URL-encoded payloads)
  • Returning the lines that couldn't be examined (ill-formed log entries)

Together with the options that already existed in the previous versions,

  • Select a time frame
  • Select classes of potential attacks

the tool is approaching a final version.

I won't add more to it since I want to keep it simple and quite fast (I may add optimizations if I find some). Also, the C++ version is on its way and mostly done, with the same set of options; the code can be checked out from the Google Code repository, but I still have to work on option handling and time-frame specification.

Scalp 0.4:

Friday, July 18 2008

Scalp: apache log based attack analyzer

I started a project some time ago to parse Apache log files and detect attacks in them. The attack recognition is based on the PHP-IDS filters.

The first release is written in Python (http://code.google.com/p/apache-scalp/downloads/list), but I have started (well, almost finished) a faster multi-threaded C++ version in order to handle bigger log files.

The main project page is reachable here: http://code.google.com/p/apache-scalp

Scalp the apache log! - http://code.google.com/p/apache-scalp
usage:  ./scalp.py [--log|-l log_file] [--filters|-f filter_file]
                   [--period time-frame] [OPTIONS] [--attack a1,a2,..,an]
   --log       |-l:  the apache log file './access_log' by default
   --filters   |-f:  the filter file     './default_filter.xml' by default
   --exhaustive|-e:  will report all types of attacks detected and not stop
                     at the first one found
   --period    |-p:  the period must be specified in the same format as in
                     the Apache logs using * as wild-card
                     ex: 04/Apr/2008:15:45;*/May/2008
                     if not specified at the end, the max or min are taken
   --html      |-h:  generate an HTML output
   --xml       |-x:  generate an XML output
   --text      |-t:  generate a simple text output (default)
   --except    |-c:  generate a file that contains the non examined logs due 
                     to the main regular expression; ill-formed Apache log etc.
   --attack    |-a:  specify the list of attacks to look for
                     list: xss, sqli, csrf, dos, dt, spam, id, ref, lfi
                     the list of attacks should not contain spaces and must be
                     comma separated
                     ex: xss,sqli,lfi,ref
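
As an added illustration of the pipeline the options above describe (example code written for this page, not Scalp's own source), here is a compact Python scanner covering both the 0.4 feature list and this usage text: match each line against a main regular expression for the Apache combined format and set aside the lines that do not match (what --except writes out), keep only entries inside a lower;upper period in which '*' or a missing field takes the minimum for the lower bound and the maximum for the upper bound, URL-decode the request until it stops changing, and run a per-class rule set that stops at the first class hit unless the exhaustive flag is set. The three regexes are deliberately simplified stand-ins for PHP-IDS filters (an assumption; the real default_filter.xml rules are far more elaborate), and the log lines are constructed for the example, not real traffic.

```python
import calendar
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
# The last line is deliberately malformed to exercise the "non examined" path.
SAMPLE_LOG = """\
10.0.0.1 - - [04/Apr/2008:15:45:12 +0200] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.2 - - [04/Apr/2008:15:46:01 +0200] "GET /index.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.3 - - [05/Apr/2008:09:10:33 +0200] "GET /item.php?id=1%27%20UNION%20SELECT%20password%20FROM%20users-- HTTP/1.1" 500 88 "-" "curl/7.18"
10.0.0.4 - - [12/May/2008:22:00:00 +0200] "GET /view.php?file=../../../../etc/passwd HTTP/1.1" 403 42 "-" "Mozilla/5.0"
this line is not an apache log entry
"""

# Main regex for the combined format; lines it rejects are returned separately.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Simplified stand-ins for PHP-IDS filters, keyed by attack class (assumption:
# real PHP-IDS rules are much richer; these only demonstrate the mechanism).
FILTERS = {
    "xss":  re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
    "sqli": re.compile(r"union\s+(all\s+)?select|'\s*or\s+\d+\s*=\s*\d+|--\s*$|/\*.*\*/", re.I),
    "lfi":  re.compile(r"(\.\./){2,}|/etc/passwd|php://", re.I),
}

MONTHS = {m: i for i, m in enumerate(calendar.month_abbr) if m}  # "Jan" -> 1


def parse_bound(spec, upper):
    """Turn a (possibly partial, '*'-wildcarded) dd/Mon/yyyy:hh:mm:ss spec into a
    datetime. Missing or wildcarded fields take the maximum for an upper bound
    and the minimum for a lower bound. A full Apache timestamp also parses here."""
    date_part, _, time_part = spec.partition(":")
    fields = date_part.split("/") + (time_part.split(":") if time_part else [])
    fields += ["*"] * (6 - len(fields))
    day, mon, year, hour, minute, sec = fields
    year = int(year) if year != "*" else (9999 if upper else 1)
    month = MONTHS[mon] if mon != "*" else (12 if upper else 1)
    day = int(day) if day != "*" else (calendar.monthrange(year, month)[1] if upper else 1)
    hour = int(hour) if hour != "*" else (23 if upper else 0)
    minute = int(minute) if minute != "*" else (59 if upper else 0)
    sec = int(sec) if sec != "*" else (59 if upper else 0)
    return datetime(year, month, day, hour, minute, sec)


def decode(s, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are exposed."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s


def scan(log_text, attacks=("xss", "sqli", "lfi"), period=None, exhaustive=False):
    """Return (hits, rejected): hits are dicts describing matched requests,
    rejected are raw lines the main regex could not parse."""
    start = end = None
    if period:
        lo, _, hi = period.partition(";")
        start = parse_bound(lo, upper=False) if lo else None
        end = parse_bound(hi, upper=True) if hi else None
    hits, rejected = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        when = parse_bound(m.group("time").split()[0], upper=False)  # drop the timezone
        if (start and when < start) or (end and when > end):
            continue
        decoded = decode(m.group("url"))
        found = []
        for name in attacks:
            if FILTERS[name].search(decoded):
                found.append(name)
                if not exhaustive:
                    break  # like Scalp without -e: stop at the first class hit
        if found:
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "url": decoded, "attacks": found})
    return hits, rejected


if __name__ == "__main__":
    hits, rejected = scan(SAMPLE_LOG, period="04/Apr/2008:15:45;*/May/2008", exhaustive=True)
    for h in hits:
        print(f"{h['time']} {h['ip']} {','.join(h['attacks'])} {h['url']}")
    print(f"{len(rejected)} line(s) could not be examined")
```

Running the block with the period from the help text reports the XSS, SQL injection and path traversal requests and one unexamined line. Note that the period bound is compared after parsing rather than by string matching, which is what makes the wildcard and "max or min" semantics of the help text well defined.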