Skip to content

Set of CLI tools to transform ModSecurity logs into a meaningful information, given a context.

License

Notifications You must be signed in to change notification settings

SpiderLabs/ModSecurity-log-utilities

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ModSecurity log parser

Transforms the ModSecurity error logs (web server portion) into a meaningful information given a context.

This solution was initially made to verify the correctness of the ModSecurity version 3 when compared to ModSecurity version 2. But it also has great value for ModSecurity users in general, that wants to categorize and have a pretty print view of their logs.

How to Install

This set of scripts does not demands installation, proced with the code download followed by the execution. You should be able to run out-of-the-box.

Python will let you know if there is a missing dependency.

How to use it

This is a set of scripts that can be used to parse and compare ModSecurity logs. The scripts are listed below.

modsec-log-parser.py

This script reads the webserver error log and summarize the ModSecurity messages in the output. Here is an example of the output:

$ ./modsec-log-parser.py --summary="uri,id,msg" /var/log/apache2/error.log
/mpcgi/book.cgi 980130 Inbound Anomaly Score Exceeded (Total Inbound Score: 20 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=10,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Unix Shell Code Found
/mpcgi/book.cgi 913100 Found User-Agent associated with security scanner
/mpcgi/book.cgi 932160 Remote Command Execution: Unix Shell Code Found
/mpcgi/book.cgi 930120 OS File Access Attempt
/mpcgi/book.cgi 949110 Inbound Anomaly Score Exceeded (Total Score: 20)
/mpcgi/book.cgi 932100 Remote Command Execution: Unix Command Injection

modsec-log-compare.py

You can use this scripts to compare the output of two files generated by the modsec-log-parser.py.

$ ./modsec-log-compare.py nginx.txt apache.txt

*** diff at: /search.asp

In: nginx.txt
 - 913100 Found User-Agent associated with security scanner
 - 920270 Invalid character in request (null character)
 - 949110 Inbound Anomaly Score Exceeded (Total Score: 13)
 - 949110 Inbound Anomaly Score Exceeded (Total Score: 5)
 - 980130 Inbound Anomaly Score Exceeded (Total Inbound Score: 13 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Invalid character in request (null character)
 - 980130 Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Found User-Agent associated with security scanner
 
In: apache.txt
 - 913100 Found User-Agent associated with security scanner
 - 920270 Invalid character in request (null character)
 - 941100 XSS Attack Detected via libinjection
 - 941110 XSS Filter - Category 1: Script Tag Vector
 - 941160 NoScript XSS InjectionChecker: HTML Injection
 - 949110 Inbound Anomaly Score Exceeded (Total Score: 28)
 - 949110 Inbound Anomaly Score Exceeded (Total Score: 5)
 - 980130 Inbound Anomaly Score Exceeded (Total Inbound Score: 28 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection
 - 980130 Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Found User-Agent associated with security scanner

Notice: The first entry will be used as a comparison key.

Alternatives and similar

About

Set of CLI tools to transform ModSecurity logs into a meaningful information, given a context.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages