[Logwatch-Devel] Fwd: logwatch ^ mod_security

Kirk Bauer kirk at kaybee.org
Wed Jun 13 22:00:19 MST 2007


Another one from Brian guys...

---------- Forwarded message ----------
From: Brian Kroth <bpkroth at wisc.edu>
Date: Jun 13, 2007 2:45 PM
Subject: logwatch ^ mod_security
To: logwatch-devel at logwatch.org, logwatch-suggestions at logwatch.org

Here's another script for you if you'd like to include it (I sent one
previously for windows events).  This one takes Apache's "ErrorLog
syslog:facility" data and generates reports on items matching
mod_security rules.  The script could probably be modified easily enough
to work with normal ErrorLog'ing as well, but this way I can do site
wide reporting from a syslog server.

Cheers,
Brian

#!/usr/bin/perl
# mod_security
# 2007-06-13
# Brian Kroth
#
# This file parses through log entries to find those related to mod_security
# warnings.  It then groups them by attacker, message, and target.

use lib "/usr/share/logwatch/lib";
use Logwatch ':all';

my $detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

my ($host, $attacker, $details, $ruleid, $msg, $target);
# Three views of the same counts, each a three-level hash of
# {first}{second}{third} => number of matching log lines.
my (%byAttacker, %byRule, %byTarget);

LINE: while (defined($line = <STDIN>)) {
        # Expect a syslog-relayed Apache error line of the form
        #   Mon DD HH:MM:SS host apache2[pid]: [error] [client IP] ModSecurity: ...
        # $2 = logging host, $3 = client address, $4 = everything after "ModSecurity".
        # The "apache2[" tag is Debian's naming; adjust it for other distributions.
        if ($line =~ /^(\S+\s+){3}(\S+)\s+apache2\[[0-9]+\]:\s+\[error\]\s+\[client\s+(\S+)\]\s+ModSecurity(.+)/) {
                # These two are always present
                #$host = $2;
                $attacker = $3;

                $details = $4;
                undef $ruleid;
                undef $msg;
                undef $target;

                # ignore these messages
                next LINE if ($details =~ /Connection reset by peer/ || $details =~ /robot activity/);

                # Set this if they're available
                if ($details =~ /\[id\s+"([0-9]+)"\]/) {
                        $ruleid = $1;
                }
                if ($details =~ /\[msg\s+"([^"]+)"\]/) {
                        $msg = $1;
                        $msg =~ s/^(.+)\s+Matched signature.+$/$1/;
                }
                if ($details =~ /\[hostname\s+"(\S+)"\]/) {
                        $target = $1;
                }

                #print "DEBUG ModSecurity \thost:$host \tattacker:" . LookupIP($attacker)
                #    . " \truleid:$ruleid \tmsg:$msg \ttarget:$target\n";

                # First group by attacker as best we can
                if (defined($msg)) {
                        if (defined($target)) {
                                $byAttacker{$attacker}{$msg}{$target}++;
                        }
                        else {
                                $byAttacker{$attacker}{$msg}{"-"}++;
                        }
                }
                elsif (defined($ruleid)) {
                        if (defined($target)) {
                                $byAttacker{$attacker}{$ruleid}{$target}++;
                        }
                        else {
                                $byAttacker{$attacker}{$ruleid}{"-"}++;
                        }
                }
                elsif (defined($target)) {
                        $byAttacker{$attacker}{"-"}{$target}++;
                }
                else {
                        $byAttacker{$attacker}{"-"}{"-"}++;
                }

                # Next group by rule as best we can.
                if (defined($msg)) {
                        if (defined($target)) {
                                $byRule{$msg}{$target}{$attacker}++;
                        }
                        else {
                                $byRule{$msg}{"-"}{$attacker}++;
                        }
                }
                elsif (defined($ruleid)) {
                        if (defined($target)) {
                                $byRule{$ruleid}{$target}{$attacker}++;
                        }
                        else {
                                $byRule{$ruleid}{"-"}{$attacker}++;
                        }

                }
                else {
                        if (defined($target)) {
                                $byRule{"-"}{$target}{$attacker}++;
                        }
                        else {
                                $byRule{"-"}{"-"}{$attacker}++;
                        }
                }


                # Finally, group by target as best we can.
                if (defined($target)) {
                        if (defined($msg)) {
                                $byTarget{$target}{$msg}{$attacker}++;
                        }
                        elsif (defined($ruleid)) {
                                $byTarget{$target}{$ruleid}{$attacker}++;
                        }
                        else {
                                $byTarget{$target}{"-"}{$attacker}++;
                        }
                }
                else {
                        if (defined($msg)) {
                                $byTarget{"-"}{$msg}{$attacker}++;
                        }
                        elsif (defined($ruleid)) {
                                $byTarget{"-"}{$ruleid}{$attacker}++;
                        }
                        else {
                                $byTarget{"-"}{"-"}{$attacker}++;
                        }
                }
        }
}

if (keys %byAttacker) {
        printLevel3("ModSecurity: Reporting by Attacker, Rule, Target",
\%byAttacker);
}

if (keys %byRule) {
        printLevel3("ModSecurity: Reporting by Rule, Target, Attacker",
\%byRule);
}

if (keys %byTarget) {
        printLevel3("ModSecurity: Reporting by Target, Rule, Attacker",
\%byTarget);
}

# Prints a hash that's three levels deep in a generic hierarchical manner
sub printLevel3 {
        my $msg = $_[0];
        my %data = %{$_[1]};

        print "\n\t---- $msg ----\n\n";
        foreach $first (sort(keys %data)) {
                # Roll the leaf counts up so each level can print a subtotal.
                $first_total = 0;
                foreach $second (keys %{$data{$first}}) {
                        $second_total{$second} = 0;
                        foreach $third (keys %{$data{$first}{$second}}) {
                                $second_total{$second} += $data{$first}{$second}{$third};
                        }
                        $first_total += $second_total{$second};
                }

                # LookupIP() is applied to every key because only one level of
                # each report holds the attacker address; the script relies on
                # it returning non-address keys (rule text, ids, hostnames, "-")
                # unchanged.
                print "\t" . LookupIP($first) . ":  $first_total Time(s)\n";
                foreach $second (sort(keys %{$data{$first}})) {
                        print "\t\t" . LookupIP($second) . ":  $second_total{$second} Time(s)\n";
                        foreach $third (sort(keys %{$data{$first}{$second}})) {
                                print "\t\t\t" . LookupIP($third) . "  $data{$first}{$second}{$third} Time(s)\n";
                        }
                }
                print "\n";
        }
}




-- 
Kirk Bauer <kirk at kaybee.org>
http://linux.kaybee.org | www.autorpm.org | www.logwatch.org
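The parsing and grouping the script does, as an added example in Python rather than Brian's Perl (this is not code from the post or from Logwatch): it matches the same syslog line shape the Perl regex expects, parses every [key "value"] attribute mod_security appends instead of only id/msg/hostname, handles escaped quotes inside values, and counts along the same three axes with the same subtotals. The sample log lines, host names, addresses and rule ids are constructed for the example; that the syslog tag may be something other than "apache2" and that values escape embedded quotes as \" are my assumptions.

```python
import re
from collections import Counter

# Added example: not the Logwatch script from the post. Matches the same
# syslog line shape the Perl regex expects, but the syslog tag (apache2, httpd,
# ...) is matched loosely instead of being hard-wired to "apache2" (assumption).
LINE_RE = re.compile(
    r"^\S+\s+\S+\s+\S+\s+(?P<host>\S+)\s+"       # Mon DD HH:MM:SS logging-host
    r"(?P<tag>[\w.-]+)\[\d+\]:\s+\[error\]\s+"    # apache2[1234]: [error]
    r"\[client\s+(?P<client>[^\]\s]+)\]\s+"      # [client 10.0.0.1]
    r"ModSecurity:?\s*(?P<details>.*)$"
)
# ModSecurity 2.x appends attributes such as [id "950901"] [msg "..."]. Values
# are assumed to escape embedded quotes as \" so the value part allows
# backslash escapes; a repeated key keeps its last value.
ATTR_RE = re.compile(r'\[(\w+)\s+"((?:[^"\\]|\\.)*)"\]')

# Noise the original script skips.
IGNORE = ("Connection reset by peer", "robot activity")


def parse_line(line):
    """Return a dict for one ModSecurity alert, or None for non-matching or
    ignored lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    details = m.group("details")
    if any(s in details for s in IGNORE):
        return None
    attrs = {k: v.replace('\\"', '"') for k, v in ATTR_RE.findall(details)}
    msg = attrs.get("msg")
    if msg is not None:
        # Older rule sets append 'Matched signature <...>' to the message;
        # drop it so hits on the same rule collapse into one key.
        msg = re.sub(r"\s+Matched signature.*$", "", msg)
    return {"client": m.group("client"), "syslog_host": m.group("host"),
            "id": attrs.get("id"), "msg": msg,
            "target": attrs.get("hostname"), "attrs": attrs}


def rule_key(event):
    """Same preference as the Perl script: message text, then rule id, then '-'."""
    return event["msg"] or event["id"] or "-"


def summarise(lines):
    """Count alerts along the three axes the script reports. Each Counter is
    keyed by a (first, second, third) tuple in that report's order."""
    by_attacker, by_rule, by_target = Counter(), Counter(), Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        attacker, rule, target = ev["client"], rule_key(ev), ev["target"] or "-"
        by_attacker[(attacker, rule, target)] += 1
        by_rule[(rule, target, attacker)] += 1
        by_target[(target, rule, attacker)] += 1
    return by_attacker, by_rule, by_target


def render(title, counter):
    """Indented three-level listing with subtotals, like printLevel3()."""
    out = [f"---- {title} ----"]
    for first in sorted({k[0] for k in counter}):
        out.append(f"{first}:  {sum(n for k, n in counter.items() if k[0] == first)} Time(s)")
        for second in sorted({k[1] for k in counter if k[0] == first}):
            sub = sum(n for k, n in counter.items() if k[:2] == (first, second))
            out.append(f"    {second}:  {sub} Time(s)")
            for third in sorted({k[2] for k in counter if k[:2] == (first, second)}):
                out.append(f"        {third}  {counter[(first, second, third)]} Time(s)")
    return "\n".join(out)


# Constructed sample input (hosts, addresses and rule ids are made up for the example).
SAMPLE = r"""Jun 13 14:45:01 www1 apache2[4321]: [error] [client 10.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:select|union)" at ARGS:id. [file "/etc/modsecurity/rules.conf"] [line "12"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.org"] [uri "/index.php"]
Jun 13 14:45:02 www1 apache2[4321]: [error] [client 10.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:select|union)" at ARGS:q. [file "/etc/modsecurity/rules.conf"] [line "12"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.org"] [uri "/search.php"]
Jun 13 14:46:10 www2 apache2[999]: [error] [client 192.0.2.7] ModSecurity: Warning. Pattern match "<script" at ARGS:q. [id "958001"] [msg "Cross-site Scripting (XSS) Attack. Matched signature <script"] [hostname "shop.example.org"] [uri "/"]
Jun 13 14:47:00 www2 apache2[999]: [error] [client 192.0.2.7] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [id "981176"] [hostname "shop.example.org"] [uri "/"]
Jun 13 14:48:00 www1 apache2[4321]: [error] [client 203.0.113.5] ModSecurity: Error reading request body: Connection reset by peer [hostname "www.example.org"]
Jun 13 14:49:00 www1 apache2[4321]: [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "'" at ARGS:x. [id "960901"] [msg "Invalid character in request \"quote\" test"]
Jun 13 14:50:00 www1 sshd[77]: Accepted publickey for root from 203.0.113.5
"""

if __name__ == "__main__":
    by_attacker, by_rule, by_target = summarise(SAMPLE.splitlines())
    print(render("ModSecurity: Reporting by Attacker, Rule, Target", by_attacker))
    print(render("ModSecurity: Reporting by Rule, Target, Attacker", by_rule))
    print(render("ModSecurity: Reporting by Target, Rule, Attacker", by_target))
```

Feeding it the same syslog file the Perl script reads (for example `python3 modsec_report.py < /var/log/syslog` with the `__main__` block changed to read `sys.stdin`) gives the same three reports; the "Connection reset by peer" line and the unrelated sshd line are dropped, the alert without a msg falls back to its rule id, and the alert without a hostname lands under "-", exactly as in the Perl grouping.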