How To Use Apache Scalp Log Analyzer to Catch Website Attacks

Posted August 31st, 2015 at 11:29:40am

Requires Python!

Scalp Home
https://code.google.com/p/apache-scalp/

Download Scalp:
https://code.google.com/p/apache-scalp/downloads/detail?name=scalp-0.4.py
Backup Link:
http://www.wyzaerd.com/scalp/scalp-0.4.py

Original (Broken) XML Rules File:
https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.xml
Fixed XML Rules File:
http://www.wyzaerd.com/scalp/default_filter.xml

To Fix the XML file:
Replace:
(?:all|distinct|[(!@]*)? with (?:all|distinct|[(!@]+)?
and:
(?i:(\%SYSTEMROOT\%)) with (?:(\%[sS][yY][sS][tT][eE][mM][rR][oO][oO][tT]\%))

Examples:

Current options:
exhaustive: Won’t stop at the first pattern matched, but will test all the patterns
tough: Will decode part of each potential attack (this is done to make better use of the PHP-IDS regexps and so decrease the false-negative rate)
period: Specify a time-frame to look at; everything outside it will be ignored
sample: Does a random sampling of the log lines in order to look at a certain percentage; this is useful when the user doesn’t want to do a full scan of the whole log, but just wants to ping it to see if there is some problem…
attack: Specify which classes of vulnerabilities the tool will look for (e.g. look only for XSS, SQL Injection, etc.)


Automation
Here is a small Perl script as a wrapper around Scalp for when you have multiple VirtualHost entries on your web server, each with different log files (YMMV):

Place scalp-0.4.py, default_filter.xml and the ids script into the $bindir directory you specified in the ids script.

root@myHost:/root/scalp # ./ids
root@myHost:/root/scalp # for i in $(find . -name "*txt"); do vim "$i"; done


Here is a very crude but effective non-Scalp hit counter I whipped up, which simply gets the raw count of requests per IP address. Remember that each page render can consist of many calls, so be sure to baseline a normal page load quantity before panicking. As always, YMMV…
If you provide an optional space-delimited list of one or more IP addresses to look for on the command line, the script will output a summary of counts per log file for those IP addresses.
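The following is an added example, not the author's Perl hit counter (which is not reproduced above): a Python version of the same idea that counts requests per client IP for each log file and, when a list of IP addresses is given on the command line, reports only those IPs per file. The log lines and file names are constructed samples, not from the post.

```python
import re
import sys
from collections import Counter

# Apache common/combined log format: the client IP is the first token.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def count_hits(lines, only_ips=None):
    """Return a Counter of request count per client IP for one log file.

    only_ips: optional iterable of IP addresses to restrict the count to
    (mirrors the optional space-delimited IP list on the command line).
    """
    wanted = set(only_ips) if only_ips else None
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines instead of crashing
        ip = m.group(1)
        if wanted is None or ip in wanted:
            counts[ip] += 1
    return counts


def summarize(logs, only_ips=None):
    """logs: mapping of log file name -> iterable of lines.
    Returns {filename: {ip: count}} so the summary is per log file."""
    return {name: dict(count_hits(lines, only_ips)) for name, lines in logs.items()}


# Constructed sample log lines (not taken from the original post).
SAMPLE_LOGS = {
    "site1-access.log": [
        '203.0.113.5 - - [31/Aug/2015:11:29:40 -0400] "GET / HTTP/1.1" 200 5123',
        '203.0.113.5 - - [31/Aug/2015:11:29:40 -0400] "GET /style.css HTTP/1.1" 200 812',
        '203.0.113.5 - - [31/Aug/2015:11:29:41 -0400] "GET /logo.png HTTP/1.1" 200 9034',
        '198.51.100.7 - - [31/Aug/2015:11:30:02 -0400] "GET /index.php?id=1 HTTP/1.1" 200 4410',
        'garbage line that does not parse',
    ],
    "site2-access.log": [
        '198.51.100.7 - - [31/Aug/2015:11:31:10 -0400] "POST /login HTTP/1.1" 302 0',
        '198.51.100.7 - - [31/Aug/2015:11:31:11 -0400] "POST /login HTTP/1.1" 302 0',
    ],
}

if __name__ == "__main__":
    # Usage: python hits.py [ip ...]  (no IPs given = report every client)
    for fname, per_ip in summarize(SAMPLE_LOGS, sys.argv[1:]).items():
        print(fname)
        for ip, n in sorted(per_ip.items(), key=lambda kv: -kv[1]):
            print(f"  {n:6d}  {ip}")
```

Note that one page load from 203.0.113.5 produced three requests here, which is why a baseline per-page request count is needed before treating a high number as suspicious.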
