How To Use Apache Scalp Log Analyzer to Catch Website Attacks

Posted August 31st, 2015 at 11:29:40am

Requires Python!

Scalp Home

Download Scalp:
Backup Link:

Original (Broken) XML Rules File:
Fixed XML Rules File:

To fix the XML rules file, make these two replacements:
Replace (?:all|distinct|[(!@]*)? with (?:all|distinct|[(!@]+)?
Replace (?i:(\%SYSTEMROOT\%)) with (?:(\%[sS][yY][sS][tT][eE][mM][rR][oO][oO][tT]\%))


Current options:
exhaustive: Does not stop at the first pattern matched; tests all the patterns
tough: Decodes part of each potential attack (this is done to make better use of the PHP-IDS regexps and so decrease the false-negative rate)
period: Specify a time frame to look at; everything outside it is ignored
sample: Randomly samples the log lines so that only a certain percentage is examined; useful when you don't want a full scan of the whole log but just want to ping it to see whether there is a problem
attack: Specify which classes of vulnerabilities the tool will look for (e.g. only XSS, only SQL injection, etc.)

Here is a small Perl script as a wrapper around Scalp for when you have multiple VirtualHost entries on your web server, each with different log files (YMMV):

Place, default_filter.xml and the ids script into the $bindir directory you specified in the ids script.

root@myHost:/root/scalp # ./ids
root@myHost:/root/scalp # for i in `find . -name "*txt"`; do vim $i; done

Here is a very crude but effective non-Scalp hit counter I whipped up; it simply gets the raw count of requests per IP address. Remember that a single page render can consist of many requests, so be sure to baseline the request count of a normal page load before panicking. As always, YMMV.
If you pass an optional space-delimited list of one or more IP addresses on the command line, the script instead outputs a summary of counts per log file for just those addresses.
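The hit counter described above, written here as an added Python example rather than the author's own script (which is not reproduced on this page): it parses Apache common/combined log lines, counts requests per client IP, and, given a list of IPs, produces the per-log-file summary. The log lines are constructed sample data, not real traffic.

```python
import re
from collections import Counter

# Apache "common"/"combined" log line: the client IP is the first field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

def hits_per_ip(lines, only_ips=None):
    """Raw request count per client IP (the post's hit counter).

    only_ips: optional iterable of IPs; when given, every other client is
    ignored (the per-IP summary mode). Lines that do not parse are skipped.
    """
    wanted = set(only_ips) if only_ips else None
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        ip = m.group('ip')
        if wanted is None or ip in wanted:
            counts[ip] += 1
    return counts

def summarize(logs, ips):
    """Per-log-file counts for the given IPs: {log_name: {ip: count}}."""
    return {name: dict(hits_per_ip(lines, ips)) for name, lines in logs.items()}

# Constructed sample (not real traffic). One normal page load from
# 203.0.113.5 is three requests (page plus two assets), so 3 is the
# baseline for one render; 198.51.100.9 makes eight requests, all 404s.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Aug/2015:11:29:40 -0400] "GET /index.php HTTP/1.1" 200 5123',
    '203.0.113.5 - - [31/Aug/2015:11:29:40 -0400] "GET /style.css HTTP/1.1" 200 812',
    '203.0.113.5 - - [31/Aug/2015:11:29:41 -0400] "GET /logo.png HTTP/1.1" 200 9021',
    'not an access log line',
] + [
    f'198.51.100.9 - - [31/Aug/2015:11:30:{s:02d} -0400] "GET /backup{s}.zip HTTP/1.1" 404 209'
    for s in range(8)
]

if __name__ == '__main__':
    for ip, n in hits_per_ip(SAMPLE_LOG).most_common():
        print(f'{n:6d}  {ip}')
    print(summarize({'vhost1.log': SAMPLE_LOG}, ['198.51.100.9']))
```

On real logs, read each VirtualHost's access log into `lines` and call `summarize` with the IPs you are investigating; compare the raw counts against the per-render baseline you measured first.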
