[Dshield] apache log analyzer

dshield.org at keithbergen.com
Wed May 18 15:00:45 GMT 2005


I found a Perl script that parsed the Access log file for certain patterns.
I made some significant modifications to it and use it for my own site.

Some of the bad parts are that it only parses 1 access log file (It could be
modified to parse access error logs). I only have a few signatures of
"attacks", and that hasn't been updated in quite a while. It runs slowly
because it parses the entire error log file (chomp didn't seem to speed it
up). It calls two small GIFs (of different colored dots) to produce a bar
chart. You can probably just create two to your liking.

Source is quoted here (Moderator can remove if that's against the rules and
I will send by request):

=-=-=-=-snip-=-=-=-=
#!C:/perl/bin/perl.exe -w
#####
# aTTACK cOUNTER v0.22 - filename: ac.pl
#
# Written by Marc Nause with vi.
# Questions? marc at audioattack.de * http://low.audioattack.de
# Last modified: Feb.01.2003 by Marc Nause
#
# This is free software. You may copy and change it the
# way you like it. You may not take any money for
# distributing it.
#
# This program reads the logfiles of the Apache server
# and shows how many times the server has been attacked by:
# - NIMDA          (worm)
# - CODE RED       (worm)
# - CGICHK         (scans for CGI scripts with known vulnerabilities)
# - WELCHIA/WEBDAV (Some scanner that is similar to CGICHK, but I still
#                   don't know what it is.)
#####
# Major modifications from Marc's original code. Keith Bergen - March 30, 2003.
# - Now it runs as a CGI that generates the HTML code online so that you
#   don't need to run it and then open another file.
# - Removed all of the extraneous statements.
# - Fixed some perl problems - may have been identified because I use Perl 5.8.0.
# - No longer uses separate header and footer files. They are incorporated into
#   the code. This was a personal preference.
# - Show IP and date of last attack.
# - Removed the one called "thing". Never got a hit on that one anyhow.
# - Added the Webdav/Welchia exploit attempts.
#####

use strict;
use warnings;

# paths and filenames
my $logfile = "D:/var/logs/access.log";
my $ffs     = "<font face=\"Georgia\" size=\"2\">";

# open logfile
open(my $fh, '<', $logfile) or die "Can't open $logfile!\n\n";

# Initialize Variables
my ($countnimda, $countcodered, $countwebdav) = (0, 0, 0);
my ($datenimda,  $datecodered,  $datewebdav)  = ("", "", "");
my ($ipnimda,    $ipcodered,    $ipwebdav)    = ("", "", "");
my ($requests, $date1, $date2) = (0, "", "");

while (my $line = <$fh>)
{
	# skip blank or malformed lines instead of slicing garbage out of them
	next unless index($line, "[") >= 0 && index($line, "]") > 0 && index($line, " ") > 0;
	$requests++;

	# get dates: the text between "[" and "]" minus the " +zzzz" timezone offset
	my $start = index($line, "[") + 1;
	my $end   = index($line, "]") - 6;
	my $date  = substr($line, $start, $end - $start);

	# the first line gives the start of the period, every line moves its end
	$date1 = $date if $requests == 1;
	$date2 = $date;

	# get IP address (the first field, without the trailing space)
	my $ip = substr($line, 0, index($line, " "));

	# count NIMDA
	if ($line =~ /\/root\.exe\?\/c/i) { $countnimda++;   $datenimda   = $date2; $ipnimda   = $ip }
	if ($line =~ /\/cmd\.exe\?\/c/i)  { $countnimda++;   $datenimda   = $date2; $ipnimda   = $ip }
	# count CODE RED
	if ($line =~ /\/default\.ida\?/i) { $countcodered++; $datecodered = $date2; $ipcodered = $ip }
	# count WEBDAV/WELCHIA (Apache writes the raw 0x90 bytes into the log as the text "\x90")
	if ($line =~ /SEARCH \/\\x90/i)   { $countwebdav++;  $datewebdav  = $date2; $ipwebdav  = $ip }
}

# close logfile
close $fh;

# calculate some stuff
my $total   = $countnimda + $countcodered + $countwebdav;
my $divisor = $total < 1 ? 1 : $total;   # no division by zero when nothing matched

# share of all attacks as a whole number from 1 to 100 (used as a bar width in pixels);
# int() replaces the old substr($percent,0,2), which turned "5.5" into "5." and 99.9 into "99"
sub percent
{
	my ($count, $div) = @_;
	my $p = int(($count / $div) * 100);
	$p = 1   if $count > 0 && $p < 1;
	$p = 100 if $p > 100;
	return $p;
}

my $percentnimda   = percent($countnimda,   $divisor);
my $percentcodered = percent($countcodered, $divisor);
my $percentwebdav  = percent($countwebdav,  $divisor);

# log fields (date, client address) end up inside the HTML, so escape them first
sub esc
{
	my ($s) = @_;
	$s =~ s/&/&amp;/g;
	$s =~ s/</&lt;/g;
	$s =~ s/>/&gt;/g;
	$s =~ s/"/&quot;/g;
	return $s;
}

# one table row: name, count, bar of two GIFs whose widths add up to 100, last date, last IP
sub row
{
	my ($name, $count, $percent, $date, $ip) = @_;
	return if $percent < 1;
	my $minus = 100 - $percent;
	print "<tr><td align=\"left\">$ffs $name</font></td>",
	      "<td align=\"right\">$ffs$count</font></td>",
	      "<td align=\"left\">$ffs<img src=\"/ac022/ac1.gif\" height=\"10\" width=\"$percent\">",
	      "<img src=\"/ac022/ac2.gif\" height=\"10\" width=\"$minus\"></font></td>",
	      "<td>$ffs", esc($date), "</font></td>",
	      "<td>$ffs", esc($ip), "</font></td></tr>\n";
}

print "Content-type: text/html\n\n";
print "<html><head><title>Attack Counter</title></head><body>";
print "$ffs<center>$total web server attacks - (", esc($date1), " to ", esc($date2), ")</font><br>";
print "<table border=\"2\">\n";

print "<tr><td>$ffs";
print "Attack</font></td><td>$ffs";
print "Count</font></td><td>$ffs";
print "Percent</font></td><td>$ffs";
print "Last Attempted Attack</font></td><td>$ffs";
print "Last Address</font></td></tr>\n";

row("Code Red",       $countcodered, $percentcodered, $datecodered, $ipcodered);
row("Nimda",          $countnimda,   $percentnimda,   $datenimda,   $ipnimda);
row("Welchia/Webdav", $countwebdav,  $percentwebdav,  $datewebdav,  $ipwebdav);

print "</table></center><address><font face=\"Georgia\" size=\"1\"><center>";
print "These are attacks that are intended for Microsoft's IIS server. ";
print "As you can see, I run an Apache server, and thus am not susceptible to these particular attacks.";
print "</center></font></address></body></html>";
=-=-=-=-snip-=-=-=-=

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Suscripcions tsolucio
Sent: Wednesday, May 18, 2005 7:31 AM
To: General DShield Discussion List
Subject: [Dshield] apache log analyzer


I want to make statistics about the attacks that our apache server suffers
every day, and of course know the attack and the source. Is there a program
that analyzes the logs and makes a report based only on the attacks? I don't
care about the visits, etc. Thanks
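A structured version of the same job, as an added example that is not part of Keith's script or the original post: it parses Apache common/combined log lines with a regex instead of index/substr, applies the same request patterns the script uses, skips malformed lines, tracks the first/last date and the last client per signature, and computes the 1..100 bar widths. The sample log lines and addresses are constructed.

```python
import re
# Apache common/combined log format: client ident user [date zone] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<date>[^\]]+?) [+-]\d{4}\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# The same request patterns the Perl script looks for; Apache writes the raw 0x90 bytes of
# the WebDAV probe into the log as the escaped text "\x90", so that text is what is matched.
SIGNATURES = {
    "Nimda":          re.compile(r'/(?:root|cmd)\.exe\?/c', re.I),
    "Code Red":       re.compile(r'/default\.ida\?', re.I),
    "Welchia/Webdav": re.compile(r'^SEARCH /\\x90', re.I),
}
# constructed sample lines (hypothetical addresses, not taken from the original post)
SAMPLE_LOG = r"""
192.0.2.10 - - [18/May/2005:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 1043
192.0.2.11 - - [18/May/2005:09:15:44 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.11 - - [18/May/2005:09:15:45 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
192.0.2.12 - - [18/May/2005:10:01:07 +0000] "SEARCH /\x90\x90\x90\x90 HTTP/1.1" 414 0
192.0.2.13 - - [18/May/2005:10:30:19 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
this line is not in log format and must be skipped rather than sliced with index()/substr()
""".strip().splitlines()
def parse_line(line):
    """Return (ip, date, request) or None when the line is not in Apache log format."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("date"), m.group("request")) if m else None
def tally(lines):
    """Count hits per signature and remember date and client of the most recent hit."""
    stats = {n: {"count": 0, "last_date": "", "last_ip": ""} for n in SIGNATURES}
    first = last = ""
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, date, request = parsed
        first = first or date          # period start: first well-formed line
        last = date                    # period end: every well-formed line moves it
        for name, pat in SIGNATURES.items():
            if pat.search(request):
                stats[name]["count"] += 1
                stats[name]["last_date"] = date
                stats[name]["last_ip"] = ip
    return first, last, stats

def bar_width(count, total):
    """Share of all hits as a whole number 1..100 (the script's GIF bar width); 0 when no hits."""
    if count < 1 or total < 1:
        return 0
    return max(1, int(count * 100 / total))
```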
