Friday, June 5, 2015

Analyze Apache Access Logs for Malicious Activity

Let's say I have an Apache Web Server access log. I think something fishy was going on yesterday, but I don't want to manually parse through all the disgusting text based logs to find the craziness. I could write a custom python script, splash in some amazing regular expressions, and try to find the bad stuff on my own. Or I could just use somebody else's :-)

Here in lies a tool like apache scalp. It's a free python script you can download and execute. The only pre-requisites are that you have python installed and that you download the default filter xml file.

Then run the script
  python.exe -l www.mysite_log -o myoutputfolder --html -f default_filter.xml
  Loading XML file 'default_filter.xml'...
  Processing the file 'www.mysite_log'...
  Scalp results:
         Processed 873 lines over 873
         Found 6 attack patterns in 0.581000 s
  Generating output in myoutputfolder\www.mysite_log_scalp_*

It generates a pretty html file that you can open in your browser from the myoutputfolder location. Hopefully if anything you just saved yourself a bunch of time.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment