
#!/usr/bin/perl -w
##########################################################################
# $Id: mod_security2, v 1.0.1 2013/01/11
##########################################################################
#
# Revision 1.0.1   2013/01/11
# fixed problem with uninitialized values #6
#
##########################################################################
# This script is written and maintained by:
#   Torben Hansen <derhansen@gmail.com>
#
# To send comments, suggestions, bugreports, etc, please use:
#   https://github.com/derhansen/logwatch-modsec2
##########################################################################
##########################################################################
# Copyright © 2013 Torben Hansen <derhansen@gmail.com>
#
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the
# “Software”), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANT-
# ABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
# EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
##########################################################################
use Logwatch ':dates';
# Disable "used only once: possible typo" warnings for package variables
no warnings qw(once);
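# Logwatch passes its settings through the environment; $Detail is read
# for completeness but is not used by this filter.
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;

# Regex (built by Logwatch) matching audit-log timestamps that fall inside
# the requested reporting range, e.g. "11/Jan/2013:12:34:56 +0100".
my $SearchDate = TimeFilter('%d/%b/%Y:%H:%M:%S');

# Fields of the audit-log entry currently being parsed, keyed by entry
# number ($count) and then by field name.
my %tmpEntry = ();
my $count = 0;

# Report aggregates.  %messages is keyed by vhost and then holds
# "numAttacks" (hit count), "attack" (source IP -> rule id -> rule message)
# and one key per source IP (rule id -> hit count).  %topips and %toprules
# count hits per source IP and per rule id.
my %messages = ();
my %topips = ();
my %toprules = ();

# Parser state: $check is 1 while the current section's lines are parsed,
# $option names that section.
my $check = 0;
my $option = '';

if ( $Debug >= 5 ) {
    print STDERR "\n\nDEBUG MODE \n\n";
}

# Initialize every field that is matched or compared when an entry ends,
# so an entry that lacks the corresponding section (e.g. a log that starts
# mid-transaction) does not raise "uninitialized value" warnings.  The
# timestamp is included because it is matched against $SearchDate.
$tmpEntry{$count}{"timestamp"} = "";
$tmpEntry{$count}{"action"} = "";
$tmpEntry{$count}{"hostname"} = "";
$tmpEntry{$count}{"message"} = "";
$tmpEntry{$count}{"ruleid"} = "";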
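# Parse the serial ModSecurity 2 audit log from STDIN.  Each entry is a
# run of sections delimited by "--<boundary>-<letter>--" lines: A holds
# the timestamp and addresses, B the raw request headers, H the rule
# messages and action, Z closes the entry.
while (defined(my $ThisLine = <STDIN>)) {
    chomp($ThisLine);
    # Section B echoes the raw request headers; drop a trailing CR in case
    # they kept their CRLF line ends, so the anchored patterns below match.
    $ThisLine =~ s/\r\z//;

    # Match the whole line when looking for a section boundary, so marker
    # text inside a request header or URI can never be mistaken for one
    # (which would start or close an entry early and lose it).
    if ( my ($section) = ($ThisLine =~ /^--\S+-([A-Z])--$/) ) {
        # Every boundary ends the previous section; only A, B and H carry
        # content this script parses, Z finalizes the entry.
        $check = 0;
        $option = "";

        if ( $section eq "A" ) {
            $check = 1;
            $option = "audit-log-header";
        }
        elsif ( $section eq "B" ) {
            $check = 1;
            $option = "request-header";
        }
        elsif ( $section eq "H" ) {
            $check = 1;
            $option = "audit-log-trailer";
        }
        elsif ( $section eq "Z" ) {
            my $entry = $tmpEntry{$count};
            my $timestamp = $entry->{"timestamp"};

            # Create a new summary entry if the date matches the search
            # date.  The defined() guard covers an entry whose A section
            # never arrived (e.g. a log that starts mid-transaction).
            if ( defined($timestamp) && $timestamp =~ /$SearchDate/ ) {
                # Only complete entries that were actually acted upon count.
                if (   $entry->{"action"} ne ""
                    && $entry->{"hostname"} ne ""
                    && $entry->{"message"} ne ""
                    && $entry->{"ruleid"} ne "" ) {
                    my $vhost = $entry->{"hostname"};
                    my $fromip = $entry->{"sourceIp"};
                    my $ruleid = $entry->{"ruleid"};

                    $messages{$vhost}{"numAttacks"}++;
                    $messages{$vhost}{"attack"}{$fromip}{$ruleid} = $entry->{"message"};
                    $messages{$vhost}{$fromip}{$ruleid}++;

                    $topips{$fromip}++;
                    $toprules{$ruleid}++;
                }
            }

            $count++;

            # Discard the finished entry and start a fresh one.  (The old
            # code assigned to the scalar $tmpEntry, so the hash kept every
            # entry of the run.)  Fields that are compared above start as
            # "" so a partial entry does not raise "uninitialized" warnings.
            %tmpEntry = ();
            $tmpEntry{$count}{"timestamp"} = "";
            $tmpEntry{$count}{"action"} = "";
            $tmpEntry{$count}{"hostname"} = "";
            $tmpEntry{$count}{"message"} = "";
            $tmpEntry{$count}{"ruleid"} = "";

            if ( $Debug >= 5 ) {
                print STDERR "---------------------------------------\n";
            }
        }
        next;
    }

    # Lines of sections we do not parse are skipped.
    next unless $check == 1;

    if ( $option eq "audit-log-header" ) {
        # "[dd/Mon/yyyy:HH:MM:SS +zzzz] <txid> <src ip> <src port> <dst ip> <dst port>"
        # Only store the fields when the line actually matches, so a
        # malformed line cannot clobber the initialized defaults.
        if ( my ($timestamp, $transactionID, $sourceIP, $sourcePort, $destIP, $destPort)
                = ($ThisLine =~ /\[(.*?)\] (.*?) (.*?) (.*?) (.*?) (.*?)$/) ) {
            $tmpEntry{$count}{"timestamp"} = $timestamp;
            $tmpEntry{$count}{"sourceIp"} = $sourceIP;
            $tmpEntry{$count}{"sourcePort"} = $sourcePort;
            $tmpEntry{$count}{"destIp"} = $destIP;
            $tmpEntry{$count}{"destPort"} = $destPort;

            if ( $Debug >= 5 ) {
                print STDERR "\n";
                print STDERR "DATE: " . $timestamp . "\n";
                print STDERR "FROM: ". $sourceIP . ":" . $sourcePort . "\n";
                print STDERR "TO: ". $destIP . ":" . $destPort . "\n";
            }
        }
    }
    elsif ( $option eq "request-header" ) {
        # Request line: any token method (not just GET/POST); header lines
        # cannot match because their name is followed by a colon.
        if ( my ($method, $requestUri) = ($ThisLine =~ /^([A-Z]+) (.*)$/) ) {
            $tmpEntry{$count}{"method"} = $method;
            $tmpEntry{$count}{"uri"} = $requestUri;

            if ( $Debug >= 5 ) {
                print STDERR "METHOD: " . $method . "\n";
                print STDERR "URI: " . $requestUri . "\n";
            }
        }
        # Header names are case-insensitive; trim surrounding whitespace.
        elsif ( my ($hostname) = ($ThisLine =~ /^Host:\s*(.*?)\s*$/i) ) {
            # The Host value is client-supplied and is printed verbatim in
            # the report: drop control characters so it cannot inject line
            # breaks or terminal escapes, and so a stray CR does not split
            # one vhost into two report entries.
            $hostname =~ tr/\x00-\x1f\x7f//d;
            $tmpEntry{$count}{"hostname"} = $hostname;

            if ( $Debug >= 5 ) {
                print STDERR "HOST: " . $hostname . "\n";
            }
        }
    }
    elsif ( $option eq "audit-log-trailer" ) {
        if ( $ThisLine =~ /^Message:/ ) {
            # An entry may carry several Message lines; the last one that
            # provides a field wins.  Capturing per line (instead of into
            # script-wide variables) keeps a previous entry's rule id or
            # message from leaking into this one.
            if ( my ($ruleId) = ($ThisLine =~ /\[id "(.*?)"\]/) ) {
                $tmpEntry{$count}{"ruleid"} = $ruleId;
                if ( $Debug >= 5 ) {
                    print STDERR "Rule ID: " . $ruleId. "\n";
                }
            }
            if ( my ($msg) = ($ThisLine =~ /\[msg "(.*?)"\]/) ) {
                $tmpEntry{$count}{"message"} = $msg;
                if ( $Debug >= 5 ) {
                    print STDERR "Message: " . $msg. "\n";
                }
            }
        }
        elsif ( my ($action) = ($ThisLine =~ /^Action: (.*)$/) ) {
            $tmpEntry{$count}{"action"} = $action;
            if ( $Debug >= 5 ) {
                print STDERR "Action: " . $action. "\n";
            }
        }
        elsif ( my ($engineMode) = ($ThisLine =~ /^Engine-Mode: (.*)$/) ) {
            $tmpEntry{$count}{"engine"} = $engineMode;
            if ( $Debug >= 5 ) {
                print STDERR "Engine mode: " . $engineMode. "\n";
            }
        }
    }
}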
# Start summary
# Per-vhost report: every (source IP, rule id) pair that was counted,
# with the rule message and how often it was seen.
if (keys %messages) {
    print "\nATTACKS BLOCKED ON VHOSTS:\n";
    for my $vhost ( sort keys %messages ) {
        my $byVhost = $messages{$vhost};
        printf "\n%s - %s time(s)\n", $vhost, $byVhost->{"numAttacks"};

        for my $fromip ( sort keys %{ $byVhost->{"attack"} } ) {
            my $rules = $byVhost->{"attack"}{$fromip};
            for my $ruleid ( sort keys %{$rules} ) {
                # Hit counts live next to the "attack" key, under the IP.
                printf "  [ip: %-15s] [id: %s ] [msg: %s]  - %s time(s)\n",
                    $fromip, $ruleid, $rules->{$ruleid},
                    $byVhost->{$fromip}{$ruleid};
            }
        }
    }
}

# Source IPs ranked by hit count, at most ten of them.
if (keys %topips) {
    print "\nTOP 10 BLOCKED IPS:\n";
    my @ranked = sort { $topips{$b} <=> $topips{$a} } keys %topips;
    splice(@ranked, 10) if @ranked > 10;

    my $rank = 0;
    for my $ip (@ranked) {
        $rank++;
        printf "\n  %2s. %s - %s time(s)", $rank, $ip, $topips{$ip};
    }
    print "\n";
}

exit(0);