|
Packit |
284210 |
#!@PERL@
|
|
Packit |
284210 |
#
|
|
Packit |
284210 |
# ModSecurity for Apache 2.x, http://www.modsecurity.org/
|
|
Packit |
284210 |
# Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
|
|
Packit |
284210 |
#
|
|
Packit |
284210 |
# You may not use this file except in compliance with
|
|
Packit |
284210 |
# the License. You may obtain a copy of the License at
|
|
Packit |
284210 |
#
|
|
Packit |
284210 |
# http://www.apache.org/licenses/LICENSE-2.0
|
|
Packit |
284210 |
#
|
|
Packit |
284210 |
# If any of the files related to licensing are missing or if you have any
|
|
Packit |
284210 |
# other questions related to licensing please contact Trustwave Holdings, Inc.
|
|
Packit |
284210 |
# directly using the email address security@modsecurity.org.
|
|
Packit |
284210 |
|
|
Packit |
284210 |
use strict;
|
|
Packit |
284210 |
use File::Find qw(find);
|
|
Packit |
284210 |
use File::Spec::Functions qw(catfile);
|
|
Packit |
284210 |
use Sys::Hostname qw(hostname);
|
|
Packit |
284210 |
use Digest::MD5 qw(md5_hex);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
my $ROOTDIR = $ARGV[0] || '';
|
|
Packit |
284210 |
my $MLOGC = $ARGV[1] || '';
|
|
Packit |
284210 |
my $MLOGCCONF = $ARGV[2] || '';
|
|
Packit |
284210 |
my @AUDIT = ();
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if ($ROOTDIR eq '' or ! -e $MLOGC or ! -e $MLOGCCONF) {
|
|
Packit |
284210 |
printf STDERR "\nUsage: $0 <rootdir> </path/to/mlogc> <mlogc_config>\n\n";
|
|
Packit |
284210 |
exit 1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
open(MLOGC, "|$MLOGC -f $MLOGCCONF") or die "ERROR: could not open '$MLOGC' - $!\n";
|
|
Packit |
284210 |
|
|
Packit |
284210 |
find(
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
wanted => sub {
|
|
Packit |
284210 |
my($fn,$dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
(($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size) = stat($_)) &&
|
|
Packit |
284210 |
-f _ &&
|
|
Packit |
284210 |
#### MODSEC-204 /^\d{8}-\d+-\w{24}$/s
|
|
Packit |
284210 |
/^\d{8}-\d+-.{24,}$/s
|
|
Packit |
284210 |
&& (($fn = $File::Find::name) =~ s/^\Q$ROOTDIR\E//)
|
|
Packit |
284210 |
&& push(@AUDIT, [$fn, $size]);
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
follow => 1,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
$ROOTDIR
|
|
Packit |
284210 |
);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
for my $audit (@AUDIT) {
|
|
Packit |
284210 |
my $fn = $audit->[0];
|
|
Packit |
284210 |
my $line = "";
|
|
Packit |
284210 |
my $err = 0;
|
|
Packit |
284210 |
my $ln = 0;
|
|
Packit |
284210 |
my $sln = 0;
|
|
Packit |
284210 |
my $sect = "";
|
|
Packit |
284210 |
my $data = "";
|
|
Packit |
284210 |
my %data = (
|
|
Packit |
284210 |
hostname => hostname(),
|
|
Packit |
284210 |
remote_addr => "-",
|
|
Packit |
284210 |
remote_user => "-",
|
|
Packit |
284210 |
local_user => "-",
|
|
Packit |
284210 |
logtime => "-",
|
|
Packit |
284210 |
request => "-",
|
|
Packit |
284210 |
response_status => "-",
|
|
Packit |
284210 |
bytes_sent => "-",
|
|
Packit |
284210 |
referer => "-",
|
|
Packit |
284210 |
user_agent => "-",
|
|
Packit |
284210 |
uniqueid => "-",
|
|
Packit |
284210 |
sessionid => "-",
|
|
Packit |
284210 |
audit_file => $fn,
|
|
Packit |
284210 |
extra => "0",
|
|
Packit |
284210 |
audit_size => $audit->[1],
|
|
Packit |
284210 |
md5 => "-",
|
|
Packit |
284210 |
);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
### Parse the audit file in an attempt to recreate the original log line
|
|
Packit |
284210 |
open (AUDIT, "<".catfile($ROOTDIR,$fn)) or $err = 1;
|
|
Packit |
284210 |
if ($err == 1) {
|
|
Packit |
284210 |
print STDERR "ERROR: could not open '$fn' - $!\n";
|
|
Packit |
284210 |
next;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
while($line = <AUDIT>) {
|
|
Packit |
284210 |
$data .= $line;
|
|
Packit |
284210 |
chop $line;
|
|
Packit |
284210 |
$ln++;
|
|
Packit |
284210 |
$sln++;
|
|
Packit |
284210 |
if ($line =~ m%^--[0-9A-Fa-f]{8}-([A-Z])--$%) {
|
|
Packit |
284210 |
$sect = $1;
|
|
Packit |
284210 |
$sln = 0;
|
|
Packit |
284210 |
next;
|
|
Packit |
284210 |
};
|
|
Packit |
284210 |
if ($sect eq 'A') {
|
|
Packit |
284210 |
if ($line =~ m%^(\[[^:]+:\d+:\d+:\d+ [^\]]+\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) {
|
|
Packit |
284210 |
$data{logtime} = $1;
|
|
Packit |
284210 |
$data{uniqueid} = $2;
|
|
Packit |
284210 |
$data{remote_addr} = $3;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
next;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
elsif ($sect eq 'B') {
|
|
Packit |
284210 |
if ($sln == 1) {
|
|
Packit |
284210 |
$data{request} = $line;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
elsif ($line =~ m%^User=Agent: (.*)%i) {
|
|
Packit |
284210 |
$data{user_agent} = $1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
elsif ($line =~ m%^Referer: (.*)%i) {
|
|
Packit |
284210 |
$data{referer} = $1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
next;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
elsif ($sect eq 'F') {
|
|
Packit |
284210 |
if ($sln == 1 and $line =~ m%^\S+ (\d{3})\D?.*%) {
|
|
Packit |
284210 |
$data{response_status} = $1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
elsif ($line =~ m%^Content-Length: (\d+)%i) {
|
|
Packit |
284210 |
$data{bytes_sent} = $1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
next;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
$data{md5} = md5_hex($data);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
printf MLOGC (
|
|
Packit |
284210 |
"%s %s %s %s %s \"%s\" %s %s \"%s\" \"%s\" %s \"%s\" %s %s %s md5:%s\n",
|
|
Packit |
284210 |
$data{hostname},
|
|
Packit |
284210 |
$data{remote_addr},
|
|
Packit |
284210 |
$data{remote_user},
|
|
Packit |
284210 |
$data{local_user},
|
|
Packit |
284210 |
$data{logtime},
|
|
Packit |
284210 |
$data{request},
|
|
Packit |
284210 |
$data{response_status},
|
|
Packit |
284210 |
$data{bytes_sent},
|
|
Packit |
284210 |
$data{referer},
|
|
Packit |
284210 |
$data{user_agent},
|
|
Packit |
284210 |
$data{uniqueid},
|
|
Packit |
284210 |
$data{sessionid},
|
|
Packit |
284210 |
$data{audit_file},
|
|
Packit |
284210 |
$data{extra},
|
|
Packit |
284210 |
$data{audit_size},
|
|
Packit |
284210 |
$data{md5},
|
|
Packit |
284210 |
);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|