Scalp 0.4: apache log based attack analyzer, updated
By Romain Tuesday, September 16 2008 - 18:27 UTC - Tech - Permalink
Some time ago, I released a first version of a tool named Scalp. The tool analyzes Apache HTTPD logs to check whether they contain attacks. Attack detection is based on the rules provided by the PHP-IDS project.
Today, I took the time to finalize the Python version of Scalp a bit more. Version 0.4 can now be downloaded from the project web page.
This version includes a couple of features such as:
Together with other options that already existed in the previous versions, the tool seems to be approaching a final version.
I won't add more to it, since I want to keep it simple and fast (I may add optimizations if I find any). The C++ version is also on its way and mostly done, with the same set of options; the code can be checked out from the Google Code repository, but I still have to work on the options and the time-frame specification.
Scalp 0.4:
Comments
Thank you, I was searching for a tool like that for ages. Any suggestions for other must-have security tools?
Is it only for the access, error or combined Apache log?
The parsing regexp is only calibrated for the access_log; I must have put that somewhere on the website :)
But the thing is that this tool is only focused on application-level attacks (XSS, SQL Injection etc.) and therefore, these must be checked first in the access_log.
If you wanna retrieve what some user did, such as trying to retrieve some path etc., you may look at the error_log, but I really think it isn't worth much.
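Worked example, added here and not part of Scalp or the original post: a small Python 3 script in the spirit of what the post and the reply above describe. It parses Apache access_log lines with a combined-log-format regex, URL-decodes the request line (the place where application-level payloads such as XSS and SQL injection actually show up) and runs a few detection rules over it. The log lines, the IP addresses and the rule set are all constructed for this example; the regexes are neither the PHP-IDS rules nor Scalp's own parsing regexp.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" access_log format (constructed for this example;
# Scalp's own parsing regexp is not reproduced here).
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Deliberately small, constructed rule set in the spirit of PHP-IDS filters.
# These are NOT the PHP-IDS rules; a real deployment would load a full rule file.
RULES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\d+\s*=\s*\d+|--\s*$)")),
    ("xss", re.compile(r"(?i)(<\s*script|javascript:|on\w+\s*=)")),
    ("traversal", re.compile(r"(\.\./|\.\.\\|%2e%2e%2f)", re.I)),
]


def parse_line(line):
    """Return the named fields of one access_log line, or None if it does not parse."""
    m = ACCESS_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def decode_request(path):
    """URL-decode the request path twice so single- and double-encoded payloads are both visible."""
    return unquote_plus(unquote_plus(path))


def classify(entry):
    """Return the names of every rule that matches the decoded request path."""
    target = decode_request(entry["path"])
    return [name for name, rx in RULES if rx.search(target)]


def scan(lines):
    """Return (ip, raw_path, [matched rules]) for each parseable line that triggers a rule."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:          # error_log lines, garbage, truncated lines: skip
            continue
        matched = classify(entry)
        if matched:
            hits.append((entry["ip"], entry["path"], matched))
    return hits


# Constructed sample access_log (documentation-range IPs, no real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Sep/2008:18:27:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Sep/2008:18:27:01 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "curl/7.19"
198.51.100.7 - - [16/Sep/2008:18:27:02 +0000] "GET /search.php?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Sep/2008:18:27:03 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    for ip, path, rules in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{','.join(rules)}\t{path}")
```

Two design points worth noting: the decoding step happens before matching, because the raw request line in the log is still URL-encoded and a rule applied to `%3Cscript%3E` would miss it; and lines that do not match the access_log format are skipped rather than raising, which is what makes the script usable on a large, partly corrupted log.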
Got a problem when I run the script on Windows:
File "scalp-0.4.py", line 328
with open(access,r) as log_file:
............^
SyntaxError: invalid syntax
Wahyudi: Yeah, for now, the script is only for Python >= 2.5. This is partially discussed here:
http://code.google.com/p/apache-sca...