
RE: [cobalt-security] httpd log analyzer



Hi Gerald

I took a look at logcheck.sh, and attempted to add the /var/log/httpd/access
file for analysis. Without entering anything in any of the ignore files I
would have expected logcheck to add the complete log of the last 15 minutes.

Instead it appended the entire (>11 MB) access log file to the email message,
stretching back a few days. This isn't the behaviour I would expect; I can
only guess that it could be something to do with the date format or position
on the line?

For completeness I've added a part of the logs below; all of the
/var/log/xxx files seem to follow the same format, with the date/time being
at the start of the line.

Am I barking up the wrong tree and being daft? Is there something that I
have missed?

Ideally, I'd like to scan through the httpd access log and pick out certain
strings like "cmd.exe", "default.ida", etc. and throw them back, whilst
ignoring all the legitimate GET and POST entries.

Any help greatly appreciated.


Thanks

Rob

/var/log/messages:-

Nov 28 00:03:45 myserver kernel: Packet log: input DENY eth0 PROTO=17 xxx.xxx.xxx.xxx:137 xxx.xxx.xxx.255:137 L=78 S=0x00 I=7322 F=0x0000 T=64 (#28)
Nov 28 00:03:45 myserver kernel: Packet log: input DENY eth0 PROTO=17 xxx.xxx.xxx.xxx:138 xxx.xxx.xxx.255:138 L=211 S=0x00 I=7323 F=0x0000 T=64 (#28)
Nov 28 00:08:45 myserver kernel: Packet log: input DENY eth0 PROTO=17 xxx.xxx.xxx.xxx:137 xxx.xxx.xxx.255:137 L=78 S=0x00 I=7324 F=0x0000 T=64 (#28)

/var/log/httpd/access

myserver.mydomain.com 213.86.98.27 - - [28/Nov/2001:01:05:22 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 253 "-" "-"
myserver.mydomain.com 213.86.98.27 - - [28/Nov/2001:01:05:23 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 235 "-" "-"
myserver.mydomain.com 213.86.98.27 - - [28/Nov/2001:01:05:23 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 253 "-" "-"
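An added example (not part of Rob's post and not logcheck's own code) of the scan the post asks for: a small sh script that reports access-log lines containing strings such as "cmd.exe" or "default.ida", flags any other request that is not an ordinary 2xx/3xx GET or POST, and stores a byte offset between runs so that only lines added since the previous run are reported rather than the whole file. The sample log lines are constructed to match the format shown above; the pattern lists, function names and state-file handling are this example's own assumptions, not logcheck configuration.

```shell
#!/bin/sh
# Added example, not code from logcheck or from the original post.
# Scans an httpd access log (format as in the post) for request strings
# worth reporting, skips ordinary GET/POST lines, and remembers a byte
# offset between runs so each run only looks at lines added since the
# last one (the job logtail does for logcheck on syslog-style files).

# Always report a line containing one of these, whatever else it says.
# The strings are the ones seen in the post's own log excerpt.
ATTACK_RE='cmd\.exe|default\.ida|/winnt/system32/|%c0%af|%c1%1c|%c0%2f'

# Ordinary requests: a plain GET/POST for a path made of "safe" characters
# that was answered with a 2xx/3xx status. Anything else is "unusual".
IGNORE_RE='"(GET|POST) /[A-Za-z0-9_./?=&-]* HTTP/1\.[01]" [23][0-9][0-9] '

# make_sample_log FILE: write constructed sample lines to FILE.
make_sample_log() {
    cat > "$1" <<'EOF'
myserver.mydomain.com 10.0.0.5 - - [28/Nov/2001:01:05:20 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
myserver.mydomain.com 10.0.0.5 - - [28/Nov/2001:01:05:21 +0000] "POST /cgi-bin/form.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
myserver.mydomain.com 213.86.98.27 - - [28/Nov/2001:01:05:22 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 253 "-" "-"
myserver.mydomain.com 213.86.98.27 - - [28/Nov/2001:01:05:23 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 285 "-" "-"
myserver.mydomain.com 10.0.0.6 - - [28/Nov/2001:01:06:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 500 600 "-" "Mozilla/4.0"
myserver.mydomain.com 10.0.0.6 - - [28/Nov/2001:01:06:01 +0000] "GET /images/logo.gif HTTP/1.0" 200 2201 "-" "Mozilla/4.0"
EOF
}

# scan_new_lines LOG STATEFILE: print reportable lines added to LOG since
# the byte offset stored in STATEFILE, then store the new offset.
scan_new_lines() {
    log=$1
    state=$2
    offset=0
    [ -f "$state" ] && offset=$(cat "$state")
    size=$(wc -c < "$log" | tr -d ' ')
    # Log rotated or truncated since the last run: start from the beginning.
    [ "$size" -lt "$offset" ] && offset=0
    new=$(mktemp)
    tail -c +$((offset + 1)) "$log" > "$new"
    echo "$size" > "$state"
    # Tier 1: known-bad strings are reported regardless of status code.
    grep -i -E "$ATTACK_RE" "$new" | sed 's/^/ATTACK:  /'
    # Tier 2: everything else that is not an ordinary successful GET/POST.
    grep -v -i -E "$ATTACK_RE" "$new" | grep -v -E "$IGNORE_RE" | sed 's/^/UNUSUAL: /'
    rm -f "$new"
}

# Stand-alone demonstration: the first run reports, the second is silent.
if [ "${1:-}" = "--demo" ]; then
    LOG=$(mktemp); STATE=$(mktemp); rm -f "$STATE"
    make_sample_log "$LOG"
    echo "== first run =="; scan_new_lines "$LOG" "$STATE"
    echo "== second run (nothing new) =="; scan_new_lines "$LOG" "$STATE"
    rm -f "$LOG" "$STATE"
fi
```

Run it as `sh scan.sh --demo`. Against the sample log the first run prints two ATTACK lines (the cmd.exe and default.ida requests) and one UNUSUAL line (the 500 response), while the three ordinary requests are dropped; the second run prints nothing because the stored offset already covers the whole file. Called from a cron job every 15 minutes with a persistent state file, this is the behaviour Rob expected from logcheck, and the offset reset on truncation keeps it working across log rotation.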

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Rob Moore
Sent: 22 November 2001 11:07
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-security] httpd log analyzer


>> You can configure logcheck to do this.

oops, I should rtfm then! Cheers Gerald!

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Gerald Waugh
Sent: 22 November 2001 10:45
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] httpd log analyzer


> Now, my question: has anyone seen anything like this to monitor the apache
> httpd log files (/var/log/httpd/...) to report any violations, eg. code red
> scans, etc. and email the results? It should not alter the log files in any
> way as that would affect the webalizer splitting, etc.
>
You can configure logcheck to do this.
Edit /usr/local/etc/logcheck.sh and configure
it to do whatever you desire.

Gerald

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
