Scalp! is a security log analyzer for Apache log files. It reads the Apache access log and performs threat analysis against the rulesets provided by the PHP-IDS project. It is available for download from GitHub.

Steps to perform threat analysis on Apache log file:

  1. Download Scalp from GitHub.
    $ git clone https://github.com/neuroo/apache-scalp scalp
    Cloning into 'scalp'...
    remote: Enumerating objects: 11, done.
    remote: Total 11 (delta 0), reused 0 (delta 0), pack-reused 11
    Unpacking objects: 100% (11/11), 11.85 KiB | 346.00 KiB/s, done.
  2. Download signature file from PHPIDS project on GitHub.
    $ git clone https://github.com/PHPIDS/PHPIDS phpids
    Cloning into 'phpids'...
    remote: Enumerating objects: 11281, done.
    remote: Total 11281 (delta 0), reused 0 (delta 0), pack-reused 11281
    Receiving objects: 100% (11281/11281), 4.16 MiB | 2.81 MiB/s, done.
    Resolving deltas: 100% (5636/5636), done.
  3. Split the Apache log file if it is longer than 10000 lines. split writes the pieces as xaa, xab, ... into the current directory, so run the next step once per piece (the log used below is only 1318 lines, so no split was needed there).
    $ split -l 10000  /var/log/apache2/access_log
  4. Analyze the Apache log file using Scalp and the PHPIDS signature file. Scalp dates from 2008 and is written for Python 2, so python here must resolve to a Python 2 interpreter. sudo is only needed because the access log is normally readable by root alone; the Password: prompt comes from sudo, not from Scalp.
    $ sudo python scalp/scalp.py --log /var/log/apache2/access_log --filters phpids/lib/IDS/default_filter.xml
    Password:
    Loading XML file 'phpids/lib/IDS/default_filter.xml'...
    Processing the file '/var/log/apache2/access_log'...
    Scalp results:
    	Processed 1318 lines over 1318
    	Found 6 attack patterns in 0.425544 s
    Generating output in /home/user/access_log_scalp_*

    More options for Scalp:

    Scalp the apache log! by Romain Gaucher - http://rgaucher.info
    usage:  ./scalp.py [--log|-l log_file] [--filters|-f filter_file] [--period time-frame] [OPTIONS] [--attack a1,a2,..,an]
                       [--sample|-s 4.2]
       --log       |-l:  the apache log file './access_log' by default
       --filters   |-f:  the filter file     './default_filter.xml' by default
       --exhaustive|-e:  will report all type of attacks detected and not stop
                         at the first found
       --tough     |-u:  try to decode the potential attack vectors (may increase
                         the examination time)
       --period    |-p:  the period must be specified in the same format as in
                         the Apache logs using * as wild-card
                         ex: 04/Apr/2008:15:45;*/May/2008
                         if one end is not specified, the min or max of the log is taken
       --html      |-h:  generate an HTML output
       --xml       |-x:  generate an XML output
       --text      |-t:  generate a simple text output (default)
       --except    |-c:  generate a file that contains the non examined logs due to the
                         main regular expression; ill-formed Apache log etc.
       --attack    |-a:  specify the list of attacks to look for
                         list: xss, sqli, csrf, dos, dt, spam, id, ref, lfi
                         the list of attacks should be comma separated and not contain spaces
                         ex: xss,sqli,lfi,ref
       --ignore-ip|-i:  specify the list of IP addresses to exclude
                         the list of IP addresses should be comma separated and not contain spaces
                         This option can be used in conjunction with --ignore-subnet
       --ignore-subnet|-n:  specify the list of subnets to exclude
                         the list of subnets should be comma separated and not contain spaces
                         This option can be used in conjunction with --ignore-ip
       --output    |-o:  specifying the output directory; by default, scalp will try to write
                         in the same directory as the log file
       --sample    |-s:  use a random sample of the lines, the number (float in [0,100]) is
                         the percentage, ex: --sample 0.1 for 1/1000
  5. Review the generated output. Every entry is a raw regex match against a PHP-IDS filter, not a confirmed attack: in the run below all six hits are ordinary 200 responses for /windows/... pages that happened to match a path-traversal signature, so decode the request, check the status code and the client address for each hit before treating it as an incident.
    $ cat /home/user/access_log_scalp_*
    
    #
    # File created by Scalp! by Romain Gaucher - http://code.google.com/p/apache-scalp
    # Apache log attack analysis tool based on PHP-IDS filters
    #
    Scalped file: access_log
    Creation date: Sat-08-Feb-2020
    
    Attack type: files
    Attack Cross-Site Scripting (xss)
    Attack Cross-Site Request Forgery (csrf)
    Attack Spam (spam)
    Attack Local File Inclusion (lfi)
    
    	### Impact 5
    	127.0.0.1 - - [08/Feb/2020:07:31:12 +0800] "GET /windows/start HTTP/1.1" 200 4541
    	Reason: "Detects specific directory and path traversal"
    
    	127.0.0.1 - - [08/Feb/2020:07:31:16 +0800] "GET /windows/burn-iso-image HTTP/1.1" 200 4941
    	Reason: "Detects specific directory and path traversal"
    
    	127.0.0.1 - - [08/Feb/2020:07:31:17 +0800] "GET /_media/windows/burn-iso-image/windows7-burn-iso-explorer-write-to-disc.png?w=400&tok=e21342 HTTP/1.1" 200 16104
    	Reason: "Detects specific directory and path traversal"
    
    	127.0.0.1 - - [08/Feb/2020:07:31:17 +0800] "GET /windows/disable-system-restore HTTP/1.1" 200 4679
    	Reason: "Detects specific directory and path traversal"
    
    	127.0.0.1 - - [08/Feb/2020:07:31:18 +0800] "GET /windows/firewall-command HTTP/1.1" 200 5511
    	Reason: "Detects specific directory and path traversal"
    
    	127.0.0.1 - - [08/Feb/2020:07:31:19 +0800] "GET /windows/restore-mbr HTTP/1.1" 200 5323
    	Reason: "Detects specific directory and path traversal"
    
    Attack SQL Injection (sqli)
    Attack type: format string
    Attack Remote File Execution (rfe)
    Attack Denial Of Service (dos)
    Attack Directory Traversal (dt)
    Attack Information Disclosure (id)
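To make step 4 less of a black box, here is a small stand-alone re-implementation of what Scalp does between "Loading XML file" and "Scalp results": load the PHP-IDS filter XML, parse each access-log line, percent-decode the request, run every rule and report hits by impact. This is an added example, not Scalp's own code and not the PHP-IDS rule set. The filter file and the log lines are constructed for the example, the three regexes are simplified stand-ins for PHP-IDS rules, and the decisions to percent-decode twice and to apply rules case-insensitively are assumptions that approximate --tough rather than a description of Scalp's exact behaviour. The attacks, exhaustive and ignore_ips parameters mirror --attack, --exhaustive and --ignore-ip; the unparsed list is what --except would write out.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed filter file in the layout of PHP-IDS default_filter.xml (<filters> root;
# each <filter> carries <id>, <rule>, <description>, <tags>, <impact>).  The three
# rules were written for this example and are NOT the PHP-IDS project's own patterns.
FILTER_XML = r"""<filters>
  <filter><id>1</id><rule><![CDATA[(?:\.\./|\.\.\\|%2e%2e%2f|/etc/passwd)]]></rule>
    <description>Detects directory traversal (example rule)</description><tags><tag>dt</tag><tag>lfi</tag></tags><impact>5</impact></filter>
  <filter><id>2</id><rule><![CDATA[(?:<script\b|javascript:|onerror\s*=)]]></rule>
    <description>Detects basic XSS probes (example rule)</description><tags><tag>xss</tag></tags><impact>4</impact></filter>
  <filter><id>3</id><rule><![CDATA[(?:'\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+|union\s+select)]]></rule>
    <description>Detects SQL injection tautologies and UNION probes (example rule)</description><tags><tag>sqli</tag></tags><impact>6</impact></filter>
</filters>"""

# Constructed access-log lines (Apache common/combined format); not from a real server.
LOG_LINES = [
    '127.0.0.1 - - [08/Feb/2020:07:31:12 +0800] "GET /windows/start HTTP/1.1" 200 4541',
    '203.0.113.7 - - [08/Feb/2020:07:40:01 +0800] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1204 "-" "curl/7.64.1"',
    '203.0.113.7 - - [08/Feb/2020:07:40:05 +0800] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 312 "-" "curl/7.64.1"',
    '198.51.100.9 - - [08/Feb/2020:07:41:10 +0800] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2201 "http://example.test/" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Feb/2020:07:42:33 +0800] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "sqlmap/1.4"',
    '198.51.100.9 - - [08/Feb/2020:07:43:02 +0800] "GET /x?f=../../etc/passwd&q=%3Cscript%3E HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'this line is not in Apache log format',
]

LOG_RE = re.compile(  # Apache common/combined: request line, status, size, optional referer + agent
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

def load_filters(xml_text):
    """Parse PHP-IDS style filters; case-insensitive matching is this example's assumption."""
    rules = []
    for f in ET.fromstring(xml_text).iter("filter"):
        rules.append({
            "id": int(f.findtext("id")),
            "regex": re.compile(f.findtext("rule"), re.IGNORECASE | re.DOTALL),
            "description": f.findtext("description"),
            "tags": [t.text for t in f.find("tags").iter("tag")],
            "impact": int(f.findtext("impact")),
        })
    return rules

def parse_line(line):
    """Log fields as a dict, or None for a line the format regex rejects."""
    return m.groupdict() if (m := LOG_RE.match(line)) else None

def decode_forms(value, rounds=2):
    """Raw value plus up to `rounds` percent-decoded forms, so double encoding is still seen."""
    forms = [value]
    for _ in range(rounds):
        nxt = urllib.parse.unquote_plus(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms

def scan_record(rec, rules, attacks=None, exhaustive=False):
    """Run rules over target, Referer and User-Agent; stop at the first hit unless exhaustive."""
    found, seen = [], set()
    for field in ("target", "referer", "agent"):
        value = rec.get(field)
        if not value or value == "-":
            continue
        for form in decode_forms(value):
            for rule in rules:
                if attacks and not (attacks & set(rule["tags"])):
                    continue                      # not in the --attack list
                if rule["id"] in seen or not rule["regex"].search(form):
                    continue
                seen.add(rule["id"])              # one report per rule per line
                found.append({"field": field, "id": rule["id"], "tags": rule["tags"],
                              "impact": rule["impact"], "description": rule["description"]})
                if not exhaustive:
                    return found
    return found

def scan_log(lines, rules, attacks=None, exhaustive=False, ignore_ips=()):
    """Scalp's main loop: returns (hits, unparsed); unparsed is what --except would write."""
    hits, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif rec["ip"] not in ignore_ips:
            for m in scan_record(rec, rules, attacks, exhaustive):
                hits.append({"line": line, "ip": rec["ip"], **m})
    return hits, unparsed

if __name__ == "__main__":
    hits, unparsed = scan_log(LOG_LINES, load_filters(FILTER_XML), exhaustive=True)
    for h in sorted(hits, key=lambda h: -h["impact"]):  # highest impact first
        print(f"[impact {h['impact']}] {h['ip']} {h['field']}: {h['description']}")
    print(f"{len(hits)} hit(s); {len(unparsed)} line(s) skipped as ill-formed")
```

Run as-is it reports six hits: one per hostile line plus a second one for the last line, whose query string carries both a traversal and a script tag; with exhaustive left at False that line reports only its traversal match, which is the difference --exhaustive makes. The double-encoded %252e%252e%252f request is caught only because the target is decoded a second time, and the benign /windows/start request produces no hit because these example rules look for traversal syntax rather than path words. The ill-formed last line is not silently dropped but returned separately, which is what you want to inspect when Scalp's "Processed N lines over M" counts disagree.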