github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 05:45:59 +03:00
Code Issues Packages Projects Releases Wiki Activity
ModSecurity/mlogc/mlogc-batch-load.pl.in
Elia Pinto b3ce3da2fc mlogc-batch-load.pl.in: fix searching SecAuditLogStorageDir files with Apache 2.4 
Setting SecAuditLogType concurrent the files created by modsecurity in the directory SecAuditLogStorageDir
are of the type

%Y%m%d-%H%M%S-UNIQUE_ID

where UNIQUE_ID is produced by the module mod_unique_id. In apache 2.2
UNIQUE_ID was 24 characters long while in apache 2.4 is 27 characters long,
as a result of the new version of mod_unique_id. This patch extends
the regular expression for searching these  log files for apache 2.4 and apache 2.2,
and also with future releases, at least with regard to the length of UNIQUE_ID

Signed-off-by: Elia Pinto <elia.pinto@gmail.com>
2016-01-04 14:57:43 -03:00

148 lines
3.3 KiB
Perl
Executable File
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!@PERL@
#
# ModSecurity for Apache 2.x, http://www.modsecurity.org/
# Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
#
# You may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# If any of the files related to licensing are missing or if you have any
# other questions related to licensing please contact Trustwave Holdings, Inc.
# directly using the email address security@modsecurity.org.
use strict;
use File::Find qw(find);
use File::Spec::Functions qw(catfile);
use Sys::Hostname qw(hostname);
use Digest::MD5 qw(md5_hex);
my $ROOTDIR = $ARGV[0] || '';
my $MLOGC = $ARGV[1] || '';
my $MLOGCCONF = $ARGV[2] || '';
my @AUDIT = ();
if ($ROOTDIR eq '' or ! -e $MLOGC or ! -e $MLOGCCONF) {
printf STDERR "\nUsage: $0 <rootdir> </path/to/mlogc> <mlogc_config>\n\n";
exit 1;
}
open(MLOGC, "|$MLOGC -f $MLOGCCONF") or die "ERROR: could not open '$MLOGC' - $!\n";
find(
{
wanted => sub {
my($fn,$dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size);
(($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size) = stat($_)) &&
-f _ &&
#### MODSEC-204 /^\d{8}-\d+-\w{24}$/s
/^\d{8}-\d+-.{24,}$/s
&& (($fn = $File::Find::name) =~ s/^\Q$ROOTDIR\E//)
&& push(@AUDIT, [$fn, $size]);
},
follow => 1,
},
$ROOTDIR
);
for my $audit (@AUDIT) {
my $fn = $audit->[0];
my $line = "";
my $err = 0;
my $ln = 0;
my $sln = 0;
my $sect = "";
my $data = "";
my %data = (
hostname => hostname(),
remote_addr => "-",
remote_user => "-",
local_user => "-",
logtime => "-",
request => "-",
response_status => "-",
bytes_sent => "-",
referer => "-",
user_agent => "-",
uniqueid => "-",
sessionid => "-",
audit_file => $fn,
extra => "0",
audit_size => $audit->[1],
md5 => "-",
);
### Parse the audit file in an attempt to recreate the original log line
open (AUDIT, "<".catfile($ROOTDIR,$fn)) or $err = 1;
if ($err == 1) {
print STDERR "ERROR: could not open '$fn' - $!\n";
next;
}
while($line = <AUDIT>) {
$data .= $line;
chop $line;
$ln++;
$sln++;
if ($line =~ m%^--[0-9A-Fa-f]{8}-([A-Z])--$%) {
$sect = $1;
$sln = 0;
next;
};
if ($sect eq 'A') {
if ($line =~ m%^(\[[^:]+:\d+:\d+:\d+ [^\]]+\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) {
$data{logtime} = $1;
$data{uniqueid} = $2;
$data{remote_addr} = $3;
}
next;
}
elsif ($sect eq 'B') {
if ($sln == 1) {
$data{request} = $line;
}
elsif ($line =~ m%^User=Agent: (.*)%i) {
$data{user_agent} = $1;
}
elsif ($line =~ m%^Referer: (.*)%i) {
$data{referer} = $1;
}
next;
}
elsif ($sect eq 'F') {
if ($sln == 1 and $line =~ m%^\S+ (\d{3})\D?.*%) {
$data{response_status} = $1;
}
elsif ($line =~ m%^Content-Length: (\d+)%i) {
$data{bytes_sent} = $1;
}
next;
}
}
$data{md5} = md5_hex($data);
printf MLOGC (
"%s %s %s %s %s \"%s\" %s %s \"%s\" \"%s\" %s \"%s\" %s %s %s md5:%s\n",
$data{hostname},
$data{remote_addr},
$data{remote_user},
$data{local_user},
$data{logtime},
$data{request},
$data{response_status},
$data{bytes_sent},
$data{referer},
$data{user_agent},
$data{uniqueid},
$data{sessionid},
$data{audit_file},
$data{extra},
$data{audit_size},
$data{md5},
);
}
Reference in New Issue View Git Blame Copy Permalink