Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi!
I got a webserver log saved in a text file and I want to audit it to get different answers like different attacks, hacking attacks, scripting attacks, worm attacks etc.
Please advise me some open source tool that can help me.
I make use of the built in "logwatch" that comes with redhat/centos. It has varying levels of verbosity and can spot some hack attempts and probes. http://www2.logwatch.org:81/
I agree auditing is best done on live requests using the firewall, mod_security, Snort or Prelude and such. You could still run the old log through Logwatch or Webalizer. This won't audit your logs but summarise and group entries, which makes it easier to find patterns and the amount of requests. If you post the top 10 different or the 10 most interesting requests here I'm sure we can help finding out what it's about.
Yeah, but I am looking to get hacking attacks, worm attacks from the log file. Is there any Python script like that? I have searched some but didn't get any one which determines the worm and other attacks.
Regards.
Last edited by capricorn80; 02-24-2008 at 10:18 AM.
On second glance Logwatch (domain no longer registered?) does have http 'sploit tests (albeit rudimentary), else maybe try CodeBlue (Sourceforge) which is kinda stale (2003) but it advertises it uses Nikto sigs, which is a good thing. Another way, if you confine searches to sites that have or archive mailing lists like SecurityFocus, theaimsgroup, insecure.org and such, could be to use a script to query your favourite search engine to find clues. Other than that I've no ideas.
Mod_security will help a ton here. Mod_security also has a script that converts Snort rules into mod_security rules... that way, you can have the application itself looking for the same things Snort would, but at the application level. Logging is also enhanced (on both Snort and mod_security). Just my .02 though.
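The kind of script the original poster asked for earlier in the thread, a Python audit of a saved Apache/nginx combined-format log that flags worm probes, traversal and script/SQL injection attempts, as an added example that is not from any poster here nor from Logwatch, CodeBlue or Nikto. The signature set is a small illustrative one (an assumption, not a real rule file) and the log lines are constructed for the example; the only point worth copying is that patterns are matched against the URL-decoded path so encoded variants are not missed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" log line: ip - - [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]+)?" (?P<status>\d{3}) ')

# Illustrative signatures (an assumption for this example, not a Nikto/Snort rule file)
SIGNATURES = {
    "worm-probe": re.compile(r"/default\.ida|/scripts/root\.exe|cmd\.exe", re.I),
    "traversal":  re.compile(r"\.\./|\.\.\\"),
    "script-inj": re.compile(r"<script|javascript:", re.I),
    "sql-inj":    re.compile(r"union\s+select|'\s*or\s*'1'\s*=\s*'1", re.I),
}

def parse_line(line):
    # Return the fields of one log line, or None when it is not in combined format
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(path):
    # Decode percent-encoding once so ..%2F..%2F and ../../ hit the same rule
    decoded = unquote(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def audit(lines):
    # Returns (hits, suspicious requests per source IP); a hit keeps ip, path, status, categories
    hits, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None: continue  # skip malformed or truncated lines instead of crashing
        cats = classify(rec["path"])
        if cats:
            hits.append((rec["ip"], rec["path"], rec["status"], cats))
            per_ip[rec["ip"]] += 1
    return hits, per_ip

# Constructed sample log (RFC 5737 documentation addresses), not real traffic
SAMPLE_LOG = """\
203.0.113.5 - - [24/Feb/2008:10:18:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Feb/2008:10:18:02 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 209 "-" "-"
203.0.113.9 - - [24/Feb/2008:10:18:03 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [24/Feb/2008:10:18:04 +0000] "GET /view.cgi?f=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 221 "-" "curl/7.18"
198.51.100.7 - - [24/Feb/2008:10:18:05 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "curl/7.18"
garbage line that does not parse
"""
if __name__ == "__main__":
    for ip, path, status, cats in audit(SAMPLE_LOG.splitlines())[0]:
        print(ip, status, ",".join(cats), path)
```

Feed it a real file with `audit(open("access.log"))` and sort `per_ip.most_common()` to get the noisiest sources first; expect false positives from legitimate paths and tune the patterns before trusting a count.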