LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-21-2008, 12:26 PM   #1
capricorn80
Member
 
Registered: Jun 2006
Distribution: CentOS
Posts: 152

Rep: Reputation: 15
log file auditing


Hi !
I got a webserver log saved in text file and i want to audit to get different answers like different attacks , hacking attacks , scripting attacks , worm attacks etc.
Pls advice me some open soure tool that can help me

Regards
 
Old 02-21-2008, 03:17 PM   #2
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Rep: Reputation: 38
I make use of the built in "logwatch" that comes with redhat/centos. It has varying levels of verbosity and can spot some hack attempts and probes.
http://www2.logwatch.org:81/
 
Old 02-22-2008, 10:38 AM   #3
capricorn80
Member
 
Registered: Jun 2006
Distribution: CentOS
Posts: 152

Original Poster
Rep: Reputation: 15
I tried it but it didnt give me help in customize way. As i am just looking to have scan on one log file containing webserver log.
 
Old 02-22-2008, 11:00 AM   #4
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Rep: Reputation: 38
I think the detecting intrusion attempts would be better suited for something like snort rather than a log analyzer.
 
Old 02-23-2008, 09:22 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
I agree auditing is best done on live requests using the firewall, mod_security, Snort or Prelude and such. You could still run the old log through Logwatch or Webalizer. This won't audit your logs but summarise and group entries which makes it easier to find patterns and the amount of requests. If you post the top 10 different or the 10 most interesting requests here I'm sure we can help finding out what's it about.

Last edited by unSpawn; 02-24-2008 at 12:06 PM.
 
Old 02-24-2008, 08:46 AM   #6
capricorn80
Member
 
Registered: Jun 2006
Distribution: CentOS
Posts: 152

Original Poster
Rep: Reputation: 15
yea but i am looking to get hacking attacks , worm attacks from log file. Is there any python script like that . i have searched some but didnt get any one which deteremines the worm and other attacks.

Regards.

Last edited by capricorn80; 02-24-2008 at 11:18 AM.
 
Old 02-24-2008, 07:32 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
On second glance Logwatch (domain no longer registered?) does have http 'sploit tests (albeit rudimentary) else maybe try CodeBlue (Sourceforge) which is kinda stale (2003) but it advertises it uses Nikto sigs which is a good thing. Another way, if you confine searches to sites that have or archive mailing lists like SecurityFocus, theaimsgroup, insecure.org and such, could be to use a script to query your favourite searchengine to find clues. Other than that I've no ideas.
 
Old 02-27-2008, 08:35 AM   #8
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Quote:
Originally Posted by unSpawn View Post
I agree auditing is best done on live requests using the firewall, mod_security, Snort or Prelude and such. You could still run the old log through Logwatch or Webalizer. This won't audit your logs but summarise and group entries which makes it easier to find patterns and the amount of requests. If you post the top 10 different or the 10 most interesting requests here I'm sure we can help finding out what's it about.
Mod_security will help a ton here. Mod_security also has this script that converts snort rules into mod_security rules...that way, you can have the application itself looking for the same things Snort would, but at the application level. Logging is also enhanced (on both Snort and mod_security). Just my .02 though.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
log file auditing capricorn80 Ubuntu 1 02-21-2008 01:35 PM
LXer: Use auditing to track reads and writes in a file LXer Syndicated Linux News 0 08-12-2007 11:30 AM
LXer: Use auditing to track reads and writes in a file LXer Syndicated Linux News 0 08-12-2007 02:02 AM
any ideas to reduce log file size or make log file size managed? George2 Programming 2 08-13-2006 07:55 AM
File Auditing Software earlybird_66 Linux - Software 0 10-13-2004 03:48 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:48 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration