
modsecurity-parser's Introduction

modsecurity audit log parser, analyser and chart maker

TL;DR

Get an overview of the security incidents reported by the ModSecurity module from a modsec_audit.log file.

2019.04.17 update

  • added support for Modsecurity3 log (Nginx/Apache)
  • added feature to read Modsecurity log in JSON format

Description

modsecurity-parser is a Python program that reads a modsecurity.org modsec_audit.log, transforms the events it contains into formats that are easier for humans and machines to consume (xlsx/json) and draws some basic charts.

Functionality list:

  • JSON output file whose layout conforms to the JSON audit logging added in ModSecurity 2.9
  • XLSX output file which can be analysed further with desktop tools
  • PNG file with some basic charts: timeline of non-blocked vs intercepted events, TOP10 source IP addresses, TOP20 rule IDs hit, TOP10 attacks intercepted
  • Graph analysis examples



    Installation

    The software needs at least Python 3.5.2 with the following additional libraries:

  • Pandas 0.22
  • Pillow
  • matplotlib 2.1.2
  • numpy 1.13.1
  • openpyxl 2.4.0

    Basic usage

    python3 modsecurity-parser.py -f /home/user/logs/modsec_audit.log
    

    In that case the results are written to a subdirectory "modsec_output" created next to the analysed log.

    More options

    python3 modsecurity-parser.py -h
    

    INCLUDE and EXCLUDE filters are available for source IP addresses.

    --exclude (e.g. "--exclude 192.168.0.1 10.0.0.1") simply skips events with the given source IP addresses.

    --include (e.g. "--include 10.0.5.6") takes precedence over EXCLUDE: when INCLUDE is given, only events with the listed source IP addresses are processed.

    --jsononeperline - recommended for a large number of events, e.g. when the produced JSON is to be read by a SIEM tool. Uses the very same format ModSecurity itself writes when its audit log type is set to "JSON".
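The parsing and filtering described above (splitting the serial audit log into its lettered sections, pulling the rule IDs and the intercept decision out of section H, emitting one JSON document per line, and applying INCLUDE/EXCLUDE with INCLUDE taking precedence), as an added example that is not the project's own code. The sample log, its boundary IDs and transaction IDs, the section regexes, the LOG_TIMESTAMP_FORMAT value and every function name are assumptions of this example; real modsec_audit.log sections carry more headers and full rule-file paths than the constructed lines below.

```python
"""Added example (not the project's own code): a minimal parser for the serial
ModSecurity 2.x audit log with the README's INCLUDE/EXCLUDE source-IP filters."""
import json
import re
from collections import Counter
from datetime import datetime

# Timestamp layout in section A; adjust for logs written under another locale.
LOG_TIMESTAMP_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
BOUNDARY_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
SECTION_A_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src_ip>\S+) (?P<src_port>\d+) (?P<dst_ip>\S+) (?P<dst_port>\d+)$")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
RULE_MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
INTERCEPTED_RE = re.compile(r"^Action: Intercepted", re.M)  # written only when blocked

# Constructed sample (not a real capture): one transaction blocked by CRS, one only logged.
SAMPLE_LOG = """\
--a1b2c3d4-A--
[17/Apr/2019:10:15:01 +0200] XLb9fX@AAAEYbYmYAAAAA 203.0.113.7 51234 10.0.0.5 80
--a1b2c3d4-B--
GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1
Host: www.example.test
--a1b2c3d4-H--
Message: Warning. detected SQLi using libinjection [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
--a1b2c3d4-Z--
--c9d0e1f2-A--
[17/Apr/2019:10:17:05 +0200] XLb9hX@AAAEYbYmYAAAAC 192.168.0.1 55100 10.0.0.5 80
--c9d0e1f2-B--
GET /health HTTP/1.1
Host: 10.0.0.5
--c9d0e1f2-H--
Message: Warning. Pattern match at REQUEST_HEADERS:Host. [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "20"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"]
Engine-Mode: "DETECTION_ONLY"
--c9d0e1f2-Z--
"""

def split_events(text):
    """Group lines by '--<id>-<letter>--' boundaries into {section: text} dicts."""
    events, current, letter = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if not m:
            if current is not None and letter is not None:
                current[letter].append(line)
            continue
        boundary_id, letter = m.groups()
        if letter == "A":
            current = {"_id": boundary_id}
        elif current is None or boundary_id != current["_id"]:
            letter = None  # section without a matching A header: skip it
            continue
        if letter == "Z":
            events.append({k: "\n".join(v).strip() for k, v in current.items() if k != "_id"})
            current, letter = None, None
        else:
            current[letter] = []
    return events

def parse_event(sections):
    """Flatten one event; rule ids/msgs come from the 'Message:' lines of section H."""
    a = SECTION_A_RE.match(sections.get("A", ""))
    if a is None:
        raise ValueError("section A missing or in an unexpected layout")
    h, b_lines = sections.get("H", ""), sections.get("B", "").splitlines()
    return {
        "transaction_id": a.group("uid"),
        "timestamp": datetime.strptime(a.group("ts"), LOG_TIMESTAMP_FORMAT).isoformat(),
        "src_ip": a.group("src_ip"), "src_port": int(a.group("src_port")),
        "dst_ip": a.group("dst_ip"), "dst_port": int(a.group("dst_port")),
        "request_line": b_lines[0] if b_lines else "",
        "rule_ids": RULE_ID_RE.findall(h),
        "messages": RULE_MSG_RE.findall(h),
        "intercepted": INTERCEPTED_RE.search(h) is not None,
    }

def keep_event(event, include=(), exclude=()):
    if include:  # README semantics: a non-empty INCLUDE list wins over EXCLUDE entirely
        return event["src_ip"] in set(include)
    return event["src_ip"] not in set(exclude)

def parse_log(text, include=(), exclude=()):
    return [e for e in map(parse_event, split_events(text)) if keep_event(e, include, exclude)]

def to_json_lines(events):
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)  # one document per line

def summarize(events):
    """The counts behind the README's charts: blocked vs passed, top IPs, top rule IDs."""
    return {"intercepted": sum(e["intercepted"] for e in events),
            "passed": sum(not e["intercepted"] for e in events),
            "top_src_ip": Counter(e["src_ip"] for e in events).most_common(10),
            "top_rule_ids": Counter(r for e in events for r in e["rule_ids"]).most_common(20)}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG, exclude=["192.168.0.1"])  # drop the internal health checker
    print(to_json_lines(evs))
    print(summarize(evs))
```

Run as a script it prints one JSON line for the blocked SQLi transaction and the chart counts; passing include=["192.168.0.1"] together with the same exclude list returns only the health-check event, which is the precedence rule stated above. A log whose section A timestamps were written under another locale makes strptime raise ValueError, the failure mode the Limitations section warns about.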

    Processing a ModSecurity3 log

    --version3 (e.g. "modsecurity-parser.py -f modsec_audit.log --version3")

    Processing a ModSecurity log in JSON format

    --jsonaudit (e.g. "modsecurity-parser.py -f modsec_audit.log --jsonaudit")

    Limitations:

  • The biggest modsec_audit.log tested was 1GB in size with around 70000 records. Processing took roughly 5 minutes on an 8-year-old workstation and memory usage temporarily rose to 2GB of RAM.
  • The modsec_audit.log files were taken from Apache web servers with the locale set to en-US. Expect some errors if the datetime format in the audited log differs; adjust LOG_TIMESTAMP_FORMAT and LOG_TIMESTAMP_FORMAT_SHORT accordingly.
  • To process more than 90000 events, adjust MAXEVENTS.
  • Tested with modsec_audit.log from versions 2.8/2.9/3.0. Note that ModSecurity3 produces an empty section H in some cases, so not all information is available to be presented properly in all graphs.

    Run via Docker

    Create a subfolder (e.g. "modseclogs") and put some ModSecurity audit logs into it (by default only a file named modsec_audit.log is processed). Output files are created inside ${subfolder}/modsec_output.

    Run command

    docker run --rm -ti --mount type=bind,source="$(pwd)"/modseclogs,target=/opt/mounted molu8bits/modsecurity-parser:0.2

    Get some more docker options:

    docker run --rm -ti -e HELP=Yes molu8bits/modsecurity-parser:0.2

    TODO Update Docker image to version 0.2
