ModSecurity log parser

Transforms the ModSecurity error logs (web server portion) into a meaningful information given a context.

This solution was initially made to verify the correctness of the ModSecurity version 3 when compared to ModSecurity version 2. But it also has great value for ModSecurity users in general, that wants to categorize and have a pretty print view of their logs.

How to Install

This set of scripts does not demands installation, proced with the code download followed by the execution. You should be able to run out-of-the-box.

Python will let you know if there is a missing dependency.

How to use it

This is a set of scripts that can be used to parse and compare ModSecurity logs. The scripts are listed below.

modsec-log-parser.py

This script reads the webserver error log and summarize the ModSecurity messages in the output. Here is an example of the output:

$ ./modsec-log-parser.py --summary="uri,id,msg" /var/log/apache2/error.log
/mpcgi/book.cgi 980130 Inbound Anomaly Score Exceeded (Total Inbound Score: 20 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=10,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Unix Shell Code Found
/mpcgi/book.cgi 913100 Found User-Agent associated with security scanner
/mpcgi/book.cgi 932160 Remote Command Execution: Unix Shell Code Found
/mpcgi/book.cgi 930120 OS File Access Attempt
/mpcgi/book.cgi 949110 Inbound Anomaly Score Exceeded (Total Score: 20)
/mpcgi/book.cgi 932100 Remote Command Execution: Unix Command Injection

modsec-log-compare.py

You can use this scripts to compare the output of two files generated by the modsec-log-parser.py.

$ ./modsec-log-compare.py nginx.txt apache.txt

*** diff at: /search.asp

In: nginx.txt
 - 913100 Found User-Agent associated with security scanner
 - 920270 Invalid character in request (null character)
 - 949110 Inbound Anomaly Score Exceeded (Total Score: 13)
 - 949110 Inbound Anomaly Score Exceeded (Total Score: 5)
 - 980130 Inbound Anomaly Score Exceeded (Total Inbound Score: 13 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Invalid character in request (null character)
 - 980130 Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Found User-Agent associated with security scanner
 
In: apache.txt
 - 913100 Found User-Agent associated with security scanner
 - 920270 Invalid character in request (null character)
 - 941100 XSS Attack Detected via libinjection
 - 941110 XSS Filter - Category 1: Script Tag Vector
 - 941160 NoScript XSS InjectionChecker: HTML Injection
 - 949110 Inbound Anomaly Score Exceeded (Total Score: 28)
 - 949110 Inbound Anomaly Score Exceeded (Total Score: 5)
 - 980130 Inbound Anomaly Score Exceeded (Total Inbound Score: 28 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection
 - 980130 Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Found User-Agent associated with security scanner

Notice: The first entry will be used as a comparison key.

Alternatives and similar

• https://github.com/Apache-Labor/labor/blob/master/bin/modsec-rulereport.rb
• https://github.com/Ixolit/modsecparser