Wednesday, December 19, 2007

Modsecurity again

Reading through some of my unread modsecurity mailing list emails, I found this tidbit (pretty simple, actually):

egrep '^Message:' modsec_audit.log | sort | uniq -c | sort -rn

I edited it to read: egrep 'message:' audit_log | sort | uniq -c | sort -rn

I see the following after running those commands:


927 mod_security-message: Access denied with code 403. Pattern match "index.php" at REQUEST_URI [id "1005"][rev "2"] [msg "index.php usage, suspicious activity"] [severity "ALERT"]
728 mod_security-message: Access denied with code 403. Pattern match "cmd.txt" at REQUEST_URI [id "1005"][rev "2"] [msg "cmd.txt usage, suspicious activity"] [severity "ALERT"]
668 mod_security-message: Warning. Pattern match "/robots\\.txt" at THE_REQUEST [severity "EMERGENCY"]
377 mod_security-message: Warning. Pattern match "/*\\.shtml" at THE_REQUEST [severity "EMERGENCY"]
171 mod_security-message: Access denied with code 500. Pattern match "\\?\\?\\?\\?\\?\\?\\?\\?\\?\\?" at THE_REQUEST [severity "EMERGENCY"]
141 mod_security-message: Access denied with code 403. Pattern match "/xmlrpc.php" at REQUEST_URI [id "1003"][rev "2"] [msg "lupper-type attack attempt"] [severity "CRITICAL"]
127 mod_security-message: Warning. Pattern match "/\\?M=D" at THE_REQUEST [severity "EMERGENCY"]
127 mod_security-message: Access denied with code 403. Pattern match "index2.php" at REQUEST_URI [id "1005"][rev "2"] [msg "index2.php usage, suspicious activity"] [severity "ALERT"]
115 mod_security-message: Access denied with code 500. Pattern match "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER("Content-Type") [severity "EMERGENCY"]
82 mod_security-message: Access denied with code 403. Pattern match "adxmlrpc.php" at REQUEST_URI [id "1004"][rev "2"] [msg "lupper-type attack attempt"] [severity "CRITICAL"]
51 mod_security-message: Access denied with code 403. Pattern match "login.php" at REQUEST_URI [id "1005"][rev "2"] [msg "login.php usage, un-kosher activity"] [severity "ALERT"]
48 mod_security-message: Access denied with code 500. Pattern match "\\." at REQUEST_URI [severity "EMERGENCY"]
29 mod_security-message: Access denied with code 500. Pattern match "\\.\\." at THE_REQUEST [severity "EMERGENCY"]
12 mod_security-message: Access denied with code 500. Error normalising REQUEST_URI: Invalid character detected [0] [severity "EMERGENCY"]
8 mod_security-message: Access denied with code 403. Pattern match "index.php" at POST_PAYLOAD [id "1005"][rev "2"] [msg "index.php usage, suspicious activity"] [severity "ALERT"]
7 mod_security-message: Access denied with code 500. Pattern match "/calendar" at THE_REQUEST [severity "EMERGENCY"]
5 mod_security-message: Warning. Pattern match "/bash" at THE_REQUEST [severity "EMERGENCY"]
4 mod_security-message: Access denied with code 500. Pattern match "wget\\x20" at REQUEST_URI [severity "EMERGENCY"]
2 mod_security-message: Access denied with code 500. Pattern match "\\?&" at THE_REQUEST [severity "EMERGENCY"]
2 mod_security-message: Access denied with code 500. Pattern match "/root\\.exe" at THE_REQUEST [severity "EMERGENCY"]
1 mod_security-message: Access denied with code 403. Pattern match "/cmd.exe" at REQUEST_URI [id "1002"][rev "2"] [msg "codered/nimda attack attempt"] [severity "ALERT"]


The logs go back to May of 2007.

I did the same for my snort logs:


egrep 'Classification:' alert | sort | uniq -c | sort -rn

14441 [Classification: Misc activity] [Priority: 3]
1892 [Classification: Web Application Attack] [Priority: 1]
1857 [Classification: Attempted Information Leak] [Priority: 2]
1613 [Classification: Misc Attack] [Priority: 2]
1147 [Classification: access to a potentially vulnerable web application] [Priority: 2]
442 [Classification: Executable code was detected] [Priority: 1]
7 [Classification: Potentially Bad Traffic] [Priority: 2]
3 [Classification: Attempted User Privilege Gain] [Priority: 1]
3 [Classification: Attempted Denial of Service] [Priority: 2]
2 [Classification: Detection of a Network Scan] [Priority: 3]
1 [Classification: Attempted Administrator Privilege Gain] [Priority: 1]


This Snort log is 7.4M in size.

Pretty cool, eh? I thought it would be cool to share this!

No comments: