Romain Gaucher, a specialist in web security, offers his Scalp tool in version 0.4. The log analyzer searches for attacks on Apache web applications.
Scalp’s Python script uses regular expressions of the PHP Intrusion Detection System (PHPIDS) project that monitors attacks on PHP applications. Methods used include cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection. Because the Apache web server in its standard form does not employ POST request variables, it can detect only GET request attacks.
The tool outputs its results as a report in text, XML or HTML format (here an example).
Scalp can sort its search results by type of attack, as a formatted HTML page.
In its standard form, the script can handle Apache logs of more than 100 megabytes without a problem, according to Gaucher. Limiting the analysis to a timeframe and a particular type of attack can further reduce the search time for large data sets. The program also allows spot checks in large log files.
The tool consists of a single Python script. Users will also need to download a default filter file. Both are available on the project home page.
Romain Gaucher is currently working on a C++ version of his program.
Comments