Hi,
I am trying to make a shell script that will parse lines off error_log of Apache and parse IPs off of it.
The lines I need to parse are security warnings made by ModSecurity.
Example:
[Fri Feb 22 22:18:46 2008] [error] [client 111.222.11.22] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:Referer. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "www.ppktj.org"] [uri "/component/option,com_frontpage/Itemid,1/"] [unique_id "D-CJRELFlREAAHasAoAAAAAB"]
[Fri Feb 22 22:19:38 2008] [error] [client 111.222.11.22] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:action. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "deleted"] [uri "/index.php?option=com_smf&Itemid=2&action=gallery;sa=view;id=6"] [unique_id "EwelkULFlREAAG6PLmsAAAAA"]
[Fri Feb 22 22:19:43 2008] [error] [client 111.222.11.22] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:action. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "deleted"] [uri "/index.php?option=com_smf&Itemid=2&action=gallery;sa=view;id=17"] [unique_id "E0hda0LFlREAAG6PLm0AAAAA"]
[Fri Feb 22 22:20:06 2008] [error] [client 111.222.11.22] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:action. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "deleted"] [uri "/index.php?option=com_smf&Itemid=2&action=gallery;sa=edit;id=11"] [unique_id "FLCd20LFlREAAGGyk-0AAAAO"]
[Fri Feb 22 22:22:29 2008] [error] [client 111.222.11.22] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:action. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "deleted"] [uri "/index.php?option=com_smf&Itemid=2&action=gallery;sa=view;id=2"] [unique_id "HTTHB0LFlREAABomVsEAAAAE"]
[Fri Feb 22 22:22:29 2008] [error] [client 111.222.11.22] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:action. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "deleted"] [uri "/index.php?option=com_smf&Itemid=2&action=gallery;sa=view;id=2"] [unique_id "HTmshULFlREAAG6PLnwAAAAA"]
[Fri Feb 22 22:26:30 2008] [error] [client 111.222.11.22] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:action. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "deleted"] [uri "/index.php?option=com_smf&Itemid=2&action=gallery;sa=view;id=11"] [unique_id "K5AlAkLFlREAAF-cX2gAAAAJ"]
[Fri Feb 22 22:27:38 2008] [error] [client 111.222.11.22] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:action. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "deleted"] [uri "/index.php?option=com_smf&Itemid=2&action=gallery;sa=view;id=11"] [unique_id "L5mzvkLFlREAAG6PLoEAAAAA"]
[Fri Feb 22 22:27:39 2008] [error] [client 111.222.11.22] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:action. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "deleted"] [uri "/index.php?option=com_smf&Itemid=2&action=gallery;sa=view;id=11"] [unique_id "L60fpkLFlREAAG6PLoIAAAAA"]
[Fri Feb 22 22:27:39 2008] [error] [client 111.222.11.22] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:action. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "deleted"] [uri "/index.php?option=com_smf&Itemid=2&action=gallery;sa=view;id=11"] [unique_id "L7QDekLFlREAAGGzlJsAAAAP"]
[Fri Feb 22 22:34:18 2008] [error] [client 111.222.11.22] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:action. [id "950006"] [msg "System Command Injection. Matched signature <;id>"] [severity "CRITICAL"] [hostname "deleted"] [uri "/index.php?option=com_smf&Itemid=2&action=gallery;sa=view;id=11"] [unique_id "R32E8ELFlREAAF-cX94AAAAJ"]As far as I know, I need to cat, grep and use awk/sed to parse out the IP.
Then just put >> filename to put the IPs in to a list so CSF can load a block list off of it.
Basically, steps that this shell script would do:
1. Check if IP list exists or not.
2.A If file exists, rm -rf
2.B If file doesn't exist, continue to 3
3. Make list of IPs
(cat /usr/local/apache/logs/error_log|grep "Access denied with code 406"|awk (I'm not sure...) >> /etc/blocklist
4. Load IPList on to blocklist
5. Make CSF read the blocklist
Could you help me make part 3?
I'm not really sure on that part.
Thanks