C o d e R e d Stats script

From: Jason Brvenik (jason@brvenik.com)
Date: 08/10/01


Message-ID: <3B7369D9.1B8A2D9D@brvenik.com>
Date: Fri, 10 Aug 2001 00:58:02 -0400
From: Jason Brvenik <jason@brvenik.com>
To: incidents@securityfocus.com
Subject: C  o  d  e  R  e  d Stats script

Hi all,

  I am sure that many of you have done this already but I haven't seen
the like posted so here it is. Yeah, too late and too short but I still
see probes every 3 minutes across 3 of my sites. It's simple and it
gives me the information I was looking for, hope it helps someone else.

I am mailing the administrators of the offending sites if I can find one
or the upstream if I can't. If we all do this maybe the stragglers will
get a clue.

What does it do?
1) tracks the information by request method, requested page, and
parameters passed ( code ).
    I figured it would be easy to see if yet another variant pops up
this way and it makes it small.
2) tracks the IPs and counts number of hits from each.
3) adds it all up and tells you.

Jason.

begin - C o d e R e d S t a t s

#!/usr/bin/perl -w -T
# No Copyright, No warranties, No Worries.
# It's not my fault if something goes wrong.
# For apache but easily ported.

use strict;
use CGI;

my $cgi    = CGI->new;
my $detail = $cgi->param('detail');   # any true value turns on per-hit output
my $total  = 0;
my $start;
my ( %unique, %hosts );

# Everything read from the log is supplied by the remote client, so
# HTML-escape it before it goes into the page.
sub esc { return $cgi->escapeHTML( defined $_[0] ? $_[0] : '' ); }

print $cgi->header;
print $cgi->start_html(-title=>'CodeRed Log Dump',
                       -author=>'jason@brvenik.com');
open(LOG, "</path/to/your/apache/access-log")
    or die "cannot open access log: $!";
while (<LOG>) {
   if ( $_ =~ /\.ida/ ) {
        # Common Log Format:
        # ip ident user [date zone] "method request proto" status bytes
        my ( $ip, undef, undef, $date_time, undef, $method, $request ) =
            split(/ /, $_);
        next unless defined $request;       # skip truncated lines
        $date_time = $date_time . "]";
        $method =~ s/^"//;                  # strip the quote that opens the request field
        $start = $date_time unless defined $start;
        my ( $page, $code ) = split(/\?/, $request, 2);
        $page = '' unless defined $page;
        $code = '' unless defined $code;    # request carried no parameters
        $unique{$method}{$page}{$code}++;
        $hosts{$ip}++;
        if ($detail) {
                print $cgi->br . "\n";
                print "from IP:" . esc($ip) . $cgi->br . "\n";
                print "request method:" . esc($method) . $cgi->br . "\n";
                print "page requested:" . esc($page) . $cgi->br . "\n";
                print "code sent:" . esc($code) . $cgi->br . "\n";
                print "at:" . esc($date_time) . $cgi->br . "\n";
                print "Running Count:" .
                      $unique{$method}{$page}{$code} . $cgi->br . "\n";
        }
        $total++;
   }
}
close(LOG);

# Totals per method / page / code combination.
foreach my $method_key (keys %unique ) {
    foreach my $page_key (keys %{ $unique{$method_key} } ) {
        foreach my $code_key (keys %{ $unique{$method_key}{$page_key} } ) {
                print "total for method of " . esc($method_key) . " page of "
                    . esc($page_key) . " code of " . esc($code_key)
                    . $cgi->br . "\n";
                print "is " .
                      $unique{$method_key}{$page_key}{$code_key} . $cgi->br . "\n";
        }
    }
}
my $unique_hosts = scalar keys %hosts;
$start = 'n/a' unless defined $start;       # no .ida requests in the log
print "there have been " . $total . " ida requests since " . esc($start) .
      " from " . $unique_hosts . " unique hosts\n";
print $cgi->br;
print $cgi->br;
print $cgi->br;
print $cgi->br;

# Hit count per source address.
foreach my $host_key (keys %hosts) {
        print esc($host_key) . " has attempted " . $hosts{$host_key} .
              " times" . $cgi->br . "\n";
}
print $cgi->end_html;

END - C o d e R e d S t a t s

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


