Apache Logfile Security Analyzer
Switch branches/tags
Nothing to show
Clone or download
Latest commit 3960fa7 Jul 15, 2016
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
geoip Updated GeoIP information Dec 14, 2015
papers Remove obsolete papers Mar 28, 2014
pchart LORG (HiP_2013 release) Jun 20, 2013
phpids Updated Config Jul 5, 2013
viewer Icon links fixed May 15, 2014
LICENSE.md moved include/* into main code. fixed some bugs. Jun 23, 2013
README.md Added Requirements Jul 13, 2016
lorg Corrected: Enable use of multiple -d options Oct 10, 2013

README.md

LORG

A tool for advanced HTTPD logfile security analysis and forensics

Web server log files are the primary source of information to reconstruct the course of events if your website got pwned due to vulnerable web applications. However, extracting the relevant information from huge files can be a difficult task. LORG is a tool aimed at security professionals and administrators to simplify the job of finding the 'needle in a haystack' (aka vulnerable web application) in the scenario of post-attack forensics. It aims to implement various state of the art approaches to detect attacks against web applications within HTTP traffic logs (e.g. Apache's access_log), including signature-based, statistical and machine learning techniques. Detected incidents are subsequently grouped into sessions which are classified as 'hand-crafted' or automated to distinguish whether the attacker is a man or a machine. In addition, geotargeting and DNSBL lookups can be performed to see if the attacks originate from a certain geolocation or botnet. Furthermore attacks can be quantified in terms of success or failure, based on anomalies within the size of HTTP responses, HTTP response codes or active replay of suspicious requests.

Pre-alpha. Previously developed as WebForensik.

Requirements

In order to run LORG, you need PHP and the following PHP extensions:

  • pcntl
  • simplexml
  • filter
  • mbstring
  • ctype

To install PHP and this extensions on FreeBSD systems, from binary packages, you can run (for instance for PHP version 5.6):

# pkg install php56 php56-pcntl php56-simplexml php56-filter php56-mbstring php56-ctype

Also consider raising memory_limit in php.ini to avoid errors when parsing large files.

Getting started

The easiest way to install LORG is to clone the GitHub repository:

$ git clone https://github.com/jensvoid/lorg

To get started, please read the documentation in the Wiki. For the impatient, try something like:

$ ./lorg -d phpids -u -g /path/to/access_log

Usage

Usage: lorg [-i input_type] [-o output_type] [-d detect_mode]
            [-a add_vector] [-c client_ident] [-b dnsbl_type]
            [-q quantification] [-t threshold] [-v verbosity]
            [-n] [-u] [-h] [-g] [-p] input_file [output_file]

 -i allowed input formats: common combined vhost logio cookie
 -o allowed output formats: html json xml csv
 -d allowed detect modes: chars phpids mcshmm dnsbl geoip all
 -a additional attack vectors: path argnames cookie agent all
 -c allowed client identfiers: host session user logname all
 -b allowed dnsbl types: tor proxy zombie spam dialup all
 -q allowed quantification types: status bytes replay all
 -t threshold level as value from 0 to n (default: 10)
 -v verbosity level as value from 0 to 3 (default: 1)
 -n do not summarize results, output single incidents
 -u urldecode encoded requests (affects reports only)
 -h try to convert numerical addresses into hostnames
 -g enable geotargeting (separate files are needed!)
 -p perform a naive tamper detection test on logfile

Additional Resources