LogAn
is a tool to analyse SSL apache log files and scan for XSS, SQLi and File inclusion attempts in GET requests.
LogAn
can also detect privacy leaks in the form of email addresses present in GET requests, POST requests or HTTP referrer headers.
Attacks are detected primarily using regular expressions collated by the OWASP ModSecurity Core Rule Set project.
Python version > 3.6 is required. Additionally, a number of extra libraries need to be installed. This can be done using the commands below:
pip install ipaddress
pip install ua-parser
pip install regex
pip install configparser
git clone https://github.com/shanpandya/LogAn
The latest OWASP ModSec rules can be downloaded directly from the OWASP Github page (a copy can also be found on this page in the 'Filters_and_Rule_Sets' folder). The files required are :
REQUEST-930-APPLICATION-ATTACK-LFI.conf
REQUEST-941-APPLICATION-ATTACK-XSS.conf
REQUEST-942-APPLICATION-ATTACK-SQLI.conf
lfi-os-files.data
restricted-files.data
These files should all be placed into a folder in the main directory named 'Filters_and_Rule_Sets'.
The latest 'crawler-user-agents.json' file should also be downloaded from:
https://github.com/monperrus/crawler-user-agents
This file should also be placed in the 'Filters_and_Rule_Sets' folder.
Setup.py
parses all the downloaded files and creates two folders named App_data
and Setup_Files
. The App_data
folder should be left alone and is required by LogAn
to run. Setup_Files
contains 3 files:
configuration_file.ini
: The user can edit this configuration file to adjust result filteringfalse_positive_SQL_regex.txt
: See 'Advanced filtering'false_positive_XSS_regex.txt
: See 'Advanced filtering'
To run Setup.py
, enter in the terminal/command line:
python Setup.py -defaults
This will create a configuration file with settings recommended for a first scan of log files
If you would like to create a blank configuration file with all options initially set to false, run Setup.py
without any command line arguments:
python Setup.py
Mark options in 'configuration_file.ini' to True
to modify scan parameters, then run LogAn.py
:
python LogAn.py DIRECTORY_WHERE_LOG_FILES_ARE_STORED
LogAn
will produce a file named 'Results.txt' with a list of detections.
Advanced filtering options to remove XSS and SQLi false positives are available, and custom regex can be added to 'false_positive_XSS_regex.txt' and 'false_positive_SQL_regex.txt' (these files are created after running Setup.py
.
Do not delete any lines from the template file. New comments in the file should be prefixed with ';'. By default, the parser will escape special characters. To do this manually for a line, prefix the regular expression with the '~' character.
This project was conducted as part of a UROP (Summer Research) placement at Imperial College London under the supervision of Dr Sergio Maffeis.