Le Tue, Jan 29, 2002 at 01:55:12PM +0100, Vincent Haverlant a écrit:
| 
| And the script (logfilter.py) itself is attached. It could
| be adapted to call iptables.
| 

Forgot the attachment...

Vincent.
-- 
   .~.          Vincent Haverlant  -- Galadril -- #ICQ: 35695155   
   /V\          MUD -- FranDUMII (telnet:frandum.enst.fr:2001)
  /( )\         Parinux (www.parinux.org)
  ^^-^^  "There is no system but GNU, and Linux is one of its kernels"
#!/usr/bin/python2
# (C) Vincent Haverlant 2001

import sys, re, time;

# The filter reads the interpreter's original stdin and writes its original
# stdout (sys.__stdin__ / sys.__stdout__ rather than sys.stdin / sys.stdout).
file_in, file_out = sys.__stdin__, sys.__stdout__

# RCS keyword expanded on checkout; not referenced elsewhere in this listing.
logfiletr_version = "$Id: logfilter.py,v 1.2 2001/10/01 13:40:07 vincent Exp $"

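# Every pattern starts the same way: an IPv4 client address, the two "-"
# fields (ident and user) and the bracketed timestamp of an Apache
# common/combined log line. Groups: IP and DATE.
#
# Two things follow directly from this prefix:
# - The address is only checked for shape -- each octet is 1 to 3 digits, so
#   "999.999.999.999" passes. If this is ever adapted to feed iptables, as the
#   cover mail suggests, validate the octets and pass the address as its own
#   subprocess argument, never inside a shell command string.
# - A line whose client field is not a dotted IPv4 address (hostnames with
#   HostnameLookups on, for instance) never matches and is passed through
#   unfiltered, which is the safe direction for a filter that suppresses.
#
# Raw strings are used so the regex escapes (\., \[, \") reach ``re``
# unchanged instead of going through Python's string-escape processing.
# (The patterns were line-wrapped by the mail client; they are single
# literals again here.)
LOG_RE_PREFIX = r"^(?P<IP>([0-9]{1,3}\.){3}[0-9]{1,3})([ \t]-){2}[ \t](?P<DATE>\[.*\])"

# access.log HTTP Nimda 408 example (request timeout, no request line):
# 193.251.44.55 - - [30/Sep/2001:06:36:55 +0200] "-" 408 - "-" "-"
LOG_RE_STR = LOG_RE_PREFIX + r"[ \t\"-]+408[ \t\"-]+$"
log_re = re.compile(LOG_RE_STR)

# 193.251.30.95 - - [12/Oct/2001:12:46:51 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 43232
# One pattern per extension the Nimda/Code Red requests use (.exe, .ida,
# .dll); the request line is captured as REQ.
# Caveat: the ".*" between GET and the extension is unanchored, so the
# extension may also be found in the referer or user-agent field further
# along the line (any ".exe"/".ida"/".dll" followed by a later '"'). A
# legitimate request whose referer mentions such a file, or a real download
# of an .exe, is therefore suppressed as well.
LOG_RE_NIMDA1 = LOG_RE_PREFIX + r"[ \t](?P<REQ>\"GET.*\.exe.*\").*$"
LOG_RE_NIMDA2 = LOG_RE_PREFIX + r"[ \t](?P<REQ>\"GET.*\.ida.*\").*$"
LOG_RE_NIMDA3 = LOG_RE_PREFIX + r"[ \t](?P<REQ>\"GET.*\.dll.*\").*$"
log_re_nimda1 = re.compile(LOG_RE_NIMDA1)
log_re_nimda2 = re.compile(LOG_RE_NIMDA2)
log_re_nimda3 = re.compile(LOG_RE_NIMDA3)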

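def print_log(message, stream=None):
    """Write one timestamped status line: ``[logfilter.py <date> <time>] <message>``.

    Args:
        message: text to log, written verbatim after the prefix.
        stream: file-like object to write to; ``None`` (the default) selects
            the module-level ``file_out``, so existing callers are unchanged.

    The stamp is ``time.strftime("%x %X")`` on local time, i.e. the locale's
    own date and time formats: the day/month order depends on the locale and
    no timezone is recorded, which makes these stamps hard to correlate with
    other evidence. The format is kept here only for output compatibility.
    (The original literal had been line-wrapped by the mail client.)
    """
    target = file_out if stream is None else stream
    stamp = time.strftime("%x %X", time.localtime(time.time()))
    target.write("[logfilter.py %s] %s\n" % (stamp, message))


def filter_log(source, sink, patterns=None):
    """Copy ``source`` to ``sink`` line by line, collapsing runs of probe lines.

    Args:
        source: readable text stream; ``readline`` is used and an empty
            string ends the loop.
        sink: writable text stream; it is flushed after every line so the
            output can be followed with ``tail -f``.
        patterns: iterable of compiled regexes whose ``match`` marks a line
            as a probe; ``None`` (the default) uses the module-level
            Nimda/Code Red patterns ``log_re`` and ``log_re_nimda1..3``.

    Returns:
        The length of the run of probe lines the input ended with (0 when
        the last line was an ordinary one or the input was empty).

    Raises:
        Whatever the streams raise (IOError/OSError); nothing is swallowed.

    A probe line is never copied. The first line of a run writes one
    timestamped notice; when the run ends (an ordinary line arrives, or the
    input ends) and it held more than one line, a "last message repeated N
    times" line follows, where N is the total number of lines suppressed in
    that run, including the one the notice was written for.

    Suppressed lines are dropped, not archived: the ``IP`` group the patterns
    capture is not recorded anywhere, so keep the raw access.log if the
    probing hosts' addresses matter for incident response.
    """
    if patterns is None:
        patterns = (log_re, log_re_nimda1, log_re_nimda2, log_re_nimda3)
    patterns = tuple(patterns)

    run_length = 0
    line = source.readline()
    while line:
        if any(pattern.match(line) for pattern in patterns):
            run_length += 1
            if run_length == 1:
                print_log("HTTP request filtered maybe due to Nimda/Codered probe", sink)
        else:
            if run_length > 1:
                print_log("last message repeated %d times" % (run_length), sink)
            # Reset on *every* ordinary line. The earlier version only reset
            # inside the ``> 1`` branch, so a lone probe left the counter at 1
            # and the next run of probes never got its notice.
            run_length = 0
            sink.write(line)
        sink.flush()
        line = source.readline()

    if run_length > 1:
        # Same wording and timestamp prefix as the in-loop summary; the
        # earlier version wrote this final one without the prefix.
        print_log("last message repeated %d times" % (run_length), sink)
        sink.flush()
    return run_length


if __name__ == "__main__":
    print_log("Starting file monitoring")
    try:
        filter_log(file_in, file_out)
    except (IOError, OSError) as err:
        # Diagnostics go to stderr (not into the filtered log) and the exit
        # status is non-zero so a wrapper can tell a failure from a clean
        # end of input; the earlier version exited 0 on every error.
        sys.stderr.write("logfilter.py: error while filtering, exiting: %s\n" % (err,))
        sys.exit(1)
    except KeyboardInterrupt:
        # Ctrl-C on a ``tail -f | logfilter.py`` pipeline: leave quietly.
        sys.exit(130)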

Attachment: msg00175/pgp00000.pgp
Description: PGP signature
