Hi all,
sounds like a nice plan by Ryan.
I just extended my jwall-tools package to provide the information you requested
(either by applying it onto a serial audit-log file or by applying it to a
directory, in which case it will recursively scan for audit-event data files).
@Ryan:
Right now, the tools just output the data in plain text. I plan to provide the
data in CSV format and XML format as well and thought about providing an
auto-upload function to push the data to a statistics-service (anonymously, of
course).
(If you're interested in working on that jointly, just drop me a line.)
The updated jwall-tools can be found at:
https://secure.jwall.org/download/jwall-tools.jar
The md5-checksum of that file is 4cc35f5d07d6503357907473307e7609
These updated jwall-tools contain a new command "stats" which can be issued as:
java -jar jwall-tools.jar stats /path/to/audit.log
or
java -jar jwall-tools.jar stats /path/to/concurrent/audit/dir
The following is given as output of the above command:
[ch...@jwall: ~]$ java -jar jwall-tools.jar stats audit.log
..............................................................................................................................................................................................................................................................................................................................................................
53754 events processed in 16 seconds.
Event date range from 02/26/2010 08:00 to 09/03/2010 08:33.
------------------------------------------------------
Rule Messages:
118 Detects JavaScript location/document property access and window access obfuscation
114 Detects common XSS concatenation patterns 1/2
51 The application is not available
27 Detects possible includes and typical script methods
24 Invalid request
23 Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.
21 Request Missing an Accept Header
20 Detects common XSS concatenation patterns 2/2
17 Detects obfuscated JavaScript script injections
14 Comment Evasion Attempt7
13 Detects self-executing JavaScript functions
8 Detects data: URL injections, VBS injections and common URI schemes
7 Detects JavaScript with(), ternary operators and XML predicate attacks
7 Detects basic directory traversal
5 Detects JavaScript object properties and methods
5 Detects common function declarations and special JS operators
5 Detects self
4 Detects JavaScript language constructs
4 Detects nullbytes and other dangerous characters
2 Host header is a numeric IP address
------------------------------------------------------
Rule-IDs:
67 phpids-3
57 phpids-30
35 phpids-2
30 phpids-23
21 960015
17 970901
15 phpids-1
13 phpids-16
12 960913
12 phpids-31
8 hpp-1
7 phpids-27
7 phpids-7
5 phpids-25
5 phpids-8
4 phpids-converter-comment-evasion
3 phpids-10
3 phpids-20
2 960017
2 phpids-39
1 phpids-17
1 phpids-6
1 phpids-62
------------------------------------------------------
Tags:
21 PROTOCOL_VIOLATION/MISSING_HEADER
2 PROTOCOL_VIOLATION/IP_HOST
------------------------------------------------------
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
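
Added example, not part of the original message and not jwall-tools code: a sketch of how such per-rule statistics can be tallied from a ModSecurity serial audit log while ignoring "Message:" lines and boundary markers that appear inside request data. It assumes the usual serial layout (8-hex-digit boundaries such as --a1b2c3d4-H--, rule hits as "Message:" lines in section H); the names audit_stats and render and the sample log are constructed for illustration.

```python
import re
from collections import Counter

BOUNDARY = re.compile(r'^--([0-9a-fA-F]{8})-([A-Z])--$')       # e.g. --a1b2c3d4-H--
FIELD = re.compile(r'\[(id|msg|tag) "((?:[^"\\]|\\.)*)"\]')    # [id "960015"] etc.

def audit_stats(lines):
    """Count rule ids, messages and tags from 'Message:' lines of section H."""
    stats = {"events": 0, "id": Counter(), "msg": Counter(), "tag": Counter()}
    event = section = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = BOUNDARY.match(line)
        if m and event is None and m.group(2) == "A":
            event, section = m.group(1), "A"        # new event: remember its boundary id
            stats["events"] += 1
        elif m and m.group(1) == event:
            section = m.group(2)                    # only this event's own boundary switches parts
            if section == "Z":
                event = section = None
        elif section == "H" and line.startswith("Message: "):
            for key, value in FIELD.findall(line):
                stats[key][value] += 1
    return stats

def render(counter):
    """Format one table the way the output above does: count, then name."""
    return "\n".join(f"{n:5d} {name}" for name, n in counter.most_common())

# Constructed sample: two events; the second request body tries to forge entries.
SAMPLE = '''--a1b2c3d4-A--
[26/Feb/2010:08:00:01 +0100] AAAAAAAAAAAAAAAAAAAAAAAA 192.0.2.10 40112 192.0.2.1 80
--a1b2c3d4-H--
Message: Warning. [id "960015"] [msg "Request Missing an Accept Header"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Warning. [id "960017"] [msg "Host header is a numeric IP address"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
--a1b2c3d4-Z--
--0f3e9a71-A--
[03/Sep/2010:08:33:12 +0200] BBBBBBBBBBBBBBBBBBBBBBBB 192.0.2.11 40113 192.0.2.1 80
--0f3e9a71-C--
Message: x [id "999999"] [msg "forged"]
--deadbeef-H--
Message: x [id "999999"] [msg "forged"]
--0f3e9a71-H--
Message: Warning. [id "960015"] [msg "Request Missing an Accept Header"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
--0f3e9a71-Z--
'''

if __name__ == "__main__":
    result = audit_stats(SAMPLE.splitlines())
    print(f"{result['events']} events processed.")
    for title, key in (("Rule Messages:", "msg"), ("Rule-IDs:", "id"), ("Tags:", "tag")):
        print(title, render(result[key]), sep="\n")
```

An event that is cut off before its Z boundary hides the events after it in this sketch; a production parser would resynchronise on the next well-formed section A header.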