This is a great addition, Christian! Yeah, let's chat about posting this data to a stats service that we can host on the ModSecurity site.
Sent from my iPhone

On Oct 4, 2010, at 7:12 PM, "Christian Bockermann" <[email protected]> wrote:

> Hi all,
>
> sounds like a nice plan by Ryan.
>
> I just extended my jwall-tools package to provide the information you requested (either by applying it onto a serial audit-log file or by applying it to a directory in which case it will recursively scan for audit-event data files).
>
> @Ryan:
> Right now, the tools just output the data in plain text. I plan to provide the data in CSV format and XML format as well and thought about providing an auto-upload function to push the data to a statistics-service (anonymously, of course).
> (If you're interested in working on that jointly, just drop me a line)
>
> The updated jwall-tools can be found at:
>
> https://secure.jwall.org/download/jwall-tools.jar
>
> The md5-checksum of that file is 4cc35f5d07d6503357907473307e7609
> The updated jwall-tools contain a new command "stats" which can be issued as:
>
>    java -jar jwall-tools.jar stats /path/to/audit.log
> or
>    java -jar jwall-tools.jar stats /path/to/concurrent/audit/dir
>
> The following is given as output of the above command:
>
> [ch...@jwall: ~]$ java -jar jwall-tools.jar stats audit.log
> 53754 events processed in 16 seconds.
> Event date range from 02/26/2010 08:00 to 09/03/2010 08:33.
>
> ------------------------------------------------------
> Rule Messages:
>    118  Detects JavaScript location/document property access and window access obfuscation
>    114  Detects common XSS concatenation patterns 1/2
>     51  The application is not available
>     27  Detects possible includes and typical script methods
>     24  Invalid request
>     23  Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.
>     21  Request Missing an Accept Header
>     20  Detects common XSS concatenation patterns 2/2
>     17  Detects obfuscated JavaScript script injections
>     14  Comment Evasion Attempt7
>     13  Detects self-executing JavaScript functions
>      8  Detects data: URL injections, VBS injections and common URI schemes
>      7  Detects JavaScript with(), ternary operators and XML predicate attacks
>      7  Detects basic directory traversal
>      5  Detects JavaScript object properties and methods
>      5  Detects common function declarations and special JS operators
>      5  Detects self
>      4  Detects JavaScript language constructs
>      4  Detects nullbytes and other dangerous characters
>      2  Host header is a numeric IP address
>
> ------------------------------------------------------
> Rule-IDs:
>     67  phpids-3
>     57  phpids-30
>     35  phpids-2
>     30  phpids-23
>     21  960015
>     17  970901
>     15  phpids-1
>     13  phpids-16
>     12  960913
>     12  phpids-31
>      8  hpp-1
>      7  phpids-27
>      7  phpids-7
>      5  phpids-25
>      5  phpids-8
>      4  phpids-converter-comment-evasion
>      3  phpids-10
>      3  phpids-20
>      2  960017
>      2  phpids-39
>      1  phpids-17
>      1  phpids-6
>      1  phpids-62
>
> ------------------------------------------------------
> Tags:
>     21  PROTOCOL_VIOLATION/MISSING_HEADER
>      2  PROTOCOL_VIOLATION/IP_HOST
> ------------------------------------------------------

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
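
The kind of tally the "stats" output above reports (events, rule messages, rule IDs, tags) can be sketched as follows. This is an added example, not part of the thread and not jwall-tools code; it assumes the ModSecurity 2.x serial audit-log layout, and the sample log, its boundary IDs and the function name audit_stats are constructed for illustration. It counts only Message lines in an entry's own H section, so client-supplied request data that imitates a boundary or a Message line does not skew the statistics.

```python
import re
from collections import Counter

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
FIELD = re.compile(r'\[(id|msg|tag) "([^"]*)"\]')

# Constructed sample in ModSecurity 2.x serial audit-log layout (not real traffic).
SAMPLE = """\
--1a2b3c4d-A--
[04/Oct/2010:19:00:01 +0200] AAAAAAAAAAAAAAAAAAAAAAAA 192.0.2.10 40312 192.0.2.1 80
--1a2b3c4d-B--
GET / HTTP/1.1
--1a2b3c4d-H--
Message: Warning. [id "960015"] [msg "Request Missing an Accept Header"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Warning. [id "960017"] [msg "Host header is a numeric IP address"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
--1a2b3c4d-Z--
--5e6f7a8b-A--
[04/Oct/2010:19:00:02 +0200] BBBBBBBBBBBBBBBBBBBBBBBB 192.0.2.11 40313 192.0.2.1 80
--5e6f7a8b-C--
--deadbeef-H--
Message: forged by the client [id "999999"] [msg "forged"]
--5e6f7a8b-H--
Message: Warning. [id "960015"] [msg "Request Missing an Accept Header"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
--5e6f7a8b-Z--
"""

def audit_stats(lines):
    """Count events and the id/msg/tag values in each event's H section."""
    stats = {"msg": Counter(), "id": Counter(), "tag": Counter()}
    events, current, section = 0, None, None
    for line in lines:
        line = line.rstrip("\r\n")
        m = BOUNDARY.match(line)
        if m and current is None and m.group(2) == "A":
            current, section = m.group(1), "A"   # a new entry opens
            events += 1
        elif m and m.group(1) == current:
            section = m.group(2)                 # only the entry's own boundary switches section
            if section == "Z":
                current = section = None         # entry closed
        elif section == "H" and line.startswith("Message: "):
            # B/C sections hold client-controlled bytes, so only H lines are counted
            for key, value in FIELD.findall(line):
                stats[key][value] += 1
    return events, stats

if __name__ == "__main__":
    events, stats = audit_stats(SAMPLE.splitlines())
    print(events, "events;", {k: c.most_common() for k, c in stats.items()})
```

The parser assumes every entry is closed by its Z boundary; a truncated entry would need extra handling before the next A boundary is accepted.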
