On Tue, Nov 03, 2009 at 11:50:25AM -0600, David Taveras wrote:
> Hello,
>
> We have a site with about 2000 visits per day, and now the logging is
> getting extremely hard to review. As security is number one, the ideal
> situation for me would be to be able to classify the output into
> groups so that I as a sysadmin can be aware of all, know if there is an
> increase of hits for a particular rule, and most important is to know
> when I am getting (or someone tried to get me) SQL/PHP injected.
>
> Is there a way without using commercial add-ons to classify all this
> output and actually make sense of it, possibly by sending important
> alerts? How do other people do this?
>
> Sure: best practice is to have secure PHP code, but in an environment
> where you cannot trust the code, this is my only path.
As a general rule, reviewing stuff that your firewall/filter has stopped isn't terribly useful. After all, it's only the stuff that it lets through that you care about...

However, to answer your question, I have had good success with using sysutils/sec, the Simple Event Correlator (for syslog, but it's fairly generic). I use a hackish sed script to allow some macros (like __IP__ for a regex matching IP addresses), and a generic preamble/post-amble to make sure that a log record is matched by exactly one rule in all files (one of the last rules matches and reports everything not matched by an earlier rule). With a bit of scripting, it can send mail (and presumably pager notifications).

Be warned, though, that it's very generic and hence you'll have to write most of this stuff yourself.

Joachim
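The classifier design sketched in the reply (macro expansion such as __IP__, an ordered rule set where each log record hits exactly one rule, a catch-all last rule that reports everything else, and per-rule hit counts so a rise for one rule is visible) can be illustrated in a few lines of Python. The block below is an added example written for this thread; it is not Joachim's sec/sed configuration and does not use sec itself. The rule names, the macro table and the Apache-style sample log lines are constructed for the example; in a real deployment the alerts list would be handed to mail or a pager, as the reply suggests.

```python
"""First-match log classifier in the style described above (added example,
not the poster's sec/sed setup). Each line is claimed by the first rule
whose pattern matches; the final catch-all rule reports anything unmatched."""
import re
from collections import Counter

# Macros expanded into rule patterns, like the __IP__ macro in the reply.
# (Constructed for this example.)
MACROS = {
    "__IP__": r"(?:\d{1,3}\.){3}\d{1,3}",   # dotted-quad IPv4 address
    "__TS__": r"\[[^\]]+\]",                # Apache bracketed timestamp
}


def expand(pattern: str) -> str:
    """Replace every macro name in a pattern with its regex."""
    for name, regex in MACROS.items():
        pattern = pattern.replace(name, regex)
    return pattern


# Ordered rules: earlier rules win, and the last rule matches everything,
# so every record is counted under exactly one name. Rule names and
# patterns are hypothetical; tune them to the site's own traffic.
RULES = [
    ("sqli_attempt",
     r"__IP__ - - __TS__ \"(?:GET|POST) \S*(?:'|%27|union\b|select\b|sleep\()[^\"]*\""),
    ("php_include_attempt",
     r"__IP__ - - __TS__ \"(?:GET|POST) \S*=(?:https?://|ftp://)[^\"]*\""),
    ("ok_request",
     r"__IP__ - - __TS__ \"(?:GET|POST) \S+ HTTP/1\.[01]\" 2\d\d "),
    ("unmatched", r".*"),   # catch-all: reports what no earlier rule claimed
]
COMPILED = [(name, re.compile(expand(p), re.IGNORECASE)) for name, p in RULES]

# Rules whose hits should be reported immediately rather than just counted.
ALERT_RULES = {"sqli_attempt", "php_include_attempt"}


def classify(line: str) -> str:
    """Return the name of the first rule matching the line."""
    for name, rx in COMPILED:
        if rx.search(line):
            return name
    return "unmatched"   # unreachable with the catch-all, kept for safety


def summarize_text(text: str):
    """Classify every non-empty line; return (per-rule counts, alert list)."""
    counts = Counter()
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name = classify(line)
        counts[name] += 1
        if name in ALERT_RULES:
            alerts.append((name, line))
    return counts, alerts


# Constructed sample log lines in Apache common-log style (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Nov/2009:11:50:25 -0600] "GET /index.php HTTP/1.1" 200 512
192.0.2.11 - - [03/Nov/2009:11:50:26 -0600] "GET /item.php?id=1' OR '1'='1 HTTP/1.1" 200 300
192.0.2.12 - - [03/Nov/2009:11:50:27 -0600] "GET /page.php?inc=http://203.0.113.5/x.txt HTTP/1.1" 404 200
192.0.2.13 - - [03/Nov/2009:11:50:28 -0600] "GET /login.php HTTP/1.1" 500 100
garbage line that matches nothing
"""

if __name__ == "__main__":
    counts, alerts = summarize_text(SAMPLE_LOG)
    for name, _ in RULES:
        print(f"{name:22s} {counts[name]}")
    for name, line in alerts:
        print(f"ALERT {name}: {line}")
```

Because the catch-all sits last, the "unmatched" count is the to-do list: every record landing there either needs a new rule or is something the filter should never have let through in the first place, which is the point made at the top of the reply.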