------------------------------------------------------------ revno: 251 committer: Michael J. Flickinger <[email protected]> branch nick: administration timestamp: Sun 2010-12-19 15:27:12 -0500 message: Adding sql_injection_monitor script. added: maintenance/sql_injection_monitor
=== added file 'maintenance/sql_injection_monitor'
--- a/maintenance/sql_injection_monitor 1970-01-01 00:00:00 +0000
+++ b/maintenance/sql_injection_monitor 2010-12-19 20:27:12 +0000
@@ -0,0 +1,125 @@
+#!/usr/bin/perl
+#
+# SQL Injection Log Monitor
+# Copyright (C) 2010 - Michael J. Flickinger
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Configuration
+my $config = {
+ emails => ['[email protected]'],
+ log_file => '/var/log/apache2/access.log',
+ email_from => 'SQL Injection Log Monitor <[email protected]>',
+ subject => 'Possible SQL Injection Attack',
+};
+
+###########################################################################
+
+use File::Tail;
+use URI::Escape;
+
+# this should run as a forked process, so check if this is already running
+
+sub is_running { grep { /sql_injection_monitor \[running\]/ } grep { !/grep/ } `ps aux` }
+
+sub fatal_error { die "fatal error: $_[0]\n" }
+
+sub main
+{
+ die "sql_injection_monitor is already running\n" if &is_running;
+
+ if (fork())
+ {
+ print "Started sql_injection_monitor.\n";
+ exit(0);
+ }
+
+ # this is a little evil
+ $0 = 'sql_injection_monitor [running]';
+
+ my $log_file = $config->{log_file};
+
+ return &fatal_error("Log file: '$log_file' does not exist.")
+ unless -e $log_file;
+
+ &monitor_file($log_file);
+}
+
+sub monitor_file
+{
+ my $file = shift;
+
+ my $ft = File::Tail->new(
+ name => $file,
+ maxinterval => 1,
+ adjustafter => 1,
+ );
+ while (defined(my $line = $ft->read)) {
+ &validate($line);
+ }
+}
+
+sub validate
+{
+ my $line = shift;
+ # add readability to input
+ $line = uri_unescape($line);
+
+ if (
+ (
+ $line =~ /union/i or
+ $line =~ /from/i
+ )
+ and
+ (
+ $line =~ /select/i and
+ $line =~ /\(|\)/i
+ )
+ )
+ {
+ my $remote_addr = (split(/ /, $line))[0];
+ my $message_body = qq[
+Possible SQL injection attack with the following apache access_log entry:
+
+$line
+];
+ &mail({
+ body => $message_body,
+ from => $config->{email_from},
+ to => join(', ', @{$config->{emails}}),
+ subject => join(' - ', $config->{subject}, $remote_addr),
+ });
+ }
+}
+
+sub mail
+{
+ my $message = shift;
+
+ open MAIL, '|/usr/lib/sendmail -i -t' or die 'Cannot open sendmail.';
+
+ print MAIL "To: $message->{to}\n";
+ print MAIL "From: $message->{from}\n";
+ print MAIL "Subject: $message->{subject}\n";
+ print MAIL "\n";
+ print MAIL $message->{body};
+ close(MAIL);
+}
+
+&main();
+
+
+
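Review bot: In `sub mail`, the `Subject:` header is built from `$remote_addr`, which `sub validate` takes as the first space-delimited token of the log line only after `uri_unescape`, so a decoded `%0a`/`%0d` in that token would be written as an additional header line into a pipe to `sendmail -t`, where headers decide recipients. The first field of a default Apache access log is the client address written by the server rather than request content, so this mostly matters if `log_file` is later pointed at a log with another format, but the value should still be constrained before it reaches a header, e.g. `($remote_addr) = $remote_addr =~ /\A([\w.:-]+)/ or return;` right after the `split`. The pipe itself is a bareword two-arg `open` with an unchecked `close(MAIL)`, so a sendmail failure after the open is silently lost; prefer `open my $mail, '|-', '/usr/lib/sendmail', '-i', '-t' or die "Cannot open sendmail: $!";` and `close $mail or die "sendmail failed: $!";`. The file also lacks `use strict; use warnings;` under the shebang, which is what would flag the bareword handle and the unchecked close.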
