Scalp: Log Analyzer Finds Web Attacks

Sep 17, 2008

Romain Gaucher, a specialist in web security, offers his Scalp tool in version 0.4. The log analyzer searches for attacks on Apache web applications.

Scalp’s Python script uses regular expressions of the PHP Intrusion Detection System (PHPIDS) project that monitors attacks on PHP applications. Methods used include cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection. Because the Apache web server in its standard form does not employ POST request variables, it can detect only GET request attacks.

The tool outputs its results as a report in text, XML or HTML format (here an example).

Scalp sorting search results
Scalp can sort its search results by type of attack, as a formatted HTML page.

In its standard form, the script can handle Apache logs of more than 100 megabytes without a problem, according to Gaucher. Limiting the analysis to a timeframe and a particular type of attack can further reduce the search time for large data sets. The program also allows spot checks in large log files.

The tool consists of a single Python script. Users will also need to download a default filter file. Both are available on the project home page.

Romain Gaucher is currently working on a C++ version of his program.

Related content

  • Security Lessons

    Sometimes, even ING, YouTube, The New York Times, and Google get it wrong.

  • XSA Attack

    A new form of phishing attack deposits an HTML tag on the vulnerable service to trap users into authenticating.

  • Intrusion 101

    You need to think like an attacker to keep your network safe. We asked security columnist Kurt Seifried for an inside look at the art of intrusion.

  • Honeypots for the Pi

    Adding a honeypot to your network will slow down attackers and warn you that intruders are on the wire.

  • Security Lessons

    Learn more about protecting your website with NoScript, ModSecurity, and Site Security Policy.

comments powered by Disqus