jensvoid / lorg
Apache Logfile Security Analyzer
License: GNU General Public License v2.0
I want to run this tool.
I have created a clone and also created a log file in the same lorg directory
./lorg -d phpids -u -g /path/to/access_log
{AttackerIP} - GET / HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Connection: keep-alive Host: {Our IP} User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
This is one log sample I have made from my data.
Kindly help me out.
include some sample files/urls for testing.
I really like the idea and some of the features it has to offer. Thrilled to get this up and running, I quickly found myself disappointed due to the lack of proper documentation.
I installed this on SIFT, which is Ubuntu based. I had to install php5, php-cli and some other packages to get the tool to display its help menu.
I am trying to scan the apache logs but it errors out:
PHP Fatal error: Class 'IDS_Monitor' not found in /home/sansforensics/Desktop/lorg-master/lorg on line 2037
I read the instructions but I am not sure if I followed them properly. It said in step 1 to get "PHPIDS from http://phpids.org, gunzip and untar, then move IDS/ into the following directory..."
First of all, that link to PHPIDS is broken. Second, there are already some files in the './phpids/' directory. I am assuming PHPIDS came installed.
Finally, I tried to download and install PHPIDS but found out that the naming convention used in the instructions does not match the downloaded package. The instructions direct the user to copy 'IDS/' into the './phpids/' directory. But the downloaded package for PHPIDS does not have a 'IDS/' directory.
Can someone please help me get this project running?
Thank you
Is any of the data being used for log-forensics outdated here?
I am testing a log-file from a common CMS using the -d phpids
option and it doesn't output much. Further inspection of the ./phpids
folder shows that it was last updated 4 years ago.
While trying to perform the analysis, I got the fatal error message:
Fatal error: Call to undefined function pcntl_signal() in lorg on line 946
Command used:
lorg -d phpids -u -i combined -g access-2013-08-20.log
Thanks
There are a lot of calls to http://simile.mit.edu in the code and that site is down.
It would be nice if there were NO external calls, so one could host it without any other access to the internet than DNS.
I am still working on figuring out if I can change the code myself to avoid the errors :)
Regards Keld Norman
I had this error running lorg (LORG v0.41 | Sat Jun 15 20:20:22 CEST 2013):
./lorg -d phpids -u -g ~/ssl_access.log
[>] Creating summary for 'ssl_access.log'
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 76 bytes) in /usr/home/emi/lorg/lorg on line 1417
Hello,
I'm testing lorg on Ubuntu 16.04 (php5.6 and php7 both installed and tested).
So far most things are working. Thank you :):)
.. but one problem with -o json. Everything seems to be processed:
...
[>] Processing 210679 lines of input file 'test_access.log' [100%]
[>] Creating summary for 'test_access.log'
Found 496 incidents (2545 tags) from 9 clients
| sqli: 248 | id: 496 | lfi: 483 |
| xss: 433 | csrf: 404 | rfe: 298 |
| dt: 182 | dos: 1 |
[>] Check out 'report_09-May-2017-131513.json' for a complete report
but json file seems to be empty:
more 09-May-2017-131513.json only shows
{ items: [
] }
Any idea?
Regards,
Walter
Hi @jensvoid,
I have an Access Log with these fields:
date time c-ip cs-username s-ip s-sitename cs-method cs-uri cs-uri-stem c-version sc-status sc(Content-Length) sc-bytes cs-bytes time-taken cs(User-Agent) cs(Cookie) cs(Referer) sc(CACHE_STATUS) sc(BALANCER_WORKER_IP) cs(X-Forwarded-For) x-origin-ip rs-bytes
I insert an allowed input format in the lorg file:
`'namext' => '%{%Y-%m-%d %H:%M:%S}t %h %<u %A %v %m %U "%r" %>s %O %I %O %T "%{User-agent}i" "%{Cookie}i" "%{Referer}i" "%a" "%{x-forward-for}i" "%{BALANCER_WORKER_IP}e" %I'`
When I create the HTML output file, I notice that the time is assigned to the client IP. So `%{%Y-%m-%d %H:%M:%S}t` is treated as a single field and it doesn't separate the 'date' and the 'time' fields.
How can I do this?
Thanks!
Valentina
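The format-string problem described in the post above comes down to how a LogFormat string is tokenized: an `%{...}t` directive carries a strftime pattern that may itself contain a space, so any parser that splits the format (or the log line) on whitespace will count one directive as two fields and shift every later column, which is exactly what puts the time into the client-IP column. The following is an added, stand-alone example (it is not lorg's code, and the format string, the `namext`-style field keys and the log line are constructed for illustration) that tokenizes a LogFormat string with a regex that keeps `%{...}` arguments whole, turns the strftime pattern into a matching digit pattern so the timestamp is captured as one unit, and then splits that captured value into separate date and time fields after parsing:

```python
import re
from datetime import datetime

# Constructed example format in Apache LogFormat syntax (not lorg's own table).
# The strftime block inside %{...}t contains a space, so a naive split on
# whitespace would cut the format into 7 columns instead of 6 directives.
LOG_FORMAT = '%{%Y-%m-%d %H:%M:%S}t %h %u %>s %O "%{User-agent}i"'

# One constructed log line that matches LOG_FORMAT.
SAMPLE_LINE = ('2017-05-09 13:15:13 203.0.113.7 - 200 5120 '
               '"Mozilla/5.0 (X11; Linux x86_64) Firefox/35.0"')

# %h, %>s, %<u, %{User-agent}i, %{X}e, %{strftime}t ...: an optional {arg},
# an optional </> modifier, then the single directive letter.
DIRECTIVE = re.compile(r'%(?:\{([^}]*)\})?[<>]?([a-zA-Z])')


def tokenize(fmt):
    """Split a LogFormat string into literal strings and (letter, arg) tuples.
    The {arg} part is kept whole, spaces included."""
    tokens, pos = [], 0
    for m in DIRECTIVE.finditer(fmt):
        if m.start() > pos:
            tokens.append(fmt[pos:m.start()])
        tokens.append((m.group(2), m.group(1)))
        pos = m.end()
    if pos < len(fmt):
        tokens.append(fmt[pos:])
    return tokens


def directive_count(fmt):
    """Number of real fields in the format, as opposed to len(fmt.split())."""
    return sum(1 for t in tokenize(fmt) if not isinstance(t, str))


def strftime_to_regex(pattern):
    """Map strftime directives to digit classes so the timestamp is matched as
    a unit; unknown directives fall back to a run of non-space characters."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == '%' and i + 1 < len(pattern):
            c = pattern[i + 1]
            if c == 'Y':
                out.append(r'\d{4}')
            elif c in 'mdHMSy':
                out.append(r'\d{2}')
            else:
                out.append(r'\S+')
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return ''.join(out)


def build_regex(tokens):
    """One capture group per directive: a %{strftime}t directive gets the
    pattern derived from its own format, a directive that follows a literal
    double quote is matched up to the closing quote, anything else up to the
    next space."""
    parts, prev = [], ''
    for tok in tokens:
        if isinstance(tok, str):
            parts.append(re.escape(tok))
            prev = tok
            continue
        letter, arg = tok
        if letter == 't' and arg is not None:
            parts.append('(' + strftime_to_regex(arg) + ')')
        elif prev.endswith('"'):
            parts.append('([^"]*)')
        else:
            parts.append(r'(\S+)')
        prev = ''
    return ''.join(parts)


def parse_line(fmt, line):
    """Return {directive: value} for one log line, or None if it does not
    match the format. Keys look like 'h' or 't{%Y-%m-%d %H:%M:%S}'."""
    tokens = tokenize(fmt)
    m = re.fullmatch(build_regex(tokens), line)
    if not m:
        return None
    directives = [t for t in tokens if not isinstance(t, str)]
    fields = {}
    for (letter, arg), value in zip(directives, m.groups()):
        fields[letter if arg is None else f'{letter}{{{arg}}}'] = value
    return fields


def split_timestamp(fields, key='t{%Y-%m-%d %H:%M:%S}'):
    """Re-parse the %{...}t value with its own strftime pattern and add
    separate 'date' and 'time' entries for a two-column report."""
    ts = datetime.strptime(fields[key], key[2:-1])
    fields['date'] = ts.date().isoformat()
    fields['time'] = ts.time().isoformat()
    return fields


if __name__ == '__main__':
    print(split_timestamp(parse_line(LOG_FORMAT, SAMPLE_LINE)))
```

Comparing `directive_count(LOG_FORMAT)` with `len(LOG_FORMAT.split())` shows the column shift directly (6 directives, 7 whitespace-separated pieces); the fix is to match the timestamp against its own pattern first and only then derive date and time from the parsed value, rather than declaring them as two separate input columns.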
On an installation on Ubuntu 16.04 I got tons of this error:
"[!] PHPIDS error occured: SimpleXML not loaded."
The report is empty.
I am getting a lot of these when I run Lorg:
netstat -an
tcp 0 0 10.0.200.21:50796 149.210.220.191:53 TIME_WAIT
tcp 0 0 10.0.200.21:15131 149.210.220.209:53 TIME_WAIT
tcp 0 0 10.0.200.21:61494 149.210.220.191:53 TIME_WAIT
tcp 0 0 10.0.200.21:33973 149.210.220.191:53 TIME_WAIT
tcp 0 0 10.0.200.21:53600 149.210.220.209:53 TIME_WAIT
tcp 0 0 10.0.200.21:56394 149.210.220.191:53 TIME_WAIT
It looks like it is related to a site that is not there anymore: "ns1.darkness-reigns.net"
Do you have any idea where Lorg gets that DNS server from, or whether it is related to running LORG at all?