[Savannah-cvs] /srv/bzr/administration r251: Adding sql_injection_monito
From: |
Michael J. Flickinger |
Subject: |
[Savannah-cvs] /srv/bzr/administration r251: Adding sql_injection_monitor script. |
Date: |
Sun, 19 Dec 2010 15:27:12 -0500 |
User-agent: |
Bazaar (2.0.3) |
------------------------------------------------------------
revno: 251
committer: Michael J. Flickinger <address@hidden>
branch nick: administration
timestamp: Sun 2010-12-19 15:27:12 -0500
message:
Adding sql_injection_monitor script.
added:
maintenance/sql_injection_monitor
=== added file 'maintenance/sql_injection_monitor'
--- a/maintenance/sql_injection_monitor 1970-01-01 00:00:00 +0000
+++ b/maintenance/sql_injection_monitor 2010-12-19 20:27:12 +0000
@@ -0,0 +1,125 @@
+#!/usr/bin/perl
+#
+# SQL Injection Log Monitor
+# Copyright (C) 2010 - Michael J. Flickinger
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Configuration
+my $config = {
+ emails => ['address@hidden'],
+ log_file => '/var/log/apache2/access.log',
+ email_from => 'SQL Injection Log Monitor <address@hidden>',
+ subject => 'Possible SQL Injection Attack',
+};
+
+###########################################################################
+
+use File::Tail;
+use URI::Escape;
+
+# this should run as a forked process, so check if this is already running
+
+sub is_running { grep { /sql_injection_monitor \[running\]/ } grep { !/grep/ }
`ps aux` }
+
+sub fatal_error { die "fatal error: $_[0]\n" }
+
+sub main
+{
+ die "sql_injection_monitor is already running\n" if &is_running;
+
+ if (fork())
+ {
+ print "Started sql_injection_monitor.\n";
+ exit(0);
+ }
+
+ # this is a little evil
+ $0 = 'sql_injection_monitor [running]';
+
+ my $log_file = $config->{log_file};
+
+ return &fatal_error("Log file: '$log_file' does not exist.")
+ unless -e $log_file;
+
+ &monitor_file($log_file);
+}
+
+sub monitor_file
+{
+ my $file = shift;
+
+ my $ft = File::Tail->new(
+ name => $file,
+ maxinterval => 1,
+ adjustafter => 1,
+ );
+ while (defined(my $line = $ft->read)) {
+ &validate($line);
+ }
+}
+
+sub validate
+{
+ my $line = shift;
+ # add readability to input
+ $line = uri_unescape($line);
+
+ if (
+ (
+ $line =~ /union/i or
+ $line =~ /from/i
+ )
+ and
+ (
+ $line =~ /select/i and
+ $line =~ /\(|\)/i
+ )
+ )
+ {
+ my $remote_addr = (split(/ /, $line))[0];
+ my $message_body = qq[
+Possible SQL injection attack with the following apache access_log entry:
+
+$line
+];
+ &mail({
+ body => $message_body,
+ from => $config->{email_from},
+ to => join(', ', @{$config->{emails}}),
+ subject => join(' - ', $config->{subject}, $remote_addr),
+ });
+ }
+}
+
+sub mail
+{
+ my $message = shift;
+
+ open MAIL, '|/usr/lib/sendmail -i -t' or die 'Cannot open sendmail.';
+
+ print MAIL "To: $message->{to}\n";
+ print MAIL "From: $message->{from}\n";
+ print MAIL "Subject: $message->{subject}\n";
+ print MAIL "\n";
+ print MAIL $message->{body};
+ close(MAIL);
+}
+
+&main();
+
+
+
+