Tag Archives: modsec2

Search modsecurity logs more easily

Searching a serial ModSecurity audit log can be a pain. Each entry is spread over several sections (A through Z), so the pieces you want to correlate (the client address in section A, the rule message and "Action: Intercepted" line in section H) sit on different lines, and grep works one line at a time, so it cannot match across them.

cPanel/WHM creates the logfile in /usr/local/apache/logs/modsec_audit.log

This Perl script searches the log for intercepted (blocked) requests, optionally restricted to a particular client IP address. It reassembles each entry from its A boundary to its Z boundary and then runs one regex over the whole entry, so the address from section A and the "Intercepted" action from section H can be matched together.

#!/usr/bin/perl
use strict;
use warnings;

# usage: modsearch.pl [optional ip address]
# Prints every audit-log entry (sections A through Z) that mentions the
# IP address and contains "Intercepted", i.e. the request was blocked.

my $modseclog = '/usr/local/apache/logs/modsec_audit.log';

my $ip = $ARGV[0];
# With no argument, or one that is not a dotted quad, match every entry.
# You can comment out this line to search for things other than an IP address.
if (!defined $ip || $ip !~ /^(\d{1,3}\.){3}\d{1,3}$/) { $ip = '.'; }
# Escape the dots so that "1.2.3.4" does not also match "1x2y3z4"
my $pattern = ($ip eq '.') ? '.' : quotemeta($ip);

open(my $logf, '<', $modseclog) or die "Cannot open $modseclog: $!\n";

my $count = 0;
while (my $line = <$logf>) {
    # A new entry starts at its A (audit header) boundary
    next unless $line =~ /^--[0-9A-Za-z]+-A--/;
    my $chunk = $line;
    # Accumulate lines until the matching Z (end of entry) boundary or EOF
    while (my $next = <$logf>) {
        $chunk .= $next;
        last if $next =~ /^--[0-9A-Za-z]+-Z--/;
    }
    # /s lets "." span the newlines inside the entry
    if ($chunk =~ /$pattern.*Intercepted/s) {
        $count++;
        print $chunk;
    }
}
close $logf;
print "$count matches found.\n";

This script prints the complete entry (every section from A to Z) for each matching incident, so the client address, the request and the rule that fired are all on screen together, which makes tracking down problems much easier. One caveat: the match is a single regex over the whole entry, so the IP address can match anywhere in it, including request headers or the body, not only the client address field in section A.
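As an added example (not the page's script, and written in Python rather than Perl), here is a parser that splits a serial audit log into entries and sections and then searches structurally rather than with one regex over the whole entry: the client IP is read from section A, and the "Intercepted" flag, rule ids and messages from section H, so the address appearing in a header or body cannot produce a false hit. The log text is a constructed sample using documentation addresses; the section A layout assumed here ([timestamp] unique_id client_ip client_port server_ip server_port) is the ModSecurity 2 serial format.

```python
import re
from collections import defaultdict

# Constructed sample of a ModSecurity 2.x serial audit log (two entries,
# RFC 5737 documentation addresses); not taken from a real server.
SAMPLE_LOG = """\
--6b253045-A--
[09/Jan/2012:12:00:01 +0000] TwpCfH8AAQEAAFvqYpgAAAAA 192.0.2.10 51234 198.51.100.5 80
--6b253045-B--
GET /index.php?id=1%27%20OR%201=1 HTTP/1.1
Host: www.example.com
User-Agent: curl/7.21.0

--6b253045-F--
HTTP/1.1 403 Forbidden
Content-Length: 220

--6b253045-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:or)" at ARGS:id. [file "/etc/modsecurity/rules.conf"] [line "10"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1326110401000000 1234 (- - -)
Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/)

--6b253045-Z--

--7c364156-A--
[09/Jan/2012:12:00:02 +0000] TwpCfn8AAQEAAFvqYpkAAAAB 203.0.113.7 51235 198.51.100.5 80
--7c364156-B--
GET /about.html HTTP/1.1
Host: www.example.com

--7c364156-F--
HTTP/1.1 200 OK
Content-Length: 4096

--7c364156-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/rules.conf"] [line "20"] [id "990002"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"]
Stopwatch: 1326110402000000 456 (- - -)
Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/)

--7c364156-Z--
"""

# Section boundary line: "--<entry id>-<section letter>--"
BOUNDARY = re.compile(r'^--([0-9A-Za-z]+)-([A-Z])--$')
# Section A: "[timestamp] unique_id client_ip client_port server_ip server_port"
A_LINE = re.compile(r'^\[[^\]]+\] (\S+) (\S+) (\d+) (\S+) (\d+)$')
RULE_ID = re.compile(r'\[id "(\d+)"\]')
RULE_MSG = re.compile(r'\[msg "([^"]*)"\]')


def parse_serial_log(text):
    """Split a serial audit log into entries of the form
    {'id': entry_id, 'sections': {letter: [lines]}}."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            entry_id, part = m.groups()
            if part == 'A':                      # start of a new entry
                current = {'id': entry_id, 'sections': defaultdict(list)}
                entries.append(current)
            elif part == 'Z':                    # end of the entry
                current = None
            section = part
            continue
        if current is not None:
            current['sections'][section].append(line)
    return entries


def summarize(entry):
    """Extract the fields worth searching on from one parsed entry."""
    sections = entry['sections']
    a = A_LINE.match(sections['A'][0]) if sections['A'] else None
    h_text = '\n'.join(sections['H'])
    return {
        'id': entry['id'],
        'unique_id': a.group(1) if a else None,
        'client_ip': a.group(2) if a else None,
        'request_line': sections['B'][0] if sections['B'] else None,
        'rule_ids': RULE_ID.findall(h_text),
        'messages': RULE_MSG.findall(h_text),
        # Section H carries "Action: Intercepted (phase N)" only when the request was blocked
        'intercepted': any(l.startswith('Action: Intercepted') for l in sections['H']),
    }


def search(text, ip=None, intercepted_only=True):
    """Summaries of entries from client `ip` (any client if None) that were intercepted."""
    results = []
    for entry in parse_serial_log(text):
        s = summarize(entry)
        if ip is not None and s['client_ip'] != ip:
            continue
        if intercepted_only and not s['intercepted']:
            continue
        results.append(s)
    return results


if __name__ == '__main__':
    import sys
    wanted = sys.argv[1] if len(sys.argv) > 1 else None
    hits = search(SAMPLE_LOG, ip=wanted)
    for s in hits:
        print(f"{s['id']} {s['client_ip']} {s['request_line']} rules={s['rule_ids']} {s['messages']}")
    print(f"{len(hits)} matches found.")
```

To run it against a real server, replace SAMPLE_LOG with the contents of /usr/local/apache/logs/modsec_audit.log; the parser reads the whole file, which is fine for the rotated daily logs cPanel keeps but worth streaming for a very large one.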

Ziphost – Protect your website from malware

To cut a long story short – if you want to protect your online presence from hackers, and avoid getting banned from Google, then you can do a lot worse than host your website with Ziphost, our sister company.

Yes, this is a bit of shameless self promotion, but we want people to understand that unlike almost every other hosting provider in the UK, Ziphost provide an extra level of protection by offering SecurityBoost on ALL hosting accounts. Read More…