Security Incidents mailing list archives

C o d e R e d Stats script


From: Jason Brvenik <jason () brvenik com>
Date: Fri, 10 Aug 2001 00:58:02 -0400

Hi all,

  I am sure that many of you have done this already but I haven't seen
the like posted so here it is. Yeah, too late and too short but I still
see probes every 3 minutes across 3 of my sites. It's simple and it
gives me the information I was looking for, hope it helps someone else.

I am mailing the administrators of the offending sites if I can find one
or the upstream if I can't. If we all do this maybe the stragglers will
get a clue.

What does it do?
1) tracks the information by request method, requested page, and
parameters passed ( code ).
    I figured it would be easy to see if yet another variant pops up
this way and it makes it small.
2) tracks the IPs and counts the number of hits from each.
3) adds it all up and tells you.

Jason.


begin - C  o  d  e  R  e  d  S  t  a  t  s

#!/usr/bin/perl -w -T
# No Copyright, No warranties, No Worries.
# It's not my fault if something goes wrong.
# For apache but easily ported.

use strict;
use CGI;

my $cgi    = CGI->new;
my $detail = $cgi->param('detail');   # ?detail=1 prints every matching request
my $total  = 0;
my $start  = undef;                   # timestamp of the first .ida request seen
my %unique;                           # method -> page -> code -> hit count
my %hosts;                            # source ip -> hit count

print $cgi->header;
print $cgi->start_html(-title=>'CodeRed Log Dump',
                       -author=>'jason () brvenik com');

# The path is a literal, so it is not tainted under -T.
open(LOG, "</path/to/your/apache/access-log")
    or die "cannot open access log: $!";
while (<LOG>) {
   if ( $_ =~ /\.ida/ ) {
        # Common/combined log format, split on single spaces:
        # ip - - [date:time zone] "METHOD /uri PROTO" status bytes ...
        my ( $ip, undef, undef, $date_time, undef, $method, $request,
             undef, undef ) = split(/ /,$_);
        $date_time = $date_time . "]";
        $method =~ s/^"//;                    # drop the quote that opens the request field
        $start = $date_time unless defined $start;
        my ( $page, $code ) = split(/\?/, $request);
        $code = '' unless defined $code;      # request had no query string
        $unique{$method}{$page}{$code}++;
        $hosts{$ip}++;
        if ($detail) {
                # Every field comes from the remote host, so escape it before
                # writing it into the page.
                print $cgi->br . "\n";
                print "from IP:" . $cgi->escapeHTML($ip) . $cgi->br . "\n";
                print "request method:" . $cgi->escapeHTML($method) . $cgi->br . "\n";
                print "page requested:" . $cgi->escapeHTML($page) . $cgi->br . "\n";
                print "code sent:" . $cgi->escapeHTML($code) . $cgi->br . "\n";
                print "at:" . $cgi->escapeHTML($date_time) . $cgi->br . "\n";
                print "Running Count:" .
                      $unique{$method}{$page}{$code} . $cgi->br . "\n";
        }
        $total++;
   }
}
close(LOG);

foreach my $method_key (keys %unique ) {
    foreach my $page_key (keys %{ $unique{$method_key} } ) {
        foreach my $code_key (keys %{ $unique{$method_key}{$page_key} } ) {
                print "total for method of " . $cgi->escapeHTML($method_key)
                    . " page of " . $cgi->escapeHTML($page_key)
                    . " code of " . $cgi->escapeHTML($code_key) . $cgi->br . "\n";
                print "is " . $unique{$method_key}{$page_key}{$code_key}
                    . $cgi->br . "\n";
        }
    }
}
my $unique_hosts = scalar keys %hosts;
print "there have been " . $total . " ida requests since "
    . $cgi->escapeHTML(defined $start ? $start : 'never')
    . " from " . $unique_hosts . " unique hosts\n";
print $cgi->br;
print $cgi->br;
print $cgi->br;
print $cgi->br;

foreach my $host_key (keys %hosts) {
        print $cgi->escapeHTML($host_key) . " has attempted " . $hosts{$host_key}
            . " times" . $cgi->br . "\n";
}
print $cgi->end_html;

END - C  o  d  e  R  e  d  S  t  a  t  s
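The same three steps (group by method/page/payload, count per source IP, total it up) as an added example in Python; this is not Jason's script and not part of the original post. It goes a little beyond the script above in two ways: it parses the Apache line with a regex instead of splitting on spaces, so quoted fields survive intact, and it collapses the long filler run in the query string into a short fingerprint so variants that differ only in filler still group together. The log lines and payload strings are constructed stand-ins, not real captures, and `fingerprint`, `summarize` and `render_html` are names chosen here. Everything written into the HTML report is escaped, because the request line is written by the remote host.

```python
import html
import re
from collections import Counter

# Apache common/combined log line. The request is a quoted field, so a regex is
# safer than splitting on spaces (the URI or user-agent may contain them).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real captures); the query strings are
# shortened stand-ins for the long .ida payloads the worm sends.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Aug/2001:00:01:02 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 270
192.0.2.11 - - [10/Aug/2001:00:04:17 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 270
192.0.2.10 - - [10/Aug/2001:00:07:45 -0400] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 270
198.51.100.7 - - [10/Aug/2001:00:08:01 -0400] "GET /index.html HTTP/1.1" 200 1043
203.0.113.9 - - [10/Aug/2001:00:09:30 -0400] "GET /default.ida?<b>not-a-worm</b> HTTP/1.0" 404 270
this line is not in Apache format
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_ida_probe(rec):
    """Code Red hits the Index Server ISAPI filter, so the path ends in .ida (or .idq)."""
    path = rec['uri'].split('?', 1)[0]
    return path.lower().endswith(('.ida', '.idq'))


def fingerprint(payload):
    """Collapse a leading run of one repeated character (the filler) to
    '<char>x<length>' so variants group by the encoded tail that follows it."""
    m = re.match(r'^(.)\1+', payload)
    if not m:
        return payload
    run = m.group(0)
    return f"{run[0]}x{len(run)}{payload[len(run):]}"


def summarize(lines):
    """Aggregate .ida requests: hits per (method, page, fingerprint), hits per
    source IP, the first timestamp seen, and how many lines failed to parse."""
    variants = Counter()
    hosts = Counter()
    first_seen = None
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if not is_ida_probe(rec):
            continue
        page, _, payload = rec['uri'].partition('?')
        variants[(rec['method'], page, fingerprint(payload))] += 1
        hosts[rec['ip']] += 1
        if first_seen is None:
            first_seen = rec['ts']
    return {
        'total': sum(hosts.values()),
        'unique_hosts': len(hosts),
        'first_seen': first_seen,
        'variants': variants,
        'hosts': hosts,
        'skipped': skipped,
    }


def render_html(summary):
    """Render the report; every log-derived string is escaped because the
    request line is attacker-controlled and must not be emitted as markup."""
    out = [f"<p>there have been {summary['total']} ida requests since "
           f"{html.escape(str(summary['first_seen']))} from "
           f"{summary['unique_hosts']} unique hosts</p>"]
    for (method, page, fp), n in sorted(summary['variants'].items()):
        out.append(f"<p>{html.escape(method)} {html.escape(page)} "
                   f"{html.escape(fp)}: {n}</p>")
    for ip, n in summary['hosts'].most_common():
        out.append(f"<p>{html.escape(ip)} has attempted {n} times</p>")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_html(summarize(SAMPLE_LOG.splitlines())))
```

Run it against a real access log by replacing `SAMPLE_LOG.splitlines()` with the open file; the `skipped` count is worth watching, since a custom LogFormat that the regex does not understand would otherwise silently report zero probes.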


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

