Scalp is a log analyzer for the Apache web server written by Romain Gaucher. The goal of this tool is to search through the apache log files and detect the possible attacks that have been sent through HTTP/GET.
Scalp get the regular expression from the PHP-IDS and matches the lines from the acces.log file. This script is written in python and needs a XML which contains the rules to detect the attacks.
You can download Scalp here.
You can download the XML file here.
See below Scalp help. It's interesting run the script and only make searches for xss, sqli, dos.. . attacks.
We ran Nikto and some Metasploit modules against one of my own Apache web servers and then, I analyzed the access.log with Scalp.
I've taken some pictures of the Scalp html report. You can see SQL Injection, Local File Inclusion and Cross Site Scripting attacks.
![]()
![]()
![]()
Scalp get the regular expression from the PHP-IDS and matches the lines from the acces.log file. This script is written in python and needs a XML which contains the rules to detect the attacks.
You can download Scalp here.
You can download the XML file here.
See below Scalp help. It's interesting run the script and only make searches for xss, sqli, dos.. . attacks.
$ ./scalp-0.4.py --help
Scalp the apache log! by Romain Gaucher - http://rgaucher.info
usage: ./scalp.py [--log|-l log_file] [--filters|-f filter_file] [--period time-frame] [OPTIONS] [--attack a1,a2,..,an]
[--sample|-s 4.2]
--log |-l: the apache log file './access_log' by default
--filters |-f: the filter file './default_filter.xml' by default
--exhaustive|-e: will report all type of attacks detected and not stop
at the first found
--tough |-u: try to decode the potential attack vectors (may increase
the examination time)
--period |-p: the period must be specified in the same format as in
the Apache logs using * as wild-card
ex: 04/Apr/2008:15:45;*/Mai/2008
if not specified at the end, the max or min are taken
--html |-h: generate an HTML output
--xml |-x: generate an XML output
--text |-t: generate a simple text output (default)
--except |-c: generate a file that contains the non examined logs due to the
main regular expression; ill-formed Apache log etc.
--attack |-a: specify the list of attacks to look for
list: xss, sqli, csrf, dos, dt, spam, id, ref, lfi
the list of attacks should not contains spaces and comma separated
ex: xss,sqli,lfi,ref
--output |-o: specifying the output directory; by default, scalp will try to write
in the same directory as the log file
--sample |-s: use a random sample of the lines, the number (float in [0,100]) is
the percentage, ex: --sample 0.1 for 1/1000
We ran Nikto and some Metasploit modules against one of my own Apache web servers and then, I analyzed the access.log with Scalp.
python scalp-0.4.py -l /var/log/apache2/access.log -f default_filter.xml -o scalp-output/ --html
I've taken some pictures of the Scalp html report. You can see SQL Injection, Local File Inclusion and Cross Site Scripting attacks.
