Instructions
Requirements and Specifications
As you are graduate-level security professionals, I will leave the types of attacks you extract up to you. Again, for every line after a "-B--" line that contains a potential attack in a GET/POST/OTHER request, you will insert the entire line of that log message as a record into your database. You will be graded on how well you were able to pull different types of attacks from the URL lines. Aim for finding at least two different types of attacks in the example ModSecurity audit logs provided below.
The first thing your program will need to do is create the database table in a ".db" file. The schema for your table will be simple and will look like:
CREATE TABLE attacks(id INTEGER PRIMARY KEY, attack_line TEXT NOT NULL)
You only need to create the table if it doesn't already exist. Look into the SQL commands pages on how you can tell SQL to only create a table if it doesn't exist.
- modsec_audit.log
- modsec_audit.log.1
- modsec_audit.log.2
Source Code
import sqlite3

if __name__ == '__main__':
    # Define the attack keywords. Note that these are plain HTTP methods, so any
    # request line that names one of them is treated as a potential attack.
    attack_keywords = ["GET", "TRACE", "PUT", "POST"]

    # First, create the DB
    conn = sqlite3.connect('attacks.db')
    c = conn.cursor()

    # Create the table only if it does not already exist
    c.execute('''
        CREATE TABLE IF NOT EXISTS attacks
        ([id] INTEGER PRIMARY KEY AUTOINCREMENT,
         [attack_line] TEXT NOT NULL)
    ''')

    # Now, read the file
    file_name = 'modsec_audit.log'
    counter = 0  # Number of attack lines inserted into the database
    with open(file_name, 'r') as file:
        lines = file.readlines()

    while len(lines) > 0:
        line = lines.pop(0)
        # The request line is the line immediately after a "-B--" boundary marker;
        # guard against a marker being the very last line of the file.
        if "-B--" in line and lines:
            url_line = lines.pop(0)
            # Check if the url_line contains an attack keyword
            for keyword in attack_keywords:
                if keyword in url_line:
                    # Insert this url_line into the database. A parameterised query
                    # is used so that quotes in the log line cannot break (or inject
                    # into) the INSERT statement.
                    c.execute("INSERT INTO attacks (attack_line) VALUES (?)", (url_line,))
                    counter += 1
                    break

    conn.commit()
    conn.close()
    print(f"{counter} attacks have been detected from file {file_name} and stored in the database.")
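The following is an added example, not part of the assignment or the submitted solution above: it walks the "-B--" boundaries of a constructed audit-log sample, applies three illustrative detection signatures (SQL injection, path traversal, cross-site scripting) to the URL-decoded request line, and stores each flagged line with a parameterised INSERT into the schema the assignment specifies. The sample log, the signature set and the function names are all assumptions made for this example.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample in ModSecurity audit-log layout (not a real capture): each
# transaction's "-B--" boundary line is followed by that transaction's request line.
SAMPLE_LOG = """--0001-B--
GET /index.php?id=1 HTTP/1.1
--0002-B--
GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1
--0003-B--
GET /download?file=../../etc/passwd HTTP/1.1
--0004-B--
GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
"""

# Illustrative detection signatures (not exhaustive), matched on the URL-decoded line.
ATTACK_PATTERNS = {
    "sqli": re.compile(r"union\s+select|'\s*or\s+[\w']+\s*=|;\s*drop\s", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd", re.I),
    "xss": re.compile(r"<script|javascript:|onerror\s*=", re.I),
}

def request_lines(text):
    """Yield the request line that follows each '-B--' boundary marker."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "-B--" in line and i + 1 < len(lines):
            yield lines[i + 1]

def classify(request_line):
    """Return the names of every signature that fires on the decoded request line."""
    decoded = unquote(request_line)
    return [name for name, pat in ATTACK_PATTERNS.items() if pat.search(decoded)]

def load_attacks(log_text, db_path=":memory:"):
    """Store each flagged request line via a parameterised INSERT; return (rows, hits)."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS attacks(id INTEGER PRIMARY KEY, attack_line TEXT NOT NULL)")
    hits = []
    for line in request_lines(log_text):
        kinds = classify(line)
        if kinds:
            # Bound parameter: a quote inside the log line cannot alter the statement.
            conn.execute("INSERT INTO attacks (attack_line) VALUES (?)", (line,))
            hits.append((line, kinds))
    conn.commit()
    rows = conn.execute("SELECT COUNT(*) FROM attacks").fetchone()[0]
    conn.close()
    return rows, hits
```

Running `load_attacks(SAMPLE_LOG)` flags three of the four transactions and leaves the benign `id=1` request out of the table.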