logids

a guest
Aug 16th, 2014
332
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 3.34 KB | None | 0 0
  1. <?php
  2.  
  3. if( !isset($_FILES['log']) ) {
  4.     echo "<h3>Examinar logs de Apache (access.log)</h3>\n";
  5.     echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">\n";
  6.     echo "Archivo de Log: <input type=\"file\" name=\"log\">\n";
  7.     echo "<input type=\"submit\" value=\"Enviar\">\n";
  8.     echo "</form>\n";
  9.     exit();
  10. }
  11.  
  12. require_once 'IDS/Init.php';
  13.  
  14. try {
  15.     $init = IDS_Init::init('IDS/Config/Config.ini.php');
  16.     $init->config['General']['base_path'] = 'IDS/';
  17.     $init->config['General']['use_base_path'] = true;
  18.     $init->config['Caching']['caching'] = 'none';
  19. } catch (Exception $e) {
  20.     printf('An error occured: %s',$e->getMessage());
  21.     exit();
  22. }
  23.  
  24. $fdesc = fopen($_FILES['log']['tmp_name'], 'r');
  25. if(!$fdesc) {
  26.     echo "<p>Error al abrir el fichero de log</p>";
  27.     exit();
  28. }
  29.  
  30. $linea = fgets($fdesc);
  31. $nlinea = 0;
  32. while( $linea ) {
  33.  
  34.     $nlinea++;
  35.    
  36.     $patron = '/^([^ ]+) [^ ]+ [^ ]+ \[([^\]]+)\] "((?:[^"]*(?:\\\")*[^"]*)*)" ([^ ]+) ([^ ]+) "((?:[^"]*(?:\\\")*[^"]*)*)" "((?:[^"]*(?:\\\")*[^"]*)*)"\n$/';
  37.     $matches = array();
  38.     preg_match($patron, $linea, $matches);
  39.    
  40.     if(count($matches) != 8) {
  41.         echo "<p>Error al parsear la linea $nlinea</p>\n";
  42.         $linea = fgets($fdesc);
  43.         continue;
  44.     }
  45.  
  46.     $ipaddr = $matches[1];
  47.     $datetime = $matches[2];
  48.     $httpreq = stripslashes($matches[3]);
  49.     $status = $matches[4];
  50.     $resplen = $matches[5];
  51.     $referer = stripslashes($matches[6]);
  52.     $useragent = stripslashes($matches[7]);
  53.  
  54.  
  55.     $patron = '/^([^ ]+) ([^ ]+) ([^ ]+)$/';
  56.     $matches = array();
  57.     preg_match($patron, $httpreq, $matches);
  58.    
  59.     if(count($matches) != 4) {
  60.         echo "<p>Error al parsear la solicitud HTTP en la linea $nlinea</p>\n";
  61.         $linea = fgets($fdesc);
  62.         continue;
  63.     }
  64.    
  65.     $method = $matches[1];
  66.     $resource = $matches[2];
  67.     $version = $matches[3];
  68.  
  69.     $partes = explode('?', $resource, 2);
  70.     if(count($partes) == 2) {
  71.         $uri = $partes[0];
  72.         $params = explode('&', $partes[1]);
  73.         $get = array();
  74.  
  75.         foreach($params as $param) {
  76.             $aux = explode('=', $param, 2);
  77.             if( count($aux) == 2) {
  78.                 $varname = urldecode($aux[0]);
  79.                 $varvalue = urldecode($aux[1]);
  80.                 $get[$varname] = $varvalue;
  81.             }
  82.         }
  83.        
  84.         $ids = new IDS_Monitor($get, $init);
  85.         $result = $ids->run();
  86.        
  87.         if (!$result->isEmpty()) {
  88.             echo "<div style=\"font-size:0.8em;font-family:sans-serif;border:solid 1px #AAA;padding:10px;margin:10px;\">\n";
  89.             echo "<h3 style=\"color:red;\">Ataque Detectado</h3>\n";
  90.             echo "<p>\n";
  91.             echo "<b>IP de origen:</b> $ipaddr<br/>\n";
  92.             echo "<b>Fecha/Hora:</b> $datetime<br/>\n";
  93.             echo "<b>Recurso:</b> " . htmlspecialchars($resource) . "<br/>\n";
  94.             echo "<b>C&oacute;digo de respuesta:</b> $status<br/>\n";
  95.             echo "<b>User-Agent:</b> " . htmlspecialchars($useragent) . "<br/>\n";
  96.             echo "<b>Referer:</b> " . htmlspecialchars($referer) . "<br/>\n";
  97.             echo "<b>Nro. de L&iacute;nea:</b> $nlinea<br/>\n";
  98.             echo "</p><p><b>Detalle:</b><br/>\n";
  99.             echo $result;
  100.             echo "</p></div>\n";
  101.         }
  102.     }
  103.  
  104.     $linea = fgets($fdesc);
  105. }