Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Extract modsecurity rule ID from modsec_audit.log
<?php
/***************
* Extract rule ID from modsecurity log
* and print TOP hits by rule ID
*
* @author github.com/odoucet
*
* useful when using mod_security as DETECTION_ONLY mode
*
* USAGE :
* Pipe content on stdin of this script.
* Prefer launching it with 'pv' to have progress :
* pv /var/log/modsec_audit.log |php this_script.php
*****************/
$ruleList = array(); // id => msg
$ruleHits = array(); // id => hits
$fp = fopen('php://stdin', 'r');
while ($line = fgets($fp, 2048)) {
if ($z = preg_match('@ \[id "([0-9]{1,})"\] \[msg "([^"]{1,})"\]@', $line, $r)) {
if (!isset($ruleHits[$r[1]])) {
$ruleList[$r[1]] = $r[2];
$ruleHits[$r[1]] = 0;
}
$ruleHits[$r[1]]++;
}
}
fclose($fp);
arsort($ruleHits);
$sumHits = array_sum($ruleHits);
$i = 0;
foreach ($ruleHits as $id => $hits) {
printf("#%5d %8d hits - %2d%% (%s)\n", $id, $hits, $hits/$sumHits*100, $ruleList[$id]);
$i++;
if ($i >= 50) break;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.