@odoucet
Created May 6, 2015 12:23
Extract modsecurity rule ID from modsec_audit.log
<?php
/***************
* Extract rule ID from modsecurity log
* and print TOP hits by rule ID
*
* @author github.com/odoucet
*
* useful when using mod_security as DETECTION_ONLY mode
*
* USAGE :
* Pipe content on stdin of this script.
* Prefer launching it with 'pv' to have progress :
* pv /var/log/modsec_audit.log |php this_script.php
*****************/
$ruleList = array(); // id => msg
$ruleHits = array(); // id => hits
$fp = fopen('php://stdin', 'r');
// No length limit on fgets(): a long "Message:" line cut in two could lose its [id]/[msg] pair.
// Comparing with !== false avoids stopping early on a line that evaluates to false (e.g. "0").
while (($line = fgets($fp)) !== false) {
    // Match the [id "..."] [msg "..."] pair ModSecurity writes in audit part H
    if (preg_match('@ \[id "([0-9]{1,})"\] \[msg "([^"]{1,})"\]@', $line, $r)) {
        if (!isset($ruleHits[$r[1]])) {
            $ruleList[$r[1]] = $r[2];
            $ruleHits[$r[1]] = 0;
        }
        $ruleHits[$r[1]]++;
    }
}
fclose($fp);
arsort($ruleHits); // most hits first
$sumHits = array_sum($ruleHits);
if ($sumHits == 0) {
    fwrite(STDERR, "No rule hits found on stdin\n"); // also avoids a division by zero below
    exit(1);
}
$i = 0;
foreach ($ruleHits as $id => $hits) {
    printf("#%5d %8d hits - %2d%% (%s)\n", $id, $hits, $hits / $sumHits * 100, $ruleList[$id]);
    $i++;
    if ($i >= 50) break; // only print the TOP 50 rules
}
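The gist counts every matching line; when tuning a DetectionOnly deployment it also helps to know over how many transactions and distinct clients a rule fired, since a rule that is noisy across many clients is a tuning candidate while one hammered from a single client looks more like a scan. The following is an added example (not the gist's code, and in Python rather than PHP): it walks the serial audit-log format part by part (the `--xxxxxxxx-A--` boundary opens a transaction, part A carries the client IP, part H carries the rule messages), accepts tags such as `[rev "..."]` between `[id]` and `[msg]`, and prints the same top-N ranking with the extra columns. The boundary and part A layouts are assumed from the standard ModSecurity 2.x serial audit log; the sample log is constructed.

```python
import re
import sys
# Constructed sample in ModSecurity's serial audit-log format (two transactions, one client).
SAMPLE_LOG = """\
--abcd1234-A--
[06/May/2015:12:00:01 +0200] VUngXn8AAQEAAFtCc1IAAAAA 203.0.113.5 54321 198.51.100.10 80
--abcd1234-H--
Message: Warning. Pattern match "..." at ARGS:id. [file "/etc/modsecurity/rules.conf"] [line "42"] [id "981231"] [msg "SQL Comment Sequence Detected"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules.conf"] [line "1"] [id "981176"] [msg "Inbound Anomaly Score Exceeded"]
--abcd1234-Z--
--abcd1235-A--
[06/May/2015:12:00:02 +0200] VUngXn8AAQEAAFtCc1IAAAAB 203.0.113.5 54322 198.51.100.10 80
--abcd1235-H--
Message: Warning. Pattern match "..." at ARGS:q. [file "/etc/modsecurity/rules.conf"] [line "42"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected"]
Message: Warning. Pattern match "..." at ARGS:q. [file "/etc/modsecurity/rules.conf"] [line "43"] [id "981231"] [msg "SQL Comment Sequence Detected"]
--abcd1235-Z--
"""
BOUNDARY = re.compile(r'^--([0-9a-f]+)-([A-Z])--$')
# Like the gist's pattern, but tolerates tags such as [rev "..."] between id and msg.
RULE = re.compile(r'\[id "(\d+)"\](?: \[[a-z]+ "[^"]*"\])* \[msg "([^"]+)"\]')
# Part A line: "[timestamp] unique_id client_ip client_port server_ip server_port"
CLIENT = re.compile(r'^\[[^\]]+\] \S+ (\S+) \d+ \S+ \d+$')

def summarise(lines):
    """Per rule ID: hits, distinct transactions, distinct client IPs, first msg seen."""
    stats, section, txn, client = {}, None, None, None
    for line in lines:
        if m := BOUNDARY.match(line):  # new part; part A opens a transaction
            txn, section = m.group(1), m.group(2)
            client = None if section == "A" else client
        elif section == "A" and (m := CLIENT.match(line)):
            client = m.group(1)
        elif section == "H" and (m := RULE.search(line)):
            s = stats.setdefault(m.group(1), {"msg": m.group(2), "hits": 0,
                                              "txns": set(), "clients": set()})
            s["hits"] += 1
            s["txns"].add(txn)
            s["clients"].add(client or "unknown")  # part A missing or unparsable
    return stats

def top_rules(stats, limit=50):
    """Rank by hits as the gist does; hits vs. distinct txns/clients separates a noisy rule from one scanning client."""
    total = sum(s["hits"] for s in stats.values()) or 1  # avoid division by zero
    rank = sorted(stats.items(), key=lambda kv: -kv[1]["hits"])[:limit]
    return [(rid, s["hits"], round(100 * s["hits"] / total), len(s["txns"]),
             len(s["clients"]), s["msg"]) for rid, s in rank]
if __name__ == "__main__":  # usage: python3 this_script.py /var/log/modsec_audit.log
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for row in top_rules(summarise(src)):
        print("#%6s %8d hits - %2d%% %5d txns %5d clients (%s)" % row)
```

Run without an argument it reports on the embedded sample; with a path it reads that audit log (or pipe it through `pv` and pass `/dev/stdin`).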