Created
March 31, 2015 18:34
-
-
Save rorysavage77/b5954e00090eec85cfdc to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/ruby | |
| ################################################################## | |
| ## modruby - a tools for parsing the modsecurity audit logs and ## | |
| ## taking action. ## | |
| ################################################################## | |
| $modSecurityLog="./logs/modsec_audit.log" | |
| $securityString1="POST /activfoundation/login/oauth/facebook/callback" | |
| $securityString2="HTTP/1.1 400 Bad Request" | |
| $count=0 | |
| $/ = "-Z--\n"; ## Input Record Seperator to create chunk | |
| file = File.open("./logs/modsec_audit.log", "r") | |
| file.each_line do |chunk| | |
| if chunk.include?("#{$securityString1}") | |
| $count += 1 | |
| puts "######################################################" | |
| puts "Entry found for search String (#{$securityString1})" | |
| puts "######################################################" | |
| $/ = "\n"; | |
| chunk.each_line do |line| | |
| if line =~ /CF-Connecting-IP: (\d+.\d+.\d+.\d+)/ | |
| cfConntingIp = line.split("CF-Connecting-IP: ", 2) | |
| puts cfConntingIp | |
| end | |
| end | |
| #print chunk | |
| end | |
| end | |
| file.close | |
| puts "Count: #{$count}" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment