Maybe not exactly a full step, but you will understand later on why not.

In the ending of the article I mentioned that there is a wordpress plugin that does just that, it is called access log (duh) and you can download it from here. After installing the plugin and configuring it you may also want to decode the REQUEST_URI because that will help later on for analysis. Just add the rawurldecode function to the code:

$href = rawurldecode($_SERVER['REQUEST_URI']);

Another important step after installing/configuring the plugin would be to protect the log directory from unwanted visitors. I use a simple .htaccess file to accomplish the task. The following example denotes the rewrite rule I use:

RewriteRule ^(.*)$ http://insanesecurity.info [R=301,L]

If you’re a stranger towards .htaccess files you might be interested in, a short resource based article I wrote, .htaccess 101.

After a while of log harvesting you might be interested in analyzing the logs and find potential intruders/attackers. That’s when Scalp comes in.

Scalp! is a log analyzer for the Apache web server that aims to look for security problems. The main idea is to look through huge log files and extract the possible attacks that have been sent through HTTP/GET (By default, Apache does not log the HTTP/POST variable).

And this is the reason why we take a partial step, because it doesn’t support custom access log files, thus we cannot analyze POST requests. But let’s give Romain some time, as he’s working on a improved C++ version of it, which hopefully will have this feature.

Among Scalps features (options) are the following:

• tough: Will decode a part of potential attacks (this is done to use better the regexp from PHP-IDS in order to decrease the false-negative rate)
• period: Specify a time-frame to look at, all the rest will be ignored
• sample: Does a random sampling of the log lines in order to look at a certain percentage, this is useful when the user doesn’t want to do a full scan of all the log, but just ping it to see if there is some problem…
• attack: Specify what classes of vulnerabilities the tool will look at (eg, look only for XSS, SQL Injection, etc.)

The things that Scalp can find are: XSS, CSRF, SQL Injection, LFI, RFE (or RFI as some call it), DOS, Directory Transversal, Spam and Information Disclosure.

For more information you can visit the start page of the project here, or just go to the download section here. Almost forgot to mention, Scalp is a python script.

Not done just yet, Scalp works with PHP-IDS’s filters, so you’ll have to download the filter (xml) file from their website to get things working.

Enough said, hopefully Scalp will help you in preventing attackers, rather than helping you in attack forensics.