Forked from rorysavage77/gist:b5954e00090eec85cfdc
Last active
August 29, 2015 14:18
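#!/bin/ruby
##################################################################
## modruby - a tool for parsing the ModSecurity audit log and   ##
## taking action.                                               ##
##################################################################
#
# Reads the audit log one entry at a time, counts the entries that contain
# $securityString1, and prints the IPv4 address found on every
# "CF-Connecting-IP: " line of each matching entry.

$modSecurityLog = "./logs/modsec_audit.log"
$securityString1 = "POST /activfoundation/login/oauth/facebook/callback"
$securityString2 = "HTTP/1.1 400 Bad Request" # not referenced anywhere below
$count = 0

# Each audit-log entry is read up to and including a line ending in "-Z--".
# The separator is passed explicitly instead of reassigning the global $/,
# so no other line-based I/O in the process is affected.
entry_separator = "-Z--\n"

# Binary mode: the log holds request data supplied by clients, which is not
# guaranteed to be valid UTF-8; matching on raw bytes keeps the regexp from
# raising on an invalid byte sequence. The block form closes the file even
# when an exception is raised part-way through.
File.open($modSecurityLog, "rb") do |log|
  log.each_line(entry_separator) do |chunk|
    next unless chunk.include?($securityString1)

    $count += 1
    puts "######################################################"
    puts "Entry found for search String (#{$securityString1})"
    puts "######################################################"

    chunk.each_line("\n") do |line|
      # Dots are escaped so only a dotted-quad matches, and only the captured
      # address is printed rather than the rest of the client-controlled line.
      # IPv6 values are not matched.
      # NOTE(review): the match is not limited to the request-header part of
      # the entry, and CF-Connecting-IP is only meaningful when the origin
      # accepts traffic solely from Cloudflare - confirm before taking
      # blocking action on these addresses.
      ip = line[/CF-Connecting-IP: (\d+\.\d+\.\d+\.\d+)/, 1]
      puts ip if ip
    end
    #print chunk
  end
end

puts "Count: #{$count}"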