Scalp takes the regular expressions from PHP-IDS and matches them against the lines of the access.log file. The script is written in Python and needs an XML file containing the rules used to detect the attacks.
You can download Scalp here.
You can download the XML file here.
Scalp's help output is shown below. It is useful to run the script searching only for particular attack types, such as xss, sqli or dos.
$ ./scalp-0.4.py --help
Scalp the apache log! by Romain Gaucher - http://rgaucher.info
usage:  ./scalp.py [--log|-l log_file] [--filters|-f filter_file] [--period time-frame] [OPTIONS] [--attack a1,a2,..,an] [--sample|-s 4.2]
   --log       |-l:  the apache log file './access_log' by default
   --filters   |-f:  the filter file './default_filter.xml' by default
   --exhaustive|-e:  will report all type of attacks detected and not stop at the first found
   --tough     |-u:  try to decode the potential attack vectors (may increase the examination time)
   --period    |-p:  the period must be specified in the same format as in the Apache logs using * as wild-card
                     ex: 04/Apr/2008:15:45;*/Mai/2008
                     if not specified at the end, the max or min are taken
   --html      |-h:  generate an HTML output
   --xml       |-x:  generate an XML output
   --text      |-t:  generate a simple text output (default)
   --except    |-c:  generate a file that contains the non examined logs due to the main regular expression; ill-formed Apache log etc.
   --attack    |-a:  specify the list of attacks to look for
                     list: xss, sqli, csrf, dos, dt, spam, id, ref, lfi
                     the list of attacks should not contains spaces and comma separated ex: xss,sqli,lfi,ref
   --output    |-o:  specifying the output directory; by default, scalp will try to write in the same directory as the log file
   --sample    |-s:  use a random sample of the lines, the number (float in [0,100]) is the percentage, ex: --sample 0.1 for 1/1000
We ran Nikto and some Metasploit modules against one of my own Apache web servers and then I analyzed the access.log with Scalp.
python scalp-0.4.py -l /var/log/apache2/access.log -f default_filter.xml -o scalp-output/ --html
I've taken some pictures of the Scalp HTML report. You can see SQL Injection, Local File Inclusion and Cross-Site Scripting attacks.
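As an added illustration (not Scalp's own code), the following Python script reproduces the mechanism described above: it loads a PHP-IDS-style filter XML, URL-decodes the request URI of each Apache access.log line and reports which rule tags match, with the equivalents of --attack, --tough, --exhaustive and --except marked in comments. The filter XML, its three regexes and the log lines are constructed for this example; the XML layout is assumed to mirror default_filter.xml, and only the request URI is examined.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus
# Constructed rule file in the PHP-IDS layout Scalp reads (assumed shape; the regexes are simplified stand-ins, not PHP-IDS rules).
FILTER_XML = r"""<filters>
<filter><id>1</id><rule><![CDATA[<script[^>]*>]]></rule><tags><tag>xss</tag></tags></filter>
<filter><id>2</id><rule><![CDATA[\bunion\b.{0,20}\bselect\b]]></rule><tags><tag>sqli</tag></tags></filter>
<filter><id>3</id><rule><![CDATA[(?:\.\./){2,}]]></rule><tags><tag>dt</tag><tag>lfi</tag></tags></filter>
</filters>"""

# Apache combined log format; lines that do not match are set aside (like --except).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) \S+" \d{3} \S+')

# Constructed sample access.log lines (RFC 5737 documentation addresses).
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2012:13:55:36 +0200] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2012:13:55:37 +0200] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 200 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2012:13:56:01 +0200] "GET /item.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2012:13:56:02 +0200] "GET /view.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'this line is not in Apache log format',
]

def load_filters(xml_text, attacks=None):
    """Compile each <filter>; `attacks` keeps only rules tagged with those names (like --attack)."""
    rules = []
    for f in ET.fromstring(xml_text).iter("filter"):
        tags = [t.text for t in f.iter("tag")]
        if attacks is None or set(tags) & set(attacks):
            rules.append((int(f.findtext("id")), re.compile(f.findtext("rule"), re.I), tags))
    return rules

def decode(value, passes=3):
    """URL-decode repeatedly so double-encoded requests are examined too (like --tough)."""
    while passes and unquote_plus(value) != value:
        value, passes = unquote_plus(value), passes - 1
    return value

def scan_log(lines, rules):
    """Return (hits, skipped): one hit per line listing every matching rule tag (like --exhaustive)."""
    hits, skipped = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped.append(line)
            continue
        uri = decode(m.group("uri"))  # only the request URI is examined here (assumption)
        matched = [tags for _, rx, tags in rules if rx.search(uri)]
        if matched:
            hits.append({"ip": m.group("ip"), "uri": uri, "attacks": sorted({t for tags in matched for t in tags})})
    return hits, skipped
```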