-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathdetect_http_attack.conf
127 lines (116 loc) · 3.04 KB
/
detect_http_attack.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
#
# Detect HTTP Attack
#
# Configuration file
#
#=========================
#=========================
# Exclueded access targets
#==========================
#
# Excluded hosts (comma-separated)
exc_hosts=127.0.0.1
# Excluded User-Agent (regular expression with ignored case)
exc_ua_match=bot|google
# Excluded path (regular expression)
exc_path_match=\.(js|css|jpg|gif|png|ico)$
#==================
# Output Template
#==================
#
# Template consists of three lines 'head', 'body' and 'foot'.
# Attack log treats sequential accesses from each host as BLOCK.
# 'head' is a first line of BLOCK.
# 'body' is a line for each access.
# 'foot' is a last line of BLOCK.
#
# If '-n' flag is specified,
# attack access is printed as 'serr' line to STDERR
# whenever they are detected.
#
# Each line is specified escape sequences and fields.
# Field name begins with '$'.
#
#
# == Field List ==
#
# = Apache, Nginx Combined Log Format =
#
# > $host $ident $user [$time] "$req" $status $size $referer "$ua"
# > 66.249.XX.XX - - [10/Feb/2013:10:27:45 +0900] "GET / HTTP/1.1" 200 1500 "-" "Searchbot/2.1"
#
# host = 66.249.XX.XX
# ident = -
# user = -
# time = 10/Feb/2013:10:27:45 +0900
# req = GET / HTTP/1.1
# status = 200
# size = 1500
# referer = -
# ua = Searchbot/2.1
#
# And futhermore, req is broken down into method, path and version.
#
# method = GET
# path = /
# version = HTTP/1.1
#
#
# = LTSV Format =
#
# Field name is applied to each label.
# And futhermore, req is broken down into method, path and version.
#
#
# == Formats ==
#
# = Terminal View Format for "tail -f access_log | " =
#
# head is host, count, ua.
# host that is IP address or Hostname is cyan bold.
# count that is the number of sequential access is magenta.
# ua that is User-Agent is green.
#
# body is date, status, path, size.
# date is access date time by Ruby standard output.
# status is HTTP status code.
# path is the request path of URL.
# referer is HTTP Referer.
#
# foot is empty line.
#
# serr is red host, count, ua, date, status, path and referer at two lines.
#
head=\e[36m\e[1m$host\e[0m\t\e[35m$count\e[0m\t\e[32m$ua\e[0m\n
body=$date\t$status\t$path\t$referer\n
foot=\n
serr=\e[31m\e[1m$host\e[0m\t\e[33m\e[1m$count\e[0m\t$ua\n$date\t$status\t$path\t$referer\n\n
#
# = Terminal View Format without color sequences =
#
#head=$host\t$count\t$ua\n
#body=$date\t$status\t$path\t$referer\n
#foot=\n
#serr=$host\t$count\t$ua\n$date\t$status\t$path\t$referer\n\n
#
# = LTSV format =
#
# head and foot aren't output.
# body is time, host and req.
#
##head=
#body=time:[$time]\thost:$host\treq:$req\n
##foot=
#serr=time:[$time]\thost:$host\treq:$req\n
# == Date Format ==
#
# Specify output format of 'date' field
#
# The default is ISO 8601 format. ex. 2001-02-03T04:05:06-07:00
# For detail of definition, refer to
# http://www.ruby-doc.org/stdlib-1.9.3/libdoc/date/rdoc/DateTime.html#method-i-strftime
#
#
# ISO 8601 format without Time zone offset
# ex) 2001-02-03T04:05:06
#date_format=%Y-%m-%dT%H:%M:%S