Analyse Apache logs for hacking attempts

MortimerCat asked:
I am looking for software (either open source or licensed) that will analyse Apache logs. However, I am not after the usual analysis of my website visitors; I am more interested in the strange entries (possible hacking attempts) within my logs.

Is there any software that will spot entries like
"GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 300 "-" "-"
 or
"GET //mysql/main.php HTTP/1.1" 404 242 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
or
"GET //pp/anp.php?a=%5DQJWQT_E%40ZG%5C&b=1155&c=b44a HTTP/1.1" 404 236 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

and provide meaningful analysis such as:
Attempt to find MySQL control panel by IP 000.000.000.00 - did not succeed.
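
To illustrate, even something home-grown that maps known patterns to plain-English messages would do. A rough sketch of what I mean (assuming the standard combined log format, where the client address is the first field; the patterns and wording are only examples, and access_log stands for whatever the log file is called):

awk '/w00tw00t/           { print $1, "- DFind scanner probe" }
     /\/mysql\/main\.php/ { print $1, "- probe for a MySQL control panel" }' access_log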

I do not know of any system that does this.
The reason: these attacks change every day. As a new vulnerability is announced, a few hackers will write code or attacks for it. These start to show up in the log files and then die down a few months later, once most systems have been patched.

I do not think anyone keeps software that does this up to date.

There are two other methods you could use.

1. Add a path to your URLs. Have the first page as index.html (or whatever) and then move all other pages into a subdirectory,
so you have
www.domain.com/index.html
www.domain.com/site/main.html
www.domain.com/site/faq.html

You could then search for requests that do not fit that pattern.
If you use a Linux system you could do something like

grep -v "/site/" access | grep -v "index.html"

This will give you all the pages that do not fit your naming system.
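
To see who is doing the probing, you could go one step further and count the off-pattern requests per client address (a sketch; it assumes the combined log format, where the client IP is the first field):

grep -v "/site/" access | grep -v "index.html" | awk '{print $1}' | sort | uniq -c | sort -rn

The busiest addresses float to the top; expect some noise from harmless requests like favicon.ico or robots.txt.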

2. A honeypot. It's not a million miles away from the above suggestion. You set up a site that does nothing except monitor activity. If the hackers have found it (or rather their robotic tools have found it), then nearly all the requests in its log will be hack attempts.
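
As a sketch of what that could look like with Apache virtual hosts (the names and paths below are only placeholders): give the decoy its own log file, and since it serves nothing real, whatever lands in that log deserves a close look.

<VirtualHost *:80>
    # Decoy vhost: serves nothing real, so its access log should
    # contain little besides probes and scanner traffic.
    ServerName honeypot.example.com
    DocumentRoot /var/www/honeypot
    CustomLog /var/log/apache2/honeypot_access.log combined
</VirtualHost>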

Author commented:
I think the lack of comments has answered the question.

I suppose extracting the 404 (page not found) requests would be a start, although those are the failed hacking attempts; the real problem is when a hacker finds a vulnerable page.
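
For instance, with the combined log format the status code is the ninth whitespace-separated field, so something like this would pull out the 404s (access_log standing in for whatever the log file is called):

awk '$9 == 404' access_log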

Being able to eliminate known spiders from the log would be handy too.
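
Something along these lines might do it, though the robot names below are only examples and a real list would be much longer:

grep -viE "googlebot|msnbot|slurp" access_log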
> .. extracting the 404
yes, that is a good first step

Are you familiar with tools like egrep or perl? Then you can build your own extraction tool with just a few one-line commands.
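
For example, a single pipeline that keeps the 404s, drops a few known spiders, and counts the probed URLs per client (it assumes the combined log format; again, the robot names are only examples):

awk '$9 == 404' access_log | egrep -vi "googlebot|msnbot|slurp" | awk '{print $1, $7}' | sort | uniq -c | sort -rn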
