rmkml/etplc
Welcome to E.T. Proxy Logs Checker [ETPLC].

ETPLC is a new open source project for checking proxy logs against the Emerging Threats Open rules. It is a production-ready version; all feedback is welcome.

Follow the project on http://etplc.org, http://sourceforge.net/projects/etplc/ or https://github.com/rmkml/etplc.

A native Perl version and a new version based on Python (v3 and v2) are available. The new initial version of the Splunk "Connector" for the ETPLC project is here. The Elasticsearch "Connector" for the ETPLC project is here.

How it works:

First, check that you are using the latest Emerging Threats Open rules from the download page.

perl:
  realtime:
    tail -f /var/log/messages | perl etplc.pl -f emergingall_sigs_snort290b.rules
  realtime through syslog:
    tail -f /var/log/messages | perl etplc.pl -s -f emergingall_sigs_snort290b.rules
  offline:
    cat /var/log/messages | perl etplc.pl -f emergingall_sigs_snort290b.rules

python2:
  realtime:
    tail -f /var/log/messages | python2 etplc.py2 -f emergingall_sigs_snort290b.rules
  realtime through syslog:
    tail -f /var/log/messages | python2 etplc.py2 -s -f emergingall_sigs_snort290b.rules
  offline:
    cat /var/log/messages | python2 etplc.py2 -f emergingall_sigs_snort290b.rules

python3:
  realtime:
    tail -f /var/log/messages | python3 etplc.py3 -f emergingall_sigs_snort290b.rules
  realtime through syslog:
    tail -f /var/log/messages | python3 etplc.py3 -s -f emergingall_sigs_snort290b.rules
  offline:
    cat /var/log/messages | python3 etplc.py3 -f emergingall_sigs_snort290b.rules

New option: restrict log checking by category. If your logs contain proxy logs, use -c proxy; if your logs contain web server logs, use -c webserver. By default, or without this option, any logs are checked.

If you need debugging, enable it on the command line with: -d

If you run the etplc script and get this error:
  aucun parser ne correspond au motif !!! ...
then sorry, etplc did not recognize your logs; please submit them to the list.

Don't forget: for the best recognition of vulnerabilities, you need to enable extra log options such as Referer/User-Agent/Cookie.

The ETPLC project recognizes SSL Connect in your logs; if it does not, please submit them to the list.

Thank you to the Emerging Threats Open Community.

The ETPLC script is designed in 3 parts:
- first, load and convert the Emerging Threats Open rules
- second, parse the proxy logs
- third, match ET_rules <=> Proxy_logs

You can follow the ETPLC project on [email protected]
Contact: [email protected] / Twitter: @Rmkml

ETPLC project source code is under the GPLv2. A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
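As an added illustration of the three-part design (load rules, parse proxy logs, match), and not the project's own Perl or Python code, the following Python sketch loads a few Snort 2.9-style rules, parses combined-format proxy log lines, and matches each rule's content/http_* buffers against the parsed fields. It also shows the two edge cases the text mentions: a CONNECT line (only host:port is visible, so URI rules cannot fire) and a line no parser recognizes (the "aucun parser ne correspond au motif" case). The rule messages, sids, hostnames and log lines are all constructed for this example and are not real ET signatures.

```python
"""Toy ETPLC-style checker: load ET-style rules, parse proxy logs, match.
Added illustration only; rules, sids and log lines below are constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample rules (Snort 2.9 syntax); sids 9000001/2 are placeholders.
SAMPLE_RULES = r'''
# comments and disabled (#-prefixed) rules are skipped, as in real rule files
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE suspicious uri path"; flow:established,to_server; content:"/wp-login|2E|php"; http_uri; nocase; content:"POST"; http_method; classtype:web-application-attack; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE unusual user-agent"; flow:established,to_server; content:"ExampleBot/1.0"; http_user_agent; sid:9000002; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE disabled rule"; content:"/never"; http_uri; sid:9000003; rev:1;)
'''

# Constructed proxy log lines in Apache/Squid "combined" format (with Referer
# and User-Agent enabled, as the README recommends).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST http://blog.example.test/wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Oct/2023:13:55:40 +0000] "GET http://www.example.test/index.html HTTP/1.1" 200 1024 "-" "ExampleBot/1.0"',
    '10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET http://blog.example.test/wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [10/Oct/2023:13:55:42 +0000] "CONNECT mail.example.test:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    'garbage line that no parser recognizes',
]

# One rule option: name, optional quoted or bare value, terminating ';'
OPT_RE = re.compile(r'\s*(\w+)(?::(?:"((?:[^"\\]|\\.)*)"|([^;]*)))?;')
HEX_RE = re.compile(r'\|([0-9A-Fa-f ]+)\|')
# Snort content modifiers -> the log field (buffer) they apply to
MODIFIER_TO_BUFFER = {"http_uri": "uri", "http_raw_uri": "uri", "http_method": "method",
                      "http_user_agent": "user_agent", "http_host": "host",
                      "http_header": "header", "http_raw_header": "header"}


def _decode_content(value: str) -> str:
    """Expand |2E 2F| hex escapes and unescape \\" \\; \\\\ in a content value."""
    value = HEX_RE.sub(lambda m: bytes.fromhex(m.group(1).replace(" ", "")).decode("latin-1"), value)
    return re.sub(r'\\(.)', r'\1', value)


def load_rules(text: str) -> List[Dict]:
    """Part 1: convert rule lines into {msg, sid, matches:[{buffer, value, nocase, negate}]}."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        body = line[line.find("(") + 1: line.rfind(")")]
        rule = {"msg": "", "sid": 0, "matches": []}
        for name, quoted, bare in OPT_RE.findall(body):
            if name == "content":
                negate = bare.strip().startswith("!")          # content:!"..."
                raw = bare.strip()[1:].strip().strip('"') if negate else quoted
                rule["matches"].append({"buffer": "raw", "value": _decode_content(raw),
                                        "nocase": False, "negate": negate})
            elif name in MODIFIER_TO_BUFFER and rule["matches"]:
                rule["matches"][-1]["buffer"] = MODIFIER_TO_BUFFER[name]  # applies to last content
            elif name == "nocase" and rule["matches"]:
                rule["matches"][-1]["nocase"] = True
            elif name == "msg":
                rule["msg"] = quoted
            elif name == "sid":
                rule["sid"] = int(bare.strip())
        if rule["matches"]:
            rules.append(rule)
    return rules


LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Part 2: split one combined-format proxy line into matchable buffers."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # no parser matched this line
    method, url = m.group("method"), m.group("url")
    if method == "CONNECT":              # TLS tunnel: only host:port is logged
        host, uri = url, ""
    else:
        parts = urlsplit(url)
        host = parts.netloc
        uri = parts.path + ("?" + parts.query if parts.query else "")
    headers = f"Host: {host}\r\nUser-Agent: {m.group('ua')}\r\nReferer: {m.group('referer')}\r\n"
    return {"raw": line, "method": method, "host": host, "uri": uri,
            "user_agent": m.group("ua"), "referer": m.group("referer"), "header": headers}


def _content_hits(match: Dict, event: Dict[str, str]) -> bool:
    haystack, needle = event.get(match["buffer"], ""), match["value"]
    if match["nocase"]:
        haystack, needle = haystack.lower(), needle.lower()
    return (needle in haystack) != match["negate"]


def check_line(rules: List[Dict], line: str) -> Optional[List[int]]:
    """Part 3: sids of all rules whose every content match hits; None if unparsed."""
    event = parse_log_line(line)
    if event is None:
        return None
    return [r["sid"] for r in rules if all(_content_hits(m, event) for m in r["matches"])]


def check_lines(rules: List[Dict], lines: List[str]) -> List[Optional[List[int]]]:
    return [check_line(rules, line) for line in lines]


if __name__ == "__main__":
    loaded = load_rules(SAMPLE_RULES)
    for log, sids in zip(SAMPLE_LOGS, check_lines(loaded, SAMPLE_LOGS)):
        print("UNPARSED" if sids is None else sids, log[:70])
```

Real ET rules use many more options (pcre, distance/within, flowbits, isdataat) than this sketch handles, which is why the README points at the full Perl/Python scripts; the point here is the data flow: a rule becomes a list of (buffer, pattern) requirements, a log line becomes a dictionary of buffers, and a hit is every requirement satisfied on the same event.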