E.T. Proxy Logs Checker [ETPLC]

ETPLC is an easy-to-use open source project built on Syslog-NG:

- First, install Syslog-NG on your Linux box (v3.5.6 on Ubuntu 16.04 LTS here)

- Second, install Perl plus its dependencies (v5.22.1 here) and ETPLC from the download page

- Change the Syslog-NG configuration like this:

destination d_prog { program("/usr/bin/perl /var/tmp/etplc_13jul2016a.pl -f /var/tmp/emergingall_sigs15jul2016a_snort290b.rules.gz -s"); };
log { source(s_src); destination(d_prog); };

- Of course, check the Perl and ETPLC paths and the Syslog-NG source / filter / destination definitions if needed...

- ETPLC sends alerts to localhost:514/udp by default with the "-s" option
(see all options with "-h" on the command line)

- ETPLC currently supports Squid / Apache / Nginx / Forefront / BlueCoat / McAfee Web Gateway / IIS logs
(depending on the web proxy log fields)


- OK, now a small test with this example (an Apache web server log line here):

/usr/bin/logger '1.1.1.1 - - [26/Nov/2013:22:39:07 +0100] "GET /muieblackcat HTTP/1.1" 404 218'
(data flow: logger sends the message to syslog-ng, and syslog-ng sends it to the ETPLC program, depending on your Syslog-NG configuration of course)

WARNING: /usr/bin/logger only passes 1k of log message on many Linux distributions! (longer lines cause an ETPLC alert parser error)

- ETPLC alerting on localhost for this example:

Jul 12 23:45:13 127.0.0.1 localhost etplc: ok trouvé: timestamp: Jul 12 23:45:13, server_hostname_i : localhost, client_hostname_ip: 1.1.1.1, client_http_method: GET, client_http_uri: /muieblackcat, http_reply_code: 404, etmsg: ET WEB_SERVER Muieblackcat scanner, etmethod: GET, eturishort: /muieblackcat, eturilen: 13

- Because a NIDS signature already exists for this:
zgrep "ET WEB_SERVER Muieblackcat scanner" emergingall_sigs15jul2016a_snort290b.rules.gz
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Muieblackcat scanner"; flow:established,to_server; urilen:13; content:"GET"; http_method; content:"/muieblackcat"; http_uri; classtype:attempted-recon; sid:2013115; rev:4;)
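To show what the match above amounts to, here is an added Python sketch (not ETPLC's own Perl code) that parses the Apache line, pulls the http_method / http_uri / urilen constraints out of the ET rule, and emits an ETPLC-style alert; the alert field names and layout are assumptions modelled on the syslog output shown above.

```python
import re
# Constructed inputs copied from the page's example: the Apache log line and the
# ET rule it triggers. Illustrative re-implementation of the matching idea, not ETPLC code.
APACHE_LINE = '1.1.1.1 - - [26/Nov/2013:22:39:07 +0100] "GET /muieblackcat HTTP/1.1" 404 218'
ET_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
           '(msg:"ET WEB_SERVER Muieblackcat scanner"; flow:established,to_server; '
           'urilen:13; content:"GET"; http_method; content:"/muieblackcat"; http_uri; '
           'classtype:attempted-recon; sid:2013115; rev:4;)')

# Apache common/combined format: client ident user [timestamp] "METHOD URI PROTO" status ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<code>\d{3})')

def parse_apache(line):
    """Return the fields ETPLC reports (client ip, method, uri, reply code), or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def parse_rule(rule):
    """Pull msg, sid, urilen and the http_method/http_uri content checks from a Snort rule.
    Assumption: only exact urilen and plain (non-negated, case-sensitive) content are handled."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    out = {'msg': None, 'sid': None, 'urilen': None, 'http_method': [], 'http_uri': []}
    pending = None  # last content:"..." waiting for its http_* buffer modifier
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', body):  # split on ';' outside quotes
        key, _, val = opt.strip().partition(':')
        if key == 'msg': out['msg'] = val.strip('"')
        elif key == 'sid': out['sid'] = int(val)
        elif key == 'urilen' and val.isdigit(): out['urilen'] = int(val)
        elif key == 'content': pending = val.strip('"')
        elif key in ('http_method', 'http_uri') and pending is not None:
            out[key].append(pending); pending = None
    return out

def matches(entry, rule):
    """True when every HTTP-buffer constraint of the rule holds for the log entry."""
    if rule['urilen'] is not None and len(entry['uri']) != rule['urilen']:
        return False
    return (all(c == entry['method'] for c in rule['http_method'])
            and all(c in entry['uri'] for c in rule['http_uri']))

def check_line(line, rules):
    """One alert string per matching rule, in the spirit of ETPLC's syslog message."""
    entry = parse_apache(line)
    if entry is None:
        return []  # unparsable line (e.g. truncated by logger's 1k limit): no alert
    return [f"etmsg: {r['msg']}, sid: {r['sid']}, client_hostname_ip: {entry['client']}, "
            f"client_http_method: {entry['method']}, client_http_uri: {entry['uri']}, "
            f"http_reply_code: {entry['code']}, eturilen: {len(entry['uri'])}"
            for r in rules if matches(entry, r)]
```

Calling check_line(APACHE_LINE, [parse_rule(ET_RULE)]) yields one alert naming the Muieblackcat signature; a line with a different URI length or an unparsable line yields none.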

Feedback is welcome.
Thank you #Syslog-NG, the InfoSec community and the @EmergingThreats team!