Open source web server protection and analysis tool
Version: 0.1
Code Blue can help you understand what is really happening on your web server in the context of security. The report helps you identify worms, bad robots (e.g. spam harvesters), vulnerability scanners and so on.
Operating System: Mac OS X
Unlike programs such as analog, which report on usage patterns, Code Blue takes a different approach by "looking" at web logs from the security perspective.
Web servers face many vulnerabilities and threats, including worms, buffer overflow requests, SQL injection, bad robots and others.
Code Blue provides detailed analysis of web server logs either statically (a saved file) or dynamically (live data) and produces a report listing the possible threats/exploits together with the information needed to identify the perpetrator (IP address).
Here are some key features of "Code Blue":
Fully compatible with all major log file formats (e.g. IIS, Apache)
Processes all known formats, including IIS logs as well as the Common Log Format and Combined Log Format (Apache, iPlanet, etc.)
Web server vulnerability database
There are a number of tools for identifying possible exploits on a web server (e.g. Whisker, Nikto). The exploits they probe for range from misconfigured server and/or program settings to vulnerabilities in server-side programs (Perl/CGI, ASP, JSP, etc.). Our product has a database of known scanning entries and alerts the user when such vulnerability tools are used against the server.
Expert attackers prefer custom requests, tailored to factors such as the server configuration, to pinpoint specific vulnerabilities. One example is an overflow attack, in which security is compromised by overloading certain parameters in the request. Our program identifies such entries according to the user's settings.
Variety of exploit types
The program identifies malicious entries left by worms such as Code Red and Nimda. Even if the web server is properly patched and/or not affected, such entries are a sign of an incompetently administered source host that could be used by an attacker. They also waste bandwidth.
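As an added illustration (not Code Blue's own code), the following Python script parses Common/Combined Log Format lines and flags the three kinds of entry described above: known scanner signatures, worm requests such as Code Red and Nimda, and overlong request parameters. The signature table and the sample log lines are constructed for the example; the product's actual database is not shown here.

```python
import re
from collections import Counter, defaultdict
# Combined Log Format; the referer/agent pair is optional, so Common Log Format parses too.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# Hypothetical signature table standing in for the product's scanning-entry database.
SIGNATURES = {
    "worm:code-red": re.compile(r"/default\.ida\?", re.I),
    "worm:nimda": re.compile(r"/(scripts|msadc|_vti_bin)/.*?(root|cmd)\.exe", re.I),
    "scanner": re.compile(r"nikto|whisker", re.I),
}
MAX_PARAM_LEN = 256  # user-settable threshold for "overflow"-style parameters

def classify(line):
    """Return (host, sorted findings) for one log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    req, agent = m.group("request"), m.group("agent") or ""
    findings = {name for name, pat in SIGNATURES.items()
                if pat.search(req) or pat.search(agent)}
    parts = req.split()                      # "GET /path?query HTTP/1.0"
    target = parts[1] if len(parts) > 1 else req
    query = target.partition("?")[2]
    if any(len(p.partition("=")[2]) > MAX_PARAM_LEN for p in query.split("&") if p):
        findings.add("overflow:long-parameter")
    return m.group("host"), sorted(findings)

def report(lines):
    """Map each finding to the source IP addresses that produced it, with hit counts."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = classify(line)
        if parsed:
            host, findings = parsed
            for f in findings:
                hits[f][host] += 1
    return {f: dict(c) for f, c in hits.items()}

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [19/Jul/2001:10:00:00 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 - "-" "-"',
    '192.0.2.11 - - [18/Sep/2001:10:00:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '192.0.2.12 - - [18/Sep/2001:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"',
    '192.0.2.13 - - [18/Sep/2001:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 - "-" "Nikto/1.0"',
    '192.0.2.14 - - [18/Sep/2001:10:00:04 +0000] "GET /search?q=' + "A" * 300 + ' HTTP/1.1" 200 50 "-" "curl/7.0"',
]
```

Running `report(SAMPLE)` groups the hits by finding type and source address, which is the "perpetrator" view the report described above is built around.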
Fully customized settings
Settings are designed to be easy to use with minimal chance of misconfiguration. Most program parameters can be altered to suit the user.
Fully customized report
Reports are currently generated in HTML format and can potentially be produced in other output formats. Colour settings and specific content filtering can be applied to highlight the most vital vulnerabilities as required by the user.
Static analysis is performed on a saved log file produced by the web server. Dynamic analysis is done on a live log file, and the report is generated as requests come in, so that the system administrator can apply security measures instantly.
Fast and efficient
Various optimization algorithms and data structures have been used to analyze and process data. For example, an Apache log file with 75,000 entries was processed in seven seconds.
The program can also identify a machine's operating system and the web server it is running, given a host name as input (e.g. www.commbank.com.au).
Intuitive user interface
Fully compatible with all existing operating systems
Written in Java, the program has been successfully tested under Mac OS X, Windows, Linux and Solaris.