jensvoid / lorg

Apache Logfile Security Analyzer

License: GNU General Public License v2.0

PHP 27.34% CSS 0.91% JavaScript 5.56% C 0.64% HTML 65.54%

lorg's People

Contributors

dploeger, jensvoid, theodorosploumis


lorg's Issues

Fatal error: Allowed memory size of 134217728 bytes exhausted

I had this error running lorg (LORG v0.41 | Sat Jun 15 20:20:22 CEST 2013):

./lorg -d phpids -u -g ~/ssl_access.log

[>] Creating summary for 'ssl_access.log'

Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 76 bytes) in /usr/home/emi/lorg/lorg on line 1417

Lots of refs in the code to http://simile.mit.edu

There are a lot of calls to http://simile.mit.edu in the code, and that site is down.

It would be nice if there were NO external calls, so one could host it without any other access to the internet than DNS.

[attached screenshots: lorg-error, lorg-error-2]

I am still working on figuring out if I can change the code myself to avoid the errors :)

Regards Keld Norman

Unable to install this properly. I feel like we need a better install guide.

I really like the idea and some of the features it has to offer. Thrilled to get this up and running, I quickly found myself disappointed due to the lack of proper documentation.

I installed this on SIFT, which is Ubuntu based. I had to install php5, php-cli and some other packages to get the tool to display its help menu.

I am trying to scan the apache logs but it errors out:

PHP Fatal error: Class 'IDS_Monitor' not found in /home/sansforensics/Desktop/lorg-master/lorg on line 2037

I read the instructions but I am not sure if I followed them properly. It said in step 1 to get "PHPIDS from http://phpids.org, gunzip and untar, then move IDS/ into the following directory..."

First of all, that link to PHPIDS is broken. Second, there are already some files in the './phpids/' directory. I am assuming PHPIDS came installed.

Finally, I tried to download and install PHPIDS but found out that the naming convention used in the instructions does not match the downloaded package. The instructions direct the user to copy 'IDS/' into the './phpids/' directory. But the downloaded package for PHPIDS does not have an 'IDS/' directory.

Can someone please help me get this project running?

Thank you

walter

Hallo,

I'm testing lorg on Ubuntu 16.04 (php5.6 and php7 both installed and tested).
So far most things are working. Thank you :):)

.. but one problem with -o json: everything seems to be processed ...
....
[>] Processing 210679 lines of input file 'test_access.log' [100%]
[>] Creating summary for 'test_access.log'

Found 496 incidents (2545 tags) from 9 clients
| sqli:         248 | id:           496 | lfi:          483 | 
| xss:          433 | csrf:         404 | rfe:          298 | 
| dt:           182 | dos:            1 | 

[>] Check out 'report_09-May-2017-131513.json' for a complete report

but json file seems to be empty:
more 09-May-2017-131513.json only shows
{ items: [
] }

Any idea?

Regards,
Walter

Netstat filling up with TIME_WAIT

I am getting a lot of these when i run Lorg

netstat -an
tcp 0 0 10.0.200.21:50796 149.210.220.191:53 TIME_WAIT
tcp 0 0 10.0.200.21:15131 149.210.220.209:53 TIME_WAIT
tcp 0 0 10.0.200.21:61494 149.210.220.191:53 TIME_WAIT
tcp 0 0 10.0.200.21:33973 149.210.220.191:53 TIME_WAIT
tcp 0 0 10.0.200.21:53600 149.210.220.209:53 TIME_WAIT
tcp 0 0 10.0.200.21:56394 149.210.220.191:53 TIME_WAIT

It looks like it is related to a site that is not there anymore: "ns1.darkness-reigns.net"

Do you have any idea where Lorg gets that DNS server from? Or if it is related to running LORG at all?

Is there any installation guide?

I want to run this tool.
I have created a clone and also created a log file in the same lorg directory
./lorg -d phpids -u -g /path/to/access_log
{AttackerIP} - GET / HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Connection: keep-alive Host: {Our IP} User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
this is one log sample I have made from my data.
Kindly help me out.

Problems with allowed input formats

Hi @jensvoid,
I have an access log with these fields:
date time c-ip cs-username s-ip s-sitename cs-method cs-uri cs-uri-stem c-version sc-status sc(Content-Length) sc-bytes cs-bytes time-taken cs(User-Agent) cs(Cookie) cs(Referer) sc(CACHE_STATUS) sc(BALANCER_WORKER_IP) cs(X-Forwarded-For) x-origin-ip rs-bytes.
I insert an allowed input format in the lorg file:
`'namext' => '%{%Y-%m-%d %H:%M:%S}t %h %<u %A %v %m %U "%r" %>s %O %I %O %T "%{User-agent}i" "%{Cookie}i" "%{Referer}i" "%a" "%{x-forward-for}i" "%{BALANCER_WORKER_IP}e" %I'`
When I create the HTML output file, I notice that the time is assigned to the client IP. So %{%Y-%m-%d %H:%M:%S}t is considered a single field and it doesn't separate the 'date' and the 'time' fields.
What can I do?
Thanks!
Valentina
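An added example of the parsing problem described in this report (not lorg's code and not the reporter's): a Python translation of an Apache LogFormat string into a regex in which a `%{...}t` directive is expanded from its strftime pattern, so the space inside `%{%Y-%m-%d %H:%M:%S}t` stays part of one timestamp field instead of shifting every later field by one. The directive and strftime subsets, the field-naming rule, and the sample log line are assumptions constructed for the example.

```python
import re

# Constructed sample in the reporter's field order (not a real server log).
SAMPLE_FORMAT = ('%{%Y-%m-%d %H:%M:%S}t %h %<u %A %v %m %U "%r" %>s %O %I %O %T '
                 '"%{User-agent}i" "%{Cookie}i" "%{Referer}i" "%a" '
                 '"%{x-forward-for}i" "%{BALANCER_WORKER_IP}e" %I')
SAMPLE_LINE = ('2017-05-09 13:15:13 203.0.113.5 - 10.0.0.7 www.example.test GET /index.php '
               '"GET /index.php?id=1 HTTP/1.1" 200 512 230 512 0 "Mozilla/5.0" "-" "-" '
               '"203.0.113.5" "-" "10.0.0.9" 230')

# Assumed subset of strftime conversions, mapped to the shape of the text they produce.
STRFTIME_RE = {'Y': r'\d{4}', 'y': r'\d{2}', 'm': r'\d{2}', 'd': r'\d{2}',
               'H': r'\d{2}', 'M': r'\d{2}', 'S': r'\d{2}', 'z': r'[+-]\d{4}'}

# One Apache LogFormat directive: %h, %>s, %<u, %{User-agent}i, %{...}t, %% ...
DIRECTIVE = re.compile(r'%(?P<mod>[<>])?(?:\{(?P<arg>[^}]*)\})?(?P<spec>[A-Za-z%])')


def strftime_to_regex(fmt):
    """Turn a strftime pattern into a regex matching exactly that layout,
    spaces and punctuation included, so a %{...}t field never splits."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == '%' and i + 1 < len(fmt):
            out.append(STRFTIME_RE.get(fmt[i + 1], r'\S+'))  # unknown spec: one token
            i += 2
        else:
            out.append(re.escape(fmt[i]))
            i += 1
    return ''.join(out)


def logformat_to_regex(fmt, strftime_aware=True):
    """Compile a LogFormat string to an anchored regex with one named group per
    directive.  With strftime_aware=False every unquoted field is a bare
    non-space token, which is the behaviour the report describes."""
    parts, seen, pos = [], {}, 0
    for m in DIRECTIVE.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))   # literal text between fields
        pos = m.end()
        spec, arg = m.group('spec'), m.group('arg')
        if spec == '%':                               # %% is a literal percent sign
            parts.append('%')
            continue
        quoted = m.start() > 0 and fmt[m.start() - 1] == '"'
        if spec == 't' and arg and strftime_aware:
            value = strftime_to_regex(arg)            # may legitimately contain spaces
        elif quoted:
            value = '[^"]*'                           # quoted fields may contain spaces
        else:
            value = r'\S+'
        # Header-style directives are named after their argument, others after the letter
        # (assumed naming rule); repeated directives such as %O and %I get a suffix.
        base = re.sub(r'\W', '_', arg if (arg and spec in 'ieonC') else spec)
        seen[base] = seen.get(base, 0) + 1
        name = base if seen[base] == 1 else f'{base}_{seen[base]}'
        parts.append(f'(?P<{name}>{value})')
    parts.append(re.escape(fmt[pos:]))
    return re.compile('^' + ''.join(parts) + '$')


def parse_line(fmt, line, strftime_aware=True):
    """Return a dict of field name -> value, or None when the line does not fit."""
    m = logformat_to_regex(fmt, strftime_aware).match(line)
    return m.groupdict() if m else None


if __name__ == '__main__':
    for key, val in parse_line(SAMPLE_FORMAT, SAMPLE_LINE).items():
        print(f'{key:20} {val}')
    # The naive variant cannot fit the line at all, because the split timestamp
    # leaves one token too many before the first quoted field.
    print('naive parse:', parse_line(SAMPLE_FORMAT, SAMPLE_LINE, strftime_aware=False))
```

Run as a script to see each field next to its name. The design point is that a field's regex must be derived from what the directive can produce, not from the assumption that fields never contain whitespace; the same reasoning applies to `"%r"` and other quoted fields, which here get `[^"]*` because their position in the format says they are quoted.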

Is PHPIDS (or other data) outdated?

Is any of the data being used for log-forensics outdated here?

I am testing a log-file from a common CMS using the -d phpids option and it doesn't output much. Further inspection of the ./phpids folder shows that it was last updated 4 years ago.
