Perl-related stuff and beyond (but not much)


Wednesday, April 22, 2009

Check your log files for intrusions

CGI::IDS is a nice module on CPAN that lets you check for possible intrusion attempts against your web application. But if evil attempts were made before the check was in place, it's time to scan the log files. CGI::IDS is very flexible, so I crafted a simple program to check my log files at work.
Here it is:


#!/usr/bin/perl

# ids_log_check.pl - process Apache access log files and check for possible
# attacks via CGI::IDS
# usage: ids_log_check.pl path_to_the_log_file

# dprelec, 2009-01-14

use strict;
use warnings;

use CGI;
use CGI::IDS;

# minimal impact to report for
my $MIN_IMP = 20;

# skip these requests (static files)
my $RE_IGNORE = qr/GET(?:.*)\.(?:gif|css|png|jpeg|jpg|pdf|html|js|xml)\s/;

my $ids = CGI::IDS->new();
$ids->set_scan_keys(scan_keys => 1);    # scan parameter names as well as values

my $log = shift or die "Specify input log file.\n";
open my $fh, "<", $log or die "Cannot open $log: $!";

while (<$fh>) {
    next if /$RE_IGNORE/;

    # pick the query string out of the request line
    if (/GET\s+(?:[^ ]+)\?([^ ]+)/) {
        my $query  = $1;
        my %params = CGI->new($query)->Vars;    # decoded key => value pairs
        my $imp    = $ids->detect_attacks(request => \%params);

        if ($imp > $MIN_IMP) {
            print $_ . "\nParams: $query\nImpact: $imp\n\n";
        }
    }
}

close $fh;
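The script above pulls the query string out of each GET line with a regex; here is an added example (mine, not from the post or from CGI::IDS) that does the same extraction over Apache "combined" log lines but parses the quoted request field properly, accepts any method, skips static assets by path rather than by the whole line, and returns the decoded parameter hash you would hand to detect_attacks(). The log lines are constructed samples; the impact scoring itself stays with CGI::IDS and is not reproduced here.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format:
#   host ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# same static-asset extensions the Perl script ignores, applied to the path only
STATIC_RE = re.compile(r'\.(?:gif|css|png|jpeg|jpg|pdf|html|js|xml)$', re.I)


def extract_request(line):
    """Return (method, path, params) for a log line carrying a query string, else None.

    params maps each parameter name to a list of percent-decoded values, the same
    information CGI->new($query)->Vars gives the Perl script (which joins
    multi-valued keys with "\\0" instead of keeping a list)."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # not a combined-format access line
    parts = urlsplit(m.group('target'))
    if not parts.query:
        return None                      # nothing for the scanner to look at
    if STATIC_RE.search(parts.path):
        return None                      # static asset, skip like the Perl script
    # keep_blank_values so that "?foo=" is still visible to the scanner
    params = parse_qs(parts.query, keep_blank_values=True)
    return m.group('method'), parts.path, params


def extract_requests(lines):
    """Yield the extracted (method, path, params) triples for a whole log."""
    return [req for req in map(extract_request, lines) if req is not None]


# constructed sample lines, not real traffic
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Apr/2009:10:01:02 +0200] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [22/Apr/2009:10:01:03 +0200] "GET /img/logo.gif?v=3 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [22/Apr/2009:10:02:10 +0200] "POST /login.php?next=%2Fadmin HTTP/1.1" 302 0 "-" "curl/7.19"',
    '10.0.0.7 - - [22/Apr/2009:10:02:11 +0200] "GET /about.php HTTP/1.1" 200 2048 "-" "curl/7.19"',
]

if __name__ == "__main__":
    for method, path, params in extract_requests(SAMPLE_LOG):
        print(method, path, params)      # hand params to your scanner here
```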


Update: Thanks to all for the answers. It's the syntax highlighter that modifies the source code. I'll probably change it. I also ran my code through Perl::Critic, and changed the source code above according to its suggestions and your comments.