About
We feel that Code Blue can be useful for monitoring web server activity. Unlike programs such as analog, which report on usage patterns, Code Blue takes a different approach by "looking" at web logs from the security perspective. Web servers face many threats and vulnerabilities, including worms, SQL injection, buffer overflow requests, bad robots and others. The program provides detailed analysis of web server logs either statically (a saved file) or dynamically (live data) and produces a report listing the possible threats/exploits together with the means of identifying the perpetrator (the client IP address).
Status
The program is currently in beta status.
Usage
Both source code and binaries are available for download.
To run the program, unzip the source code and compile it using the command javac *.java, then run the command java CodeBlueApp to launch the program.
Future
There are a number of features we'd like to implement, including internationalization, proactive IP blocking, enhanced reporting/customization, support for other log formats and others.
The future of Code Blue ultimately depends on the feedback we get. Any suggestions, bug reports, feature requests and so on are more than welcome. Feel free to write to us at any time, and also let us know if you want to participate in the project.
Acknowledgements
We'd like to thank Damian Kelly for inspiration and support.
Features
- Fully compatible with all major log file formats (e.g. IIS, Apache)
Processes all known formats, including IIS as well as the Common Log Format and Combined Log Format (Apache, iPlanet etc.)
- Web server vulnerability database
There are a number of tools for identifying possible exploits on a web server (e.g. Whisker, Nikto). These exploits range from misconfigured server and/or program settings to vulnerabilities in server-side programs including Perl/CGI, ASP, JSP etc. Our product has a database of known scanning entries and alerts the user when vulnerability tools are used against the server.
- Manual scan
Expert attackers prefer to use custom requests, crafted around factors such as the server configuration, to pinpoint specific vulnerabilities. An example of such an attack is an overflow, in which security is compromised by overloading certain parameters in the request. Our program intelligently identifies those entries according to the user settings.
- Variety of exploit types
The program identifies malicious entries left by worms such as Code Red and Nimda. Even if the web server is properly patched and/or not affected, such entries are a sign of an incompetent system administrator on the sending side and mean that the server sending the requests could be used by an attacker. These requests also waste bandwidth.
- Fully customized settings
Settings have been constructed to be easy to use with minimal chance of misconfiguration. Most program parameters can be altered to suit the user.
- Fully customized report
The report is currently generated in HTML format and can potentially be produced in other output formats. Colour settings and specific content filtering can be applied to pinpoint the most vital vulnerabilities as required by the user.
- Dynamic/static analysis
Static analysis is performed on a saved log file produced by the web server. Dynamic analysis is done on a live log file, and the report is generated as requests come in so that the system administrator has the ability to apply security measures instantly.
- Fast and efficient
Various optimization algorithms and data structures have been used to analyze and process data. For example, an Apache log file with 75,000 entries was processed in seven seconds.
- Host identification
The program has the capability to identify the operating system and the web server running on a host based on the input (e.g. www.commbank.com.au).
- Intuitive user interface
- Fully compatible with all existing operating systems
Written in Java, the program has been successfully tested under Windows, Linux, Solaris and Mac OS X.
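As an added example, not part of the Code Blue project or its code, the following Python sketch shows the kind of analysis described under the vulnerability database, manual scan and worm features above: it parses Common/Combined Log Format lines, matches request paths against a small signature database of worm and scanner entries, applies a parameter-length heuristic for overflow-style requests, and groups the findings by client IP. The signature patterns, the scanner User-Agent list, the length threshold and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Apache Combined Log Format; the referer/user-agent pair is optional so plain CLF also parses.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# Constructed signature database: (label, pattern over the request path).
SIGNATURES = [
    ("worm:CodeRed", re.compile(r"/default\.ida\?[NX]{20,}", re.I)),
    ("worm:Nimda", re.compile(r"(root\.exe|cmd\.exe)\?/c\+", re.I)),
]
# Scanner User-Agent strings (Nikto's default identifies itself); assumed list.
SCANNER_AGENTS = re.compile(r"nikto|whisker", re.I)
# Manual-scan heuristic: a query parameter longer than this is a possible overflow (assumed default).
MAX_PARAM_LEN = 256

def classify(entry):
    """Return the list of finding labels for one parsed log entry."""
    findings = [label for label, rx in SIGNATURES if rx.search(entry["path"])]
    if entry.get("agent") and SCANNER_AGENTS.search(entry["agent"]):
        findings.append("scanner:user-agent")
    query = entry["path"].partition("?")[2]
    if any(len(p.partition("=")[2]) > MAX_PARAM_LEN for p in query.split("&")):
        findings.append("overflow:long-parameter")
    return findings

def analyze(lines):
    """Group findings by client IP, the identifier the report is built around."""
    report = defaultdict(list)
    for line in lines:
        m = CLF_RE.match(line)
        if not m:          # unparseable line: skip rather than abort the run
            continue
        for label in classify(m.groupdict()):
            report[m["ip"]].append((label, m["path"]))
    return dict(report)

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '10.0.0.5 - - [10/Oct/2003:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.9 - - [10/Oct/2003:13:55:40 +0000] "GET /default.ida?' + "N" * 40 + ' HTTP/1.0" 404 0',
    '10.0.0.9 - - [10/Oct/2003:13:55:41 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0',
    '10.0.0.7 - - [10/Oct/2003:13:56:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 200 12 "-" "Mozilla/5.00 (Nikto/2.1)"',
    '10.0.0.3 - - [10/Oct/2003:13:56:10 +0000] "GET /search?q=' + "A" * 300 + ' HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE).items():
        print(ip, [label for label, _ in hits])
```

A real deployment would read the log file line by line (or tail it for the live mode) and load the signature list from a configurable file rather than hard-coding it.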