dissect.target.plugins.apps.webserver.apache

Module Contents

Classes

LogFormat

ApachePlugin

Apache log parsing plugin.

Functions

apache_response_time_to_ms

Convert a string containing amount and measurement (e.g. '10000 microsecs') to milliseconds.

Attributes

class dissect.target.plugins.apps.webserver.apache.LogFormat

Bases: NamedTuple

name: str
pattern: re.Pattern
dissect.target.plugins.apps.webserver.apache.RE_CONFIG_CUSTOM_LOG_DIRECTIVE
dissect.target.plugins.apps.webserver.apache.RE_CONFIG_ERRORLOG_DIRECTIVE
dissect.target.plugins.apps.webserver.apache.RE_REMOTE_PATTERN =
"""
    (?P<remote_ip>.*?)                  # Client IP address of the request.
    \s
    (?P<remote_logname>.*?)             # Remote logname (from identd, if supplied).
    \s
    (?P<remote_user>.*?)                # Remote user if the request was authenticated.
"""
dissect.target.plugins.apps.webserver.apache.RE_REFERER_USER_AGENT_PATTERN =
"""
    "(?P<referer>.*?)"                  # Value of the 'Referer' HTTP Header.
    \s
    "(?P<useragent>.*?)"                # Value of the 'User-Agent' HTTP Header.
"""
dissect.target.plugins.apps.webserver.apache.RE_RESPONSE_TIME_PATTERN =
"""
(
    "
    Time:\s
    (?P<response_time>.*?)              # Time taken to serve the response, including a unit of measurement.
    "
)
"""
dissect.target.plugins.apps.webserver.apache.RE_ACCESS_COMMON_PATTERN =
"""
    \[(?P<ts>[^\]]*)\]                  # Timestamp including milliseconds.
    \s
    (\[(?P<pid>[0-9]+)\]\s)?            # The process ID of the child that serviced the request (optional).
    "
    (?P<method>.*?)                     # The HTTP Method used for the request.
    \s
    (?P<uri>.*?)                        # The HTTP URI of the request.
    \s
    ?(?P<protocol>HTTP\/.*?)?           # The request protocol.
    "
    \s
    (?P<status_code>\d{3})              # The HTTP Status Code of the response.
    \s
    (?P<bytes_sent>-|\d+)               # Bytes sent, including headers.
"""
dissect.target.plugins.apps.webserver.apache.RE_ERROR_COMMON_PATTERN =
"""
    \[
        (?P<ts>[^\]]*)                  # Timestamp including milliseconds.
    \]
    \s
    \[
        (?P<module>[^:]*)               # Name of the module logging the message.
        \:
        (?P<level>[^]]*)                # Loglevel of the message.
    \]
    \s
    \[
        pid\s(?P<pid>\d*)               # Process ID of current process.
        (\:tid\s(?P<tid>\d*))?          # Thread ID of current thread (optional).
    \]
    \s
    ((?P<error_source>[^\:]*)\:\s)?     # Source file name and line number of the log call (optional).
    (
        \[
            client\s(?P<client>[^]]+)   # Client IP address and port of the request (optional).
        \]\s
    )?
    ((?P<error_code>\w+)\:\s)?          # APR/OS error status code and string (optional).
    (?P<message>.*)                     # The actual log message.
"""
dissect.target.plugins.apps.webserver.apache.LOG_FORMAT_ACCESS_COMMON
dissect.target.plugins.apps.webserver.apache.LOG_FORMAT_ACCESS_VHOST_COMBINED
dissect.target.plugins.apps.webserver.apache.LOG_FORMAT_ACCESS_COMBINED
dissect.target.plugins.apps.webserver.apache.LOG_FORMAT_ERROR_COMMON
dissect.target.plugins.apps.webserver.apache.apache_response_time_to_ms(time_str: str) → int

Convert a string containing amount and measurement (e.g. '10000 microsecs') to milliseconds.

class dissect.target.plugins.apps.webserver.apache.ApachePlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugins.apps.webserver.webserver.WebserverPlugin

Apache log parsing plugin.

Apache has three default access log formats, all of which this plugin parses automatically. These are:

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common

For the definitions of each format string, see https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats

By default, Apache error logs use the following format:

ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"

__namespace__ = 'apache'
DEFAULT_LOG_DIRS = ['/var/log/apache2', '/var/log/apache', '/var/log/httpd', '/var/log',...
ACCESS_LOG_NAMES = ['access.log', 'access_log', 'httpd-access.log']
ERROR_LOG_NAMES = ['error.log']
DEFAULT_CONFIG_PATHS = ['/etc/apache2/apache2.conf', '/usr/local/etc/apache22/httpd.conf',...
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

get_log_paths() → tuple[list[pathlib.Path], list[pathlib.Path]]

Discover any present Apache log paths on the target system.

access() → Iterator[dissect.target.plugins.apps.webserver.webserver.WebserverAccessLogRecord]

Return contents of Apache access log files in unified WebserverAccessLogRecord format.

error() → Iterator[dissect.target.plugins.apps.webserver.webserver.WebserverErrorLogRecord]

Return contents of Apache error log files in unified WebserverErrorLogRecord format.

static infer_access_log_format(line: str) → LogFormat | None

Attempt to infer what standard LogFormat is used. Returns None if no known format can be inferred.

Example lines for the three default Apache access log formats (note that the IPv4 address could also be an IPv6 address):

Combined:

1.2.3.4 - - [19/Dec/2022:17:25:12 +0100] "GET / HTTP/1.1" 304 247 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64); AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"

Common:

1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] "GET / HTTP/1.1" 200 312

vhost_combined:

example.com:80 1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] "GET / HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64); AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
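The format inference described above, shown as an added example that is not the plugin's own code: the RE_* fragments are condensed from the attribute values on this page, while the %v:%p prefix regex and the way the fragments are composed into the three formats are assumptions of this example. Trying the most specific format first with fullmatch is what keeps a combined line from being misclassified as common.

```python
from __future__ import annotations
import re
# Regex fragments condensed from the page's RE_* attributes (re.VERBOSE syntax).
RE_REMOTE_PATTERN = r"""
    (?P<remote_ip>.*?) \s (?P<remote_logname>.*?) \s (?P<remote_user>.*?)   # %h %l %u
"""
RE_ACCESS_COMMON_PATTERN = r"""
    \[(?P<ts>[^\]]*)\]          # %t timestamp.
    \s
    (\[(?P<pid>[0-9]+)\]\s)?    # Child PID (optional).
    "
    (?P<method>.*?)             # HTTP method.
    \s
    (?P<uri>.*?)                # Request URI.
    \s
    ?(?P<protocol>HTTP\/.*?)?   # Protocol (optional); verbose mode also makes the \s above optional.
    "
    \s
    (?P<status_code>\d{3})      # %>s status code.
    \s
    (?P<bytes_sent>-|\d+)       # %O bytes sent, including headers.
"""
RE_REFERER_USER_AGENT_PATTERN = r"""
    "(?P<referer>.*?)" \s "(?P<useragent>.*?)"   # %{Referer}i and %{User-Agent}i
"""
# Assumed composition into the three default formats; the %v:%p prefix regex is an
# assumption of this example and is not copied from the page.
RE_VHOST_PATTERN = r"(?P<vhost>[^:\s]+):(?P<port>\d+)\s"
_COMMON = RE_REMOTE_PATTERN + r"\s" + RE_ACCESS_COMMON_PATTERN
ACCESS_LOG_FORMATS = {  # most specific first, so inference tries them in this order
    "vhost_combined": RE_VHOST_PATTERN + _COMMON + r"\s" + RE_REFERER_USER_AGENT_PATTERN,
    "combined": _COMMON + r"\s" + RE_REFERER_USER_AGENT_PATTERN,
    "common": _COMMON,
}
COMPILED = {name: re.compile(p, re.VERBOSE) for name, p in ACCESS_LOG_FORMATS.items()}

def infer_access_log_format(line: str) -> str | None:
    """Return the first default format that fully matches the line, else None."""
    return next((n for n, rx in COMPILED.items() if rx.fullmatch(line)), None)

def parse_access_line(line: str) -> dict[str, str | None] | None:
    name = infer_access_log_format(line)
    return COMPILED[name].fullmatch(line).groupdict() if name else None
# Constructed sample lines: the page's three examples on one line each, user agents shortened.
SAMPLES = {
    "common": '1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] "GET / HTTP/1.1" 200 312',
    "combined": '1.2.3.4 - - [19/Dec/2022:17:25:12 +0100] "GET / HTTP/1.1" 304 247 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    "vhost_combined": 'example.com:80 1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] "GET / HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
}
```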