How to install and run Apache Real Time Logs Analyzer System (ARTLAS)

What is ARTLAS

ARTLAS is a real-time Apache log analyzer based on the OWASP Top 10 vulnerabilities. It identifies exploitation attempts against your web application and notifies you or your incident team via Telegram, Zabbix and Syslog/SIEM.

ARTLAS uses the regular expressions from the PHP-IDS project to identify the exploitation attempts.

Supported Output

  • Zabbix Version 2.4 and 3.0
  • SySlog
  • SIEM
  • Telegram

Supported web servers

  • Apache
  • Apache vHost
  • Nginx
  • Nginx vHost

ARTLAS options

All your configurations will be made in etc/artlas.conf file.

TELEGRAM INTEGRATION

[Telegram]

api = Your Token API

group_id = Group/User ID that will receive the notifications

enable = True to send notifications or False to not send.

ZABBIX CONFIGURATION

[Zabbix]

server_name = hostname of the server in zabbix

agentd_config = Zabbix agent configuration file

enable_advantage_keys = True or False to use advanced triggers

notifications = true to enable or false to disable triggers notifications

enable = true to enable or false to disable

SYSLOG/SIEM CONFIGURATION

[CEF_Syslog]

server_name = IP or Hostname SySlog/SIEM server

enable = True or False to enable

GENERAL CONFIGURATION

[General]

apache_log = Full path apache access.log

apache_mask = Mask to identify the fields in the apache access log

vhost_enable = True to enable or False to disable vhosts

rules = etc/default_filter.json It's the file that contains the OWASP filter [Do not Change]

ARTLAS installation

How to install ARTLAS on Kali Linux

git clone https://github.com/mthbernardes/ARTLAS
cd ARTLAS/
sudo pip2 install -r requirements.txt

You must edit the artlas.py file. To do this, open it:

gedit artlas.py

Find the string there

http://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.json

and replace it with:

https://raw.githubusercontent.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.json

save and close the file.

How to install ARTLAS on BlackArch

The program is preinstalled in BlackArch.

sudo pacman -S artlas

You must edit the artlas.py file. To do this, open it:

sudo gedit /usr/share/artlas/artlas.py

Find the string there

http://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.json

and replace it with:

https://raw.githubusercontent.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.json

save and close the file.

The configuration file is located on the path /usr/share/artlas/etc/artlas.conf.

The default web server access log in Arch Linux and BlackArch is located at /var/log/httpd/access_log (set apache_log in the configuration file to the correct value).

The program is launched as follows:

sudo artlas

ARTLAS launch examples

Python 2 and superuser privileges are required to run it:

sudo python2 artlas.py

Example output when the program starts successfully:

[*] Getting config...
[+] Done!
 
[+] Syslog Enabled
 
[*] Getting rules...
[+] Done!
 
[*] A.R.T.L.A.S Started!

Start the web server (if it is not already running):

sudo systemctl start apache2.service

and try in a web browser to open URL addresses of the form:

An example of output when detecting attacks, scans, penetration of a web server and post-exploitation of vulnerable websites:

[+] - Intrusion Attempt - [+]
    Date: Aug 19 2019 14:09:16
    Vhost: None
    IP: ::1
    Path: /?mial=/etc/passwd
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Browser: Firefox 60
    S.O: Linux
    Description: Detects specific directory and path traversal
    Impact: 5
    Category: dt,id,lfi
[+] - Intrusion Attempt - [+]
    Date: Aug 19 2019 14:09:25
    Vhost: None
    IP: ::1
    Path: /?hackware=../../../../
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Browser: Firefox 60
    S.O: Linux
    Description: Detects basic directory traversal
    Impact: 5
    Category: dt,id,lfi
[+] - Intrusion Attempt - [+]
    Date: Aug 19 2019 14:09:33
    Vhost: None
    IP: ::1
    Path: /?miloserdov.org=\\u0000
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Browser: Firefox 60
    S.O: Linux
    Description: Detects the IE octal, hex and unicode entities
    Impact: 2
    Category: xss,csrf
[+] - Intrusion Attempt - [+]
    Date: Aug 19 2019 14:09:40
    Vhost: None
    IP: ::1
    Path: /?hackware.ru=(union(.*)select(.*)from)
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Browser: Firefox 60
    S.O: Linux
    Description: Detects JavaScript location/document property access and window access obfuscation
    Impact: 5
    Category: xss,csrf
[+] - Intrusion Attempt - [+]
    Date: Aug 19 2019 14:09:51
    Vhost: None
    IP: ::1
    Path: /?mial=%SYSTEMROOT%
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Browser: Firefox 60
    S.O: Linux
    Description: An attacker is trying to locate a file to read or write.
    Impact: 4
    Category: files,id

Troubleshooting

ValueError: No JSON object could be decoded

ARTLAS needs the default_filter.json file of regular expressions from the PHP-IDS project. The link to this file is hard-coded in the program source, and the file is downloaded on the first start. Unfortunately, the link is now wrong (the site has changed), so instead of the rules file the program downloads a different page.

Therefore, when starting, the following error is displayed:

Traceback (most recent call last):
  File "artlas.py", line 186, in <module>
    artlas = ARTLAS('/usr/share/artlas/etc/artlas.conf')
  File "artlas.py", line 43, in __init__
    self.rules = json.loads(open(self.conf['rules']).read())
  File "/usr/lib/python2.7/json/__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

You must edit the artlas.py file. To do this, open it:

gedit artlas.py

Find the string there

http://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.json

and replace it with:

https://raw.githubusercontent.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.json

save and close the file.

The invalid file has already been downloaded and must be deleted. It is located in the program folder at etc/default_filter.json.

To delete this file in Arch Linux/BlackArch, run:

sudo rm /usr/share/artlas/etc/default_filter.json
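The two things the page describes, the rule-based scan behind the "Intrusion Attempt" alerts shown earlier and the check that would have rejected the bogus default_filter.json before json.loads failed, as one added Python 3 example (not ARTLAS's own code). The rules layout follows PHP-IDS default_filter.json as I know it (a "filters" -> "filter" list), but the regexes, the access_log lines and the combined-format mask are constructed for illustration.

```python
import json
import re
from urllib.parse import unquote

# Constructed rules in the layout of PHP-IDS default_filter.json (assumption: a
# "filters" -> "filter" list of rule/description/tags/impact entries); the
# regexes are simplified stand-ins, not the project's real filters.
RULES_JSON = r'''{"filters": {"filter": [
 {"id": "1", "rule": "(?:\\.\\.\\/)", "description": "Detects basic directory traversal",
  "tags": {"tag": ["dt", "id", "lfi"]}, "impact": "5"},
 {"id": "2", "rule": "(?:\\/etc\\/passwd)", "description": "Detects specific directory and path traversal",
  "tags": {"tag": ["dt", "id", "lfi"]}, "impact": "5"}]}}'''

# Apache combined log format; plays the role of apache_mask in artlas.conf.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) \S+" (?P<status>\d+) \S+ "[^"]*" "(?P<agent>[^"]*)"')

# Constructed access_log lines, including one that is not in combined format.
ACCESS_LOG = [
    '::1 - - [19/Aug/2019:14:09:16 +0300] "GET /?mial=/etc/passwd HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '::1 - - [19/Aug/2019:14:09:25 +0300] "GET /?hackware=../../../../ HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [19/Aug/2019:14:10:00 +0300] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.64.0"',
    '<html><body>Not Found</body></html>',
]

def load_rules(text):
    """Compile a PHP-IDS style rules document; an HTML page saved in its place
    (the broken-URL case in Troubleshooting) is rejected with a clear message."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        raise ValueError("rules file is not JSON; was an HTML page downloaded? (%s)" % exc)
    filters = doc.get("filters", {}).get("filter") if isinstance(doc, dict) else None
    if not isinstance(filters, list):
        raise ValueError("rules file has no filters/filter list")
    return [(re.compile(f["rule"]), f["description"], int(f["impact"]), f["tags"]["tag"])
            for f in filters]

def scan_line(line, rules):
    """Return one record per matching rule, shaped like the ARTLAS alert above."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: skip it rather than crash the analyzer
    path = unquote(m.group("path"))  # rules run against the decoded request path
    return [{"ip": m.group("ip"), "path": path, "description": desc,
             "impact": impact, "category": ",".join(tags)}
            for regex, desc, impact, tags in rules if regex.search(path)]

def scan_log(lines, rules):
    return [hit for line in lines for hit in scan_line(line, rules)]
```

Running scan_log(ACCESS_LOG, load_rules(RULES_JSON)) yields two alerts for the first two lines and none for the others; load_rules(ACCESS_LOG[3]) raises the descriptive ValueError instead of the bare "No JSON object could be decoded".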

IOError: [Errno 13] Permission denied: 'etc/default_filter.json'

At startup, you may encounter an error:

[*] Getting rules...
Traceback (most recent call last):
  File "artlas.py", line 186, in <module>
    artlas = ARTLAS('/usr/share/artlas/etc/artlas.conf')
  File "artlas.py", line 40, in __init__
    self.get_file_rules()
  File "artlas.py", line 82, in get_file_rules
    with open('etc/default_filter.json','w') as file_rules:
IOError: [Errno 13] Permission denied: 'etc/default_filter.json'

This means the program does not have enough permissions to save the default_filter.json file. Run it with sudo:

sudo artlas

requests.exceptions.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:727)

In Kali Linux, the following error occurs at startup:

Traceback (most recent call last):
  File "artlas.py", line 186, in <module>
    artlas = ARTLAS('etc/artlas.conf')
  File "artlas.py", line 40, in __init__
    self.get_file_rules()
  File "artlas.py", line 81, in get_file_rules
    r = requests.get('http://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.json')
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 71, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 57, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 606, in send
    history = [resp for resp in gen] if allow_redirects else []
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 179, in resolve_redirects
    **adapter_kwargs
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:727)

You must edit the artlas.py file. To do this, open it:

gedit artlas.py

Find the string there

http://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.json

and replace it with:

https://raw.githubusercontent.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.json

save and close the file.
