dissect.target.plugins.apps.webservers.apache

Module Contents

Classes

LogFormat	Generic enumeration.
ApachePlugin	Apache log parsing plugin.

Functions

infer_log_format

Attempt to infer what standard LogFormat is used. Returns None if no known format can be inferred.

Attributes

COMMON_REGEX
REFERER_USER_AGENT_REGEX

dissect.target.plugins.apps.webservers.apache.COMMON_REGEX = '(?P<remote_ip>.*?) (?P<remote_logname>.*?) (?P<remote_user>.*?) \\[(?P<ts>.*)\\] "(?P<method>.*?)...'

dissect.target.plugins.apps.webservers.apache.REFERER_USER_AGENT_REGEX = '"(?P<referer>.*?)" "(?P<useragent>.*?)"'

class dissect.target.plugins.apps.webservers.apache.LogFormat

Bases: enum.Enum

Generic enumeration.

Derive from this class to define new enumerations.

VHOST_COMBINED

COMBINED

COMMON

dissect.target.plugins.apps.webservers.apache.infer_log_format(line: str) → LogFormat | None

Attempt to infer what standard LogFormat is used. Returns None if no known format can be inferred.

Three default log type examples from Apache (note that the ipv4 could also be ipv6)::

combined = ‘1.2.3.4 - - [19/Dec/2022:17:25:12 +0100] “GET / HTTP/1.1” 304 247 “-” “Mozilla/5.0

(Windows NT 10.0; Win64; x64); AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36”’

common = ‘1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] “GET / HTTP/1.1” 200 312’ vhost_combined = ‘example.com:80 1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] “GET / HTTP/1.1” 200 312 “-”

“Mozilla/5.0 (Windows NT 10.0; Win64; x64); AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36”’

class dissect.target.plugins.apps.webservers.apache.ApachePlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Apache log parsing plugin.

Apache has three default log formats, which this plugin can all parse automatically. These are::

LogFormat “%v:%p %h %l %u %t “%r” %>s %O “%{Referer}i” “%{User-Agent}i”” vhost_combined LogFormat “%h %l %u %t “%r” %>s %O “%{Referer}i” “%{User-Agent}i”” combined LogFormat “%h %l %u %t “%r” %>s %O” common

For the definitions of each format string, see https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats

__namespace__ = 'apache'

check_compatible() → bool

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

get_log_paths() → list[pathlib.Path]

Discover any present Apache log paths on the target system.

References

• https://www.cyberciti.biz/faq/apache-logs/

• https://unix.stackexchange.com/a/269090

access() → Iterator[dissect.target.plugins.apps.webservers.webservers.WebserverAccessLogRecord]

Return contents of Apache access log files in unified WebserverAccessLogRecord format.