ThreatDetector
Modular Apache Log Threat Detection for Vicidial and Linux Web Servers
ThreatDetector is a modular, extensible, Perl-based threat detection framework for parsing Apache logs. It detects web attacks such as SQL Injection, XSS, Command Injection, Directory Traversal, and more. Designed with call center infrastructures and Vicidial clusters in mind, it supports multi-host scanning via SSH and generates rich summary reports.
Features
- Detects and classifies:
- SQL Injection
- Cross-Site Scripting (XSS)
- Command Injection
- Login Brute-Force
- Directory Traversal
- Encoded Payloads
- HTTP Method Abuse
- Suspicious Headers
- Bot Fingerprints
- 400–499 Client Errors
- Smart, pluggable classifier
- Per-host threat summary report
- Multi-host support via SSH (partial WIP under
utils) - Optional verbose colorized CLI output
- Designed to work with Vicidial environments out-of-the-box
Requirements
- Perl 5.10 or later
- These CPAN modules:
cpan install JSON File::Slurp Getopt::Long Term::ANSIColor IPC::System::Simple
#!/usr/bin/perl
use strict;
use warnings;
use ThreatDetector;
my $log_file = '/var/log/apache2/access.log';
my $config_file = '/etc/threatdetector/config.json'; # or wherever you placed it
ThreatDetector::analyze_log($log_file, $config_file);
Project Structure
bin/detect.pl– Main scanner CLI
config/config.json– Log file path, output dir, verbosity
data/ip_cache.sqlite– (Optional future use)
lib/ThreatDetector/– Classifier, dispatcher, handlers, reporterlogs/YYYY-MM-DD_threat_results.log– Output reports
t/*.t– Unit tests
utils/add_shebang.pl– Add missing shebangscheck_deps.pl– Verify/install required modulesfind_used_modules.pl– Extract used modules for PREREQ_PMssh_remote_runner.pl– Remote SSH scanner (NOT COMPLETE)
Makefile.PL– CPAN build scriptMANIFEST– Package contentsREADME.md– This file
Usage
perl bin/detect.pl --logfile /var/log/apache2/access.log
Testing
prove -lv t/