Log Sanitization and Analysis Engine written in Perl
Part of the NullSec offensive security toolkit
Discord: discord.gg/killers
Portal: bad-antics.github.io
PerlScrub is a powerful log analysis and sanitization tool that detects sensitive data exposure and attack patterns in log files. Built with Perl's legendary regex capabilities (PCRE), it excels at text processing, pattern matching, and automatic data redaction.
- PCRE Regex: Advanced pattern matching
- Hash Structures: Flexible data organization
- Subroutine Signatures: Modern Perl syntax
- Package System: OOP-style classes
- File Handling: Efficient I/O
- Array/Hash Manipulation: Text processing power
- Regex Operators:
=~,s///,qr//
| Pattern | Risk | CWE | Description |
|---|---|---|---|
| Credit Card | CRITICAL | CWE-312 | Card numbers (Visa/MC/Amex) |
| SSN | CRITICAL | CWE-312 | Social Security Numbers |
| AWS Keys | CRITICAL | CWE-798 | AWS Access Key IDs |
| Private Keys | CRITICAL | CWE-321 | RSA/EC private key headers |
| Passwords | HIGH | CWE-312 | Password assignments |
| API Keys | HIGH | CWE-798 | Generic API key patterns |
| JWT Tokens | HIGH | CWE-798 | JSON Web Tokens |
| Bearer Tokens | HIGH | CWE-798 | OAuth bearer tokens |
| Database URLs | HIGH | CWE-798 | Connection strings |
| Email Addresses | MEDIUM | CWE-359 | PII exposure |
| Phone Numbers | MEDIUM | CWE-359 | Contact information |
| IP Addresses | LOW | CWE-359 | Network identifiers |
| Pattern | Risk | MITRE | Description |
|---|---|---|---|
| SQL Injection | CRITICAL | T1190 | UNION/OR attacks |
| Command Injection | CRITICAL | T1059 | Shell commands |
| XSS | HIGH | T1189 | Script injection |
| Path Traversal | HIGH | T1083 | Directory escape |
| LDAP Injection | HIGH | T1190 | LDAP filter manipulation |
| Log Injection | MEDIUM | T1070 | CRLF injection |
# Clone
git clone https://github.com/bad-antics/nullsec-perlscrub.git
cd nullsec-perlscrub
# Run (requires Perl 5.20+)
perl perlscrub.pl <logfile># Analyze a log file
perl perlscrub.pl /var/log/app.log
# Run demo mode
perl perlscrub.pl --demo
# Redact sensitive data
perl perlscrub.pl -r input.log > sanitized.log
# Detect attacks only
perl perlscrub.pl -a /var/log/apache/access.logUSAGE:
perlscrub [OPTIONS] <LOGFILE>
OPTIONS:
-h, --help Show help
-r, --redact Redact sensitive data
-a, --attacks Detect attack patterns
-o, --output Output file
╔══════════════════════════════════════════════════════════════════╗
║ NullSec PerlScrub - Log Sanitization Engine ║
╚══════════════════════════════════════════════════════════════════╝
[Demo Mode]
Analyzing log entries for sensitive data and attacks...
[CRITICAL] Credit Card (SENSITIVE)
Line: 2
Content: 2024-01-15 10:24:12 DEBUG Payment processed: CC 4111111...
MITRE: T1552
CWE: CWE-312
[CRITICAL] SQL Injection (ATTACK)
Line: 5
Content: 2024-01-15 10:25:15 INFO Request: GET /search?q=' UNION...
MITRE: T1190
CWE: CWE-89
[HIGH] Password Field (SENSITIVE)
Line: 10
Content: 2024-01-15 10:27:00 DEBUG password=SuperSecret123! in config
MITRE: T1552
CWE: CWE-312
═══════════════════════════════════════════
Summary:
Lines Analyzed: 13
Findings: 15
Sensitive Data: 10
Attack Patterns: 5
Critical: 4
High: 7
Medium: 4
Sample Redacted Output:
2024-01-15 10:23:45 INFO User login: [REDACTED:Email Address] from [REDACTED:IPv4 Address]
2024-01-15 10:24:12 DEBUG Payment processed: CC [REDACTED:Credit Card] exp 12/25
my @SENSITIVE_PATTERNS = (
{
name => "Credit Card",
pattern => qr/\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})\b/,
risk => "critical",
cwe => "CWE-312",
},
{
name => "SQL Injection",
pattern => qr/(?:union\s+select|'\s*or\s*'|drop\s+table)/i,
risk => "critical",
cwe => "CWE-89",
},
);sub analyze_line($line, $line_num) {
my @findings;
for my $pat (@SENSITIVE_PATTERNS) {
if ($line =~ $pat->{pattern}) {
push @findings, Finding->new(
line_number => $line_num,
content => $line,
pattern => $pat->{name},
risk => $pat->{risk},
);
}
}
return @findings;
}sub redact_line($line) {
my $redacted = $line;
for my $pat (@SENSITIVE_PATTERNS) {
$redacted =~ s/$pat->{pattern}/[REDACTED:$pat->{name}]/g;
}
return $redacted;
}┌────────────────────────────────────────────────────────────────┐
│ PerlScrub Architecture │
├────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Log File │───▶│ Parser │───▶│ Line by │ │
│ │ Input │ │ │ │ Line │ │
│ └─────────────┘ └─────────────┘ └──────┬──────┘ │
│ │ │
│ ┌────────────────┬───────────────────────┘ │
│ ▼ ▼ │
│ ┌──────────┐ ┌──────────┐ │
│ │ Sensitive│ │ Attack │ │
│ │ Patterns │ │ Patterns │ │
│ └────┬─────┘ └────┬─────┘ │
│ │ │ │
│ └───────┬───────┘ │
│ ▼ │
│ ┌──────────────────────┐ ┌──────────────────┐ │
│ │ Findings │───▶│ Redact / Report │ │
│ │ Collection │ │ │ │
│ └──────────────────────┘ └──────────────────┘ │
│ │
└────────────────────────────────────────────────────────────────┘
| Requirement | Perl Advantage |
|---|---|
| Text Processing | Native strength |
| Regex Power | PCRE built-in |
| Log Analysis | Designed for it |
| String Manipulation | Unmatched |
| Quick Scripts | Rapid development |
| Unix Integration | Perfect fit |
MIT License - See LICENSE for details.
- nullsec-reporaider - Secret scanner (Clojure)
- nullsec-shelltrace - Shell auditor (Tcl)
- nullsec-luashield - WAF engine (Lua)