Time
2 hours 19 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:00
Hello, everyone, welcome back to the course Identifying Web Attacks Through Logs, Igor Vieira here. In the last video we talked about cross-site request forgery.
00:10
In this video, we will see some other sources of logs.
00:13
Let's start with the learning objectives of this video. The video objectives are:
00:19
learn about other sources of logs that can help in identifying the attacks,
00:24
and some of the network attacks that can affect the web application.
00:29
Here we have some examples of other sources of logs:
00:33
firewall,
00:35
network bandwidth usage,
00:38
CPU and memory usage,
00:41
intrusion prevention systems,
00:43
and web application firewalls.
00:46
Do you remember this picture?
00:48
Here we have the whole infrastructure that can support a web application.
00:54
Remember that all these components can send information,
00:58
in the form of logs or graphs,
01:00
and could help to identify an attack.
01:04
Let's talk about two attacks:
01:07
SYN flood and HTTP flood.
01:11
The first is a network attack, and the second is a web application attack.
01:15
Both types of floods try the same thing:
01:19
consume all the network or the web server resources. If this happens, it can cause a denial of service in the web application.
01:27
The SYN flood can happen because of the TCP three-way handshake.
01:32
The endpoint receives the SYN
01:34
and tries to complete the three-way handshake, but it will never happen,
01:38
so the connection is not established.
01:42
All these connection tries will be in the server or network equipment memory. More requests, more memory consumed,
01:52
so the components get flooded by the connection tries.
01:56
For the HTTP flood, the three-way handshake is completed,
02:00
but the web server will receive a lot of requests.
02:04
Depending on the size of the servers
02:07
and the number of requests,
02:09
the application could be impacted.
02:13
That's why it's important to identify this type of attack.
02:16
Let's analyze now some logs
02:20
and check which logs can identify it in each component.
02:24
Is it similar to the web application logs?
02:28
Here we have an example of a firewall log.
02:30
This is a firewall log.
02:34
A firewall is a component that handles network connections,
02:38
so the log will be a little different from the web server.
02:42
Let's analyze this log together. First, you have a date and time, followed by an IP address. In this case, it is the IP address of the firewall.
02:53
After, you have some numbers and the word TCP. Remember that we have UDP and TCP connections; in this case it is a TCP connection.
03:02
You have another number and another IP address. This IP address is from the source computer, in our case the attacker,
03:12
and the second IP address is the website address.
03:15
The number 80 is the HTTP port.
03:19
It could be 443 for HTTPS. And you have an S.
03:24
This S letter is related to the SYN flag from TCP.
03:30
If you check the other lines, the fields that we talked about will be the same. Depending on the firewall and web server capacity,
03:39
they can handle a lot of connections,
03:43
sometimes thousands of connections in the same second.
03:46
So, depending on the environment,
03:49
the attacker needs to generate
03:51
a lot of connections,
03:53
but the behavior will be the same:
03:55
an uncommon number of connections from the same IP
04:00
only sending the SYN flag.
04:02
Can you think of one of the attacks that we have seen in which
04:08
the behavior is similar to this one?
04:10
One of the attacks is the brute force attack.
04:13
The SYN flood is like a brute force attack,
04:15
but the objective is to make the application unavailable.
04:20
And one more thing. Do you remember our questions: who, what, and when?
04:27
Here are the fields that can help answer these questions:
04:30
date and time,
04:31
IP addresses,
04:33
and what is the connection:
04:36
TCP on port 80 with the SYN flag.
04:40
Now, talking about the web server,
04:43
which logs will be shown on the web server?
04:46
In this case, we won't have any logs from the web server.
04:51
Remember that web server logs start after the TCP three-way handshake,
04:57
and the SYN flood does not establish the connection,
05:00
so no HTTP requests.
05:03
Do you remember that the TCP connection is a job of the operating system,
05:10
and normally the operating system
05:12
has a command to check the connections?
05:15
This command is netstat. It will show the status of the connections. If you check the result of the netstat command during a SYN flood attack, you will see a lot of SYN requests. It will say that it received the SYN,
05:32
like in this picture.
05:34
You can see in this picture that we have the website IP and the TCP port 80,
05:42
and another IP with a lot of different ports.
05:46
This means that the operating system is waiting for the other side to complete the connection.
05:53
Now, let's see the HTTP flood and compare it with the SYN flood attack.
05:58
Again, we have the firewall logs.
06:00
We have the same components:
06:03
date and time, firewall IP, source IP, server IP,
06:10
the port 80.
06:11
We also have the letter S, but in this case we have a difference:
06:16
we have an S flag
06:18
with an ACK.
06:20
This means that the TCP three-way handshake
06:25
was completed.
06:26
So, since we have the connection, let's check the web server logs.
06:30
Now, check these web server logs
06:33
and try to find a malicious behavior.
06:36
If you want to pause the video for a while, it's okay.
06:41
Let's analyze the web server logs together.
06:44
We have the source IP,
06:46
date and time,
06:48
HTTP method, the requested file,
06:53
HTTP version, status code, size, and the user agent.
06:58
So the web server log is okay.
07:00
The point here is the number of requests and many errors.
07:05
If you check the requested files, they don't make sense:
07:10
a lot of numbers that result in an error. The HTTP status code 400 means bad request.
07:18
Why would someone send a lot of errors?
07:23
Usually, users get upset with the errors.
07:28
Here we have the same source, a lot of errors in a small period of time,
07:33
and some random requested files.
07:38
In this case, we have the HTTP flood.
07:41
Again, depending on the size of the web server, the attacker will need a lot of requests to get the web server and the web application down.
07:50
In this example, we have the error 400,
07:55
but the HTTP flood can result in another status code, like 500 or 200. It will only depend on the requests.
08:05
Basically, the most important thing is the number of requests. If you notice that there is a high number of requests, more than normal, maybe you have a flood.
08:16
What do you think will happen if we use the netstat command during the HTTP flood?
08:22
Here is the result.
08:24
We still have a lot of lines, but now we have the word ESTABLISHED.
08:30
That means that the TCP connection was established;
08:33
that's why we have the web server logs.
08:37
In previous slides, we said that the flood attacks try to consume all the resources of the machine.
08:43
Here you can see the CPU usage from the firewall.
08:48
You can see on both graphs that the CPU usage percentage rose a lot
08:54
and really fast.
08:56
In the first graph, we have two moments of high CPU usage.
09:00
In the second graph, we have the same two periods of high CPU, but we can see another increase in CPU usage
09:09
during the period of high CPU usage. Since the web server is after the firewall, the web application was down.
09:16
This means that the denial of service attack was the SYN flood.
09:22
We can see the same behavior on the network bandwidth graph.
09:26
It goes from kilobits to megabits. Let's see some directions to identify the flood attacks:
09:35
several requests, many requests from the same source in a small period of time;
09:41
a fast increase of CPU or bandwidth usage;
09:46
many SYN requests without establishing the three-way handshake;
09:50
uncommon or random requests on the web server logs;
09:54
or your application is slow or stopped working.
09:58
And don't forget to check the user agent,
10:03
since you need to send a lot of crafted HTTP packets,
10:07
it's very common to use a tool.
10:09
Also remember that the attacker can change the user agent.
10:13
That's all for this lesson, and see you in the next video.

Up Next

Identifying Web Attacks Through Logs

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.

Instructed By

Igor Vieira
Information Security Analyst
Instructor