Other Log Sources Part 2

00:00

Hello all.

00:02

Let's continue our lesson

00:04

in this video. We'll talk about to log sources first is I PS or IEDs

00:09

and the other log source is Web application Firewall.

00:13

Let's talk about I ps and I ds

00:16

both detect attacks while I ps, which means intrusion prevention system can detect and block the attacks

00:23

Ideas or intrusion detection system. Onley detects the attack.

00:29

Both work in the same way but I ps is between the communication so it can block the attack

00:34

ID Yes, Onley listens to the traffic.

00:37

Since I ds is not between the source and the destination, it cannot block the attack.

00:44

Now

00:45

maybe you're thinking well, why should I use I ds

00:48

I p s can block and I ds cannot block, so it's better to use an I. P s right

00:53

I P s is a component

00:55

in some environments. It's actually not allowed to use I p s because it can delay the communication

01:00

But it's still important for detecting attacks.

01:03

As soon as the ideas that text the attack, it can send the alert to a sock analyst or to a network component,

01:08

so it's better to have at least an ideas than nothing.

01:12

Snort is an open source software that could be used as I P s or I DS.

01:19

Let's analyze some snort logs.

01:21

Some information is easy to identify.

01:23

You can easily identify some attacks, cross site scripting,

01:27

brute force, SQL injection vulnerability and malicious user agents.

01:34

You can also identify some well known fields like date and Time and the source and destination I P. Address.

01:41

There are many other I PS and ID software's.

01:45

Each will have its logs, but with most of them you're given information about the attack and you have the key fields.

01:51

It's important to know that another I PS like log source

01:53

can help you to identify the Web attack.

01:57

As you can see, it can identify which attack it was performed so it could make the life of a stock analyst much easier.

02:06

Next,

02:07

let's talk about the Web application Firewall.

02:10

I P S and I DS analyze all types of traffic and Web application firewalls analyzed the Web application traffic. That's why I PS and I. D. S is more related to the network and Web application. Firewall is more related to Web applications

02:28

like I P s and I D s. A Web application firewall can be deployed in the middle of the communication, and because of that, it has the capability to block the attack. But like I d s, it can also be made to only detect the attacks.

02:39

There is an open source Web application file called Mod Security.

02:45

Let's see the Web application firewall logs.

02:49

It's a big, long right, But don't be scared.

02:52

Spend some time analyzing this log. Look for some known fields or any information that you think is important. If you want pause the video

03:00

later, we'll analyze this log together, But first

03:02

you can see mod security. And it says that there is a warning.

03:07

I hope that you find it in this part of the lock.

03:09

Do you remember this attack?

03:13

Now check the Web application conclusion,

03:15

Web attack slash file injection And, of course, the well known fields like date and time, the client I p. Or the attacker.

03:23

Here's our server I, P address and the Web page. Again, the basic information is all here. Even a conclusion.

03:30

This looks like a file injection attack.

03:34

To make things more clear, let me show you the Web server log of this attack.

03:38

All the fields air Here

03:39

I p address, date and time You are l the requested file theeighties DTP status code and the user agent

03:47

Just looking at the Web application firewall log. You can get the attack or the possible attack almost with the same information. But with the conclusion.

03:57

Let's see one more example.

04:00

Here we have an SQL attack.

04:01

The log is similar. We have date and time, the I P address and so on.

04:08

Here is the related Web server lock.

04:12

We have I P address, date and time and other information

04:16

on the previous slide. We had to get method here we have the post method.

04:21

Remember that we talked about post Method and that the Web server will not log the payload contents.

04:28

That's why we can't see the SQL injection in the Web server log.

04:30

But

04:31

since the Web application file reads the entire packet, it can identify the attacks that use post requests.

04:41

Some considerations about I, PS,

04:43

IEDs and UAF.

04:45

They help to identify attacks and protect against them. Both work with signatures, and usually they already have some built in signatures

04:53

because the Web applications are different.

04:55

You do need to make some adjustments after deployment. Like any other security tool,

05:00

they could be bypassed and they can cause some availability issues because of the false positive.

05:06

We used version four of the I. P. Protocol in this course. And maybe you heard about I p version six.

05:13

This will not change our log analysis because http is a top layer protocol.

05:17

I p is a lower protocol.

05:20

This means that http can use either i p before or I p v six.

05:26

This is also true for TCP.

05:29

The only difference will be in the I P fields.

05:31

Basically, the I P V four address is 32 bits and I p V six is a little bigger 128 bits for its address.

05:40

To make things more clear, here's an example of a log with I p v six.

05:45

See.

05:46

The only difference is the I. P address, so you can analyze I P v four and I p V six servers.

05:54

To finish a post assessment question,

05:57

analyze the log below and identify the key fields and the possible attack.

06:01

The attacks are easy to identify. The first is a cross site scripting attack in the second and SQL injection

06:09

for the fields. We have i p address date and time u r l and so on.

06:15

Now the video summary

06:17

In today's video, we talked about other sources of logs. We now understand two types of attacks S Y n and http Flood.

06:25

We also analyze two types of logs. I ps slash I. D. S and Web applications firewall

06:31

Another conclusion.

06:32

Even if we have different log sources, many of the same components can be found. So as soon as you know how to analyze one type of log, you can analyze other logs to

06:44

Maybe you have some doubts, but that's normal.

06:46

Always try to find the important fields in each log.

06:49

For our next video,