Other Log Sources Part 2

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
2 hours 5 minutes
Difficulty
Beginner
CEU/CPE
3
Video Transcription
00:00
Hello all.
00:02
Let's continue our lesson
00:04
in this video. We'll talk about to log sources first is I PS or IEDs
00:09
and the other log source is Web application Firewall.
00:13
Let's talk about I ps and I ds
00:16
both detect attacks while I ps, which means intrusion prevention system can detect and block the attacks
00:23
Ideas or intrusion detection system. Onley detects the attack.
00:29
Both work in the same way but I ps is between the communication so it can block the attack
00:34
ID Yes, Onley listens to the traffic.
00:37
Since I ds is not between the source and the destination, it cannot block the attack.
00:44
Now
00:45
maybe you're thinking well, why should I use I ds
00:48
I p s can block and I ds cannot block, so it's better to use an I. P s right
00:53
I P s is a component
00:55
in some environments. It's actually not allowed to use I p s because it can delay the communication
01:00
But it's still important for detecting attacks.
01:03
As soon as the ideas that text the attack, it can send the alert to a sock analyst or to a network component,
01:08
so it's better to have at least an ideas than nothing.
01:12
Snort is an open source software that could be used as I P s or I DS.
01:19
Let's analyze some snort logs.
01:21
Some information is easy to identify.
01:23
You can easily identify some attacks, cross site scripting,
01:27
brute force, SQL injection vulnerability and malicious user agents.
01:34
You can also identify some well known fields like date and Time and the source and destination I P. Address.
01:41
There are many other I PS and ID software's.
01:45
Each will have its logs, but with most of them you're given information about the attack and you have the key fields.
01:51
It's important to know that another I PS like log source
01:53
can help you to identify the Web attack.
01:57
As you can see, it can identify which attack it was performed so it could make the life of a stock analyst much easier.
02:06
Next,
02:07
let's talk about the Web application Firewall.
02:10
I P S and I DS analyze all types of traffic and Web application firewalls analyzed the Web application traffic. That's why I PS and I. D. S is more related to the network and Web application. Firewall is more related to Web applications
02:28
like I P s and I D s. A Web application firewall can be deployed in the middle of the communication, and because of that, it has the capability to block the attack. But like I d s, it can also be made to only detect the attacks.
02:39
There is an open source Web application file called Mod Security.
02:45
Let's see the Web application firewall logs.
02:49
It's a big, long right, But don't be scared.
02:52
Spend some time analyzing this log. Look for some known fields or any information that you think is important. If you want pause the video
03:00
later, we'll analyze this log together, But first
03:02
you can see mod security. And it says that there is a warning.
03:07
I hope that you find it in this part of the lock.
03:09
Do you remember this attack?
03:13
Now check the Web application conclusion,
03:15
Web attack slash file injection And, of course, the well known fields like date and time, the client I p. Or the attacker.
03:23
Here's our server I, P address and the Web page. Again, the basic information is all here. Even a conclusion.
03:30
This looks like a file injection attack.
03:34
To make things more clear, let me show you the Web server log of this attack.
03:38
All the fields air Here
03:39
I p address, date and time You are l the requested file theeighties DTP status code and the user agent
03:47
Just looking at the Web application firewall log. You can get the attack or the possible attack almost with the same information. But with the conclusion.
03:57
Let's see one more example.
04:00
Here we have an SQL attack.
04:01
The log is similar. We have date and time, the I P address and so on.
04:08
Here is the related Web server lock.
04:12
We have I P address, date and time and other information
04:16
on the previous slide. We had to get method here we have the post method.
04:21
Remember that we talked about post Method and that the Web server will not log the payload contents.
04:28
That's why we can't see the SQL injection in the Web server log.
04:30
But
04:31
since the Web application file reads the entire packet, it can identify the attacks that use post requests.
04:41
Some considerations about I, PS,
04:43
IEDs and UAF.
04:45
They help to identify attacks and protect against them. Both work with signatures, and usually they already have some built in signatures
04:53
because the Web applications are different.
04:55
You do need to make some adjustments after deployment. Like any other security tool,
05:00
they could be bypassed and they can cause some availability issues because of the false positive.
05:06
We used version four of the I. P. Protocol in this course. And maybe you heard about I p version six.
05:13
This will not change our log analysis because http is a top layer protocol.
05:17
I p is a lower protocol.
05:20
This means that http can use either i p before or I p v six.
05:26
This is also true for TCP.
05:29
The only difference will be in the I P fields.
05:31
Basically, the I P V four address is 32 bits and I p V six is a little bigger 128 bits for its address.
05:40
To make things more clear, here's an example of a log with I p v six.
05:45
See.
05:46
The only difference is the I. P address, so you can analyze I P v four and I p V six servers.
05:54
To finish a post assessment question,
05:57
analyze the log below and identify the key fields and the possible attack.
06:01
The attacks are easy to identify. The first is a cross site scripting attack in the second and SQL injection
06:09
for the fields. We have i p address date and time u r l and so on.
06:15
Now the video summary
06:17
In today's video, we talked about other sources of logs. We now understand two types of attacks S Y n and http Flood.
06:25
We also analyze two types of logs. I ps slash I. D. S and Web applications firewall
06:31
Another conclusion.
06:32
Even if we have different log sources, many of the same components can be found. So as soon as you know how to analyze one type of log, you can analyze other logs to
06:44
Maybe you have some doubts, but that's normal.
06:46
Always try to find the important fields in each log.
06:49
For our next video,
06:51
we will have our course summary.
Up Next
Identifying Web Attacks Through Logs

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.

Instructed By