Let's continue our lesson.
In this video we'll talk about two log sources: the first is IPS or IDS,
and the other log source is the web application firewall.
Let's talk about IPS and IDS.
Both detect attacks, while IPS, which means intrusion prevention system, can detect and block the attacks.
IDS, or intrusion detection system, only detects the attack.
Both work in the same way, but IPS sits in the path of the communication, so it can block the attack.
IDS only listens to the traffic.
Since IDS is not between the source and the destination, it cannot block the attack.
Maybe you're thinking, well, why should I use IDS?
IPS can block and IDS cannot block, so it's better to use an IPS, right?
IPS is an inline component.
In some environments it's actually not allowed to use IPS because it can delay the communication.
But it's still important to detect attacks.
As soon as the IDS detects the attack, it can send an alert to a SOC analyst or to a network component,
so it's better to have at least an IDS than nothing.
Snort is open source software that can be used as an IPS or an IDS.
Let's analyze some Snort logs.
Some information is easy to identify.
You can easily identify some attacks: cross site scripting,
brute force, SQL injection vulnerability and malicious user agents.
You can also identify some well-known fields like date and time and the source and destination IP address.
There are many other IPS and IDS products.
Each will have its own logs, but with most of them you're given information about the attack and you have the key fields.
It's important to know that another log source, like an IPS,
can help you to identify the web attack.
As you can see, it can identify which attack was performed, so it can make the life of a SOC analyst much easier.
Let's talk about the web application firewall.
IPS and IDS analyze all types of traffic, and web application firewalls analyze the web application traffic. That's why IPS and IDS are more related to the network and the web application firewall is more related to web applications.
Like IPS and IDS, a web application firewall can be deployed in the middle of the communication, and because of that, it has the capability to block the attack. But like an IDS, it can also be configured to only detect the attacks.
There is an open source web application firewall called ModSecurity.
Let's see the web application firewall logs.
It's big and long, right? But don't be scared.
Spend some time analyzing this log. Look for some known fields or any information that you think is important. If you want, pause the video.
Later we'll analyze this log together. But first,
you can see ModSecurity, and it says that there is a warning.
I hope that you found it in this part of the log.
Do you remember this attack?
Now check the web application firewall's conclusion:
web attack / file injection. And, of course, the well-known fields like date and time, and the client IP, or the attacker.
Here's our server IP address and the web page. Again, the basic information is all here, even a conclusion.
This looks like a file injection attack.
To make things more clear, let me show you the web server log of this attack.
All the fields are here:
IP address, date and time, URL, the requested file, the HTTP status code and the user agent.
Just looking at the web application firewall log, you can get the attack, or the possible attack, with almost the same information, but with the conclusion.
Let's see one more example.
Here we have an SQL attack.
The log is similar. We have date and time, the IP address and so on.
Here is the related web server log.
We have IP address, date and time and other information.
On the previous slide we had the GET method; here we have the POST method.
Remember that we talked about the POST method and that the web server will not log the payload contents.
That's why we can't see the SQL injection in the web server log.
Since the web application firewall reads the entire request, it can identify the attacks that use POST requests.
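As an added example that is not part of the lesson's material, here is a small Python parser that pulls out the key fields the lesson points to (date and time, source and destination IP, the sensor's conclusion, and for the WAF the requested page) from one constructed Snort alert line and one constructed ModSecurity error-log line, and tags the attack type from the conclusion text. All sample values (addresses, rule ids, timestamps) are constructed.

```python
import re

# Constructed sample lines (not from any real system): a Snort alert in the
# "fast" format, and a ModSecurity entry as written into the Apache error log.
SNORT_LINE = ("01/15-10:23:45.123456  [**] [1:1000001:1] WEB_ATTACK Cross Site Scripting attempt [**] "
              "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.10:51234 -> 192.0.2.20:80")
MODSEC_LINE = ('[Tue Jan 15 10:24:01.000000 2024] [:error] [pid 1234] [client 203.0.113.10] ModSecurity: Warning. '
               'Pattern match "union.*select" at ARGS:id. [id "900001"] [msg "SQL Injection Attack"] '
               '[severity "CRITICAL"] [hostname "192.0.2.20"] [uri "/login.php"]')

# Snort fast format: timestamp [**] [gid:sid:rev] message [**] ... {proto} src:port -> dst:port
SNORT_RE = re.compile(r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
                      r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
# ModSecurity: bracketed tags carry the verdict (msg), the server (hostname) and the page (uri).
MODSEC_RE = re.compile(r'^\[(?P<ts>[^\]]+)\].*?\[client (?P<src>[\d.]+)(?::\d+)?\].*?\[msg "(?P<msg>[^"]+)"\]'
                       r'.*?\[hostname "(?P<dst>[^"]+)"\].*?\[uri "(?P<uri>[^"]+)"\]')

# Attack types the lesson names, keyed by the words an alert message usually carries.
CATEGORIES = {"cross site scripting": "xss", "xss": "xss", "sql injection": "sqli",
              "file injection": "file_injection", "brute force": "brute_force",
              "user agent": "malicious_user_agent"}


def classify(msg):
    """Map the sensor's conclusion text to one of the lesson's attack types."""
    text = msg.lower()
    for keyword, category in CATEGORIES.items():
        if keyword in text:
            return category
    return "unknown"


def _parse(regex, source, line):
    """Extract the named groups and add the log source and the attack category."""
    m = regex.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields.update(source=source, attack=classify(fields["msg"]))
    return fields


def parse_any(line):
    """Dispatch on a marker each format always carries; returns None for unknown lines."""
    if "ModSecurity:" in line:
        return _parse(MODSEC_RE, "modsecurity", line)
    if "[**]" in line:
        return _parse(SNORT_RE, "snort", line)
    return None
```

Both results carry the same core fields (ts, src, dst, msg, attack), which is the point of the lesson: once you know where the key fields live, a different sensor's log is just a different layout.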
Some considerations about IPS,
IDS and WAF.
They help to identify attacks and protect against them. All of them work with signatures, and usually they already have some built-in signatures.
Because web applications are different,
you do need to make some adjustments after deployment. Like any other security tool,
they can be bypassed, and they can cause some availability issues because of false positives.
We used version 4 of the IP protocol in this course, and maybe you've heard about IP version 6.
This will not change our log analysis because HTTP is a higher-layer protocol.
IP is a lower-layer protocol.
This means that HTTP can use either IPv4 or IPv6.
This is also true for TCP.
The only difference will be in the IP fields.
Basically, the IPv4 address is 32 bits and IPv6 is a little bigger: 128 bits for its address.
To make things more clear, here's an example of a log with IPv6.
The only difference is the IP address, so you can analyze IPv4 and IPv6 servers.
To finish, a post-assessment question:
analyze the log below and identify the key fields and the possible attack.
The attacks are easy to identify. The first is a cross site scripting attack and the second an SQL injection.
For the fields, we have IP address, date and time, URL and so on.
Now the video summary.
In today's video, we talked about other sources of logs. We now understand two types of attacks: SYN and HTTP flood.
We also analyzed two types of logs: IPS/IDS and web application firewall.
Even if we have different log sources, many of the same components can be found. So as soon as you know how to analyze one type of log, you can analyze other logs too.
Maybe you have some doubts, but that's normal.
Always try to find the important fields in each log.
For our next video, we will have our course summary.