Time
2 hours 19 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:00
Hello, and let's continue this lesson. In this video, we'll talk about two log sources.
00:06
The first is IPS or IDS.
00:10
The other log source is the web application firewall.
00:14
Let's talk about IPS and IDS.
00:18
Both detect attacks,
00:21
while IPS, which means intrusion prevention system,
00:26
detects and blocks attacks.
00:29
The IDS, or intrusion detection system,
00:33
only detects attacks.
00:35
Both work in the same way, but the IPS is in the middle of the communication, so it can block the attack,
00:43
and the IDS only listens to the traffic.
00:46
Since the IDS is not between the source and destination, it cannot block the attack. Maybe you're thinking, why should I use an IDS?
00:56
IPS can block and IDS cannot block, so it's better to use an IPS.
01:03
IPS is a component; in some environments it is not allowed to put an IPS, because it can delay the communication, but it is important to detect the attacks.
01:15
And so, as the IDS detects the attack, it can send the alert to the analysts, and it is not a network component.
01:25
So it's better to have at least an IDS than nothing.
01:30
Snort is open source software that can be used as IPS or IDS.
01:36
Let's analyze some Snort logs.
01:38
Some information is easy to identify.
01:42
You can easily identify some attacks:
01:46
cross-site scripting, brute force, SQL injection,
01:51
vulnerability,
01:52
and malicious user agent.
01:55
You can also identify some well-known fields,
01:59
like date and time
02:00
and the source and destination IP address.
02:05
There are many other IPS and IDS software products.
02:08
Each will have its logs,
02:12
but most of them give information about the attack and have the key fields.
02:17
So it's important to know that another log source, like IPS logs, can help you identify the web attack,
02:25
and, as you can see, it's easy to identify which attack was performed,
02:30
so it can make the life of a SOC analyst much easier.
02:35
Next, let's talk about web application firewalls.
02:38
IPS and IDS analyze all types of traffic,
02:43
and web application firewalls only analyze
02:46
the web application traffic.
02:49
That's why IPS and IDS are more related to the network, and web application firewalls are more related to web applications.
02:57
Like IPS and IDS, a web application firewall could be a bridge in the middle of the communication,
03:04
and because of it can block the attacks, or, like IDS, only detect the attacks.
03:10
And there is an open source web application firewall called ModSecurity.
03:16
Let's see the web application firewall logs.
03:21
It is a big log, right? But don't be scared.
03:24
Spend some time analyzing this log.
03:28
Look for some known fields or information that you think is important.
03:34
If you want, pause the video now;
03:36
later, we will analyze this log together.
03:39
First, you can see ModSecurity, and there is a warning.
03:45
I hope that you find it.
03:47
This part of the log.
03:50
Do you remember this attack?
03:51
Now check the web application firewall conclusion.
03:54
Web attack, file inclusion. And of course, the well-known fields, like date and time,
04:02
and the client IP, or the attacker,
04:06
and here our web server IP address.
04:10
And the web page. Again, the best information is here,
04:15
even a conclusion.
04:16
This looks like a file inclusion attack.
04:19
To make things clear, let's show the web server log of this attack.
04:26
All the fields are here:
04:28
IP address,
04:30
date and time,
04:31
URL, the requested file,
04:34
HTTP status code, and the user agent. Just looking at the web application firewall log, you can get the attack, or the possible attack,
04:46
almost with the same information, but with a conclusion.
04:50
Let's see one more example.
04:53
Here we have a SQL injection attack.
04:56
The log is similar.
04:58
We have date and time, the IP address, and so on.
05:01
And here, the related web server log.
05:04
We have the IP address, date and time, and that information,
05:11
while in the previous log we had the GET method,
05:15
and here we have the POST method.
05:17
Remember that we talked about the POST method,
05:20
that the web server will not log the payload content.
05:25
That's why we cannot see the SQL injection in the web server log. But since the web application firewall reads the entire packet, it can identify the attacks that use POST requests.
05:39
Now, some considerations about IPS, IDS and WAF.
05:44
They identify attacks and protect against them.
05:47
Both work with signatures, and usually they already have some built-in signatures.
05:54
And because web applications are different, you need some adjustments after the deployment. Like any other security tool, they could be bypassed,
06:04
and they can cause some availability issues because of false positives.
06:11
We used during this course version 4 of the IP protocol.
06:15
Maybe you heard about IP version 6.
06:19
This will not change our log analysis,
06:23
because HTTP is a top-layer protocol.
06:27
And IP is a lower-layer protocol.
06:30
This means that HTTP can use both
06:32
IPv4 or IPv6.
06:35
This is also true for TCP.
06:39
The only difference will be in the IP fields.
06:42
Basically, the IPv4 address is 32 bits, and IPv6 is a little bigger: 128 bits for its address.
06:51
To make things clear, here is an example of a log with IPv6.
06:58
See, the only difference is the IP address.
07:00
So you can analyze IPv4 and IPv6 the same way.
07:05
To finish, pause the video and answer my question:
07:09
analyze the logs below and identify the key fields and the possible attack.
07:14
The attacks are easy to identify.
07:16
The first is a cross-site scripting and the second is a SQL injection.
07:23
And for the fields we have IP address,
07:26
date and time,
07:28
URL,
07:30
and so on.
07:30
Now, the video summary.
07:32
In today's video, we talked about other sources of logs.
07:38
We understood two types of attacks seen in an HTTP flow, and we analyzed two types of logs:
07:46
IPS logs and web application firewall logs.
07:50
Another conclusion is important here.
07:54
Even if we have different log sources, many of the key components can be found.
08:01
So as soon as you know how to analyze one type of log,
08:05
you can analyze other logs, too.
08:07
Maybe you have some doubts, but it's normal. Always try to find the important fields in each log.
08:13
For our next video, we will have our course summary.

Identifying Web Attacks Through Logs

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.

Instructed By

Igor Vieira
Information Security Analyst
Instructor