Hello, and let's continue. In this lesson, in this video, we'll talk about two log sources.
The first is IPS or IDS.
The other log source is the web application firewall (WAF).
Let's talk about IPS and IDS.
Both detect attacks,
but the IPS, which means intrusion prevention system,
detects and blocks the attack,
while the IDS, the intrusion detection system,
only detects the attack.
Both work in the same way, but the IPS sits inline in the communication, so it can block the attack,
while the IDS only analyzes the traffic.
Since the IDS is not between the source and the destination, it cannot block the attack. Maybe you're thinking: why should I use an IDS?
An IPS can block and an IDS cannot block, so it's better to use an IPS.
The IPS is an inline component, and some environments do not allow putting an IPS in because it can delay the communication. But it is still important to detect the attacks.
And so, as the IDS detects the attack, it can send the alert to the SOC analysts, and there is no network impact.
So it's better to have at least an IDS than nothing.
Snort is open source software that can be used as an IPS or an IDS.
Let's analyze some Snort logs.
Some information is easy to identify.
You can easily identify some attacks:
cross-site scripting, brute force, SQL injection
and malicious user agent.
You can also identify some well-known fields,
like the source and destination IP address.
There are many other IPS and IDS software products.
Each will have its own logs,
but most of them give information about the attack and have the key fields.
So it's important to know that another log source, like IPS logs, can help you identify the web attack,
and, as you can see, it's easy to identify which attack was performed,
so it can make the life of a SOC analyst much easier.
Next, let's talk about the web application firewall.
IPS and IDS analyze all types of traffic,
while web application firewalls only analyze
web application traffic.
That's why IPS and IDS are more related to the network, and the web application firewall is more related to web applications.
Like IPS and IDS, the web application firewall can be in the middle of the communication,
and because of that it can block the attacks, or, like an IDS, only detect the attacks.
And there is an open source web application firewall called ModSecurity.
Let's see the web application firewall logs.
It is a big log, right? But don't be scared.
Spend some time analyzing this log.
Look for some known fields or information that you think is important.
If you want, pause the video.
Later, we will analyze this log together.
First you can see ModSecurity, and there is a warning.
I hope that you found it.
This part of the log:
do you remember this attack?
Now check the web application firewall's conclusion:
web attack, file inclusion. And of course there are the known fields, like date and time,
the client IP (the attacker),
and here the server IP address,
and the web page. Again, the best information is here:
this looks like a file inclusion attack.
To make things clear, let's show the web server log of this attack.
All the fields are here:
the URL, the requested file,
the HTTP status code and the user agent. Just looking at the web application firewall log you can get the attack and the payload,
almost the same information, but with a conclusion.
Let's see one more example.
Here we have a SQL injection attack.
We have date and time, the IP address and so on.
And here the related web server log.
We have the IP address, date and time, and other information.
In the previous example we had the GET method,
and here we have the POST method.
Remember that we talked about the POST method,
that the web server will not log the payload content.
That's why we cannot see the SQL injection in the web server log. But since the web application firewall reads the entire packet, it can identify attacks that use POST requests.
Now, some considerations about IPS, IDS and WAF.
They identify attacks and protect against them.
Both work with signatures, and usually they already have some built-in signatures.
And because web applications are different, you need some adjustments after the deployment. Like any other security tool, they could be bypassed,
and they can cause some availability issues because of false positives, since a false positive in blocking mode drops legitimate traffic.
We used version 4 of the IP protocol during this course.
Maybe you have heard about IP version 6.
This will not change our log analysis,
because HTTP is an upper-layer protocol
and IP is a lower-layer protocol.
This means that HTTP can use both
IPv4 and IPv6.
This is also true for TCP.
The only difference will be in the IP fields.
Basically, an IPv4 address is 32 bits and an IPv6 address is a little bigger: 128 bits for each address.
To make things clear, here is an example of a log with IPv6.
See, the only difference is the IP address.
So you can analyze IPv4 and IPv6 logs the same way.
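To show the idea of the Snort log analysis, the ModSecurity log analysis and the IPv6 remark in working code, here is an added example. It is not code from the course and not from the Snort or ModSecurity projects. It parses constructed sample lines (a Snort alert_fast line, an Apache error-log line written by ModSecurity, and a web server combined-log line for the same POST request; the rule ids, the rule message and all addresses are made up for this example) and normalizes the key fields that every source has: date and time, attacker IP, destination, and the attack category. The second Snort line uses IPv6 addresses, and only the address parsing changes. The last function shows why the web server log cannot reveal the SQL injection carried in the POST body.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample lines for this example; they are not real captures.
# Snort alert_fast format: timestamp [**] [gid:sid:rev] message [**] ... {proto} src:port -> dst:port
SNORT_ALERTS = [
    '08/19-10:24:31.123456  [**] [1:1000001:1] WEB-ATTACK SQL Injection attempt [**] '
    '[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80',
    '08/19-10:25:02.000001  [**] [1:1000002:1] WEB-ATTACK Cross Site Scripting attempt [**] '
    '[Classification: Web Application Attack] [Priority: 2] {TCP} 2001:db8::5:40000 -> 2001:db8::10:80',
]
# ModSecurity line in the Apache error log: [client ip:port] ModSecurity: Warning ... [key "value"] ...
# Rule id 1000003 and its message are hypothetical, not a real ModSecurity/CRS rule.
MODSEC_ALERT = (
    '[Sun Aug 19 10:26:10.500000 2018] [:error] [pid 4242] [client 203.0.113.5:51300] '
    'ModSecurity: Warning. Pattern match "(?i:union.*select)" at ARGS:password. '
    '[id "1000003"] [msg "SQL Injection Attack"] '
    '[data "Matched Data: union select found within ARGS:password: x\' union select 1,2,3-- "] '
    '[severity "CRITICAL"] [hostname "www.example.com"] [uri "/login.php"] [unique_id "constructed"]'
)
# Web server (combined log format) line for the same POST request: the body is not logged.
ACCESS_LINE = ('203.0.113.5 - - [19/Aug/2018:10:26:10 +0000] "POST /login.php HTTP/1.1" '
               '200 512 "-" "Mozilla/5.0"')


@dataclass
class Event:
    source: str     # which log produced the event
    timestamp: str  # date and time as written in the log
    src_ip: str     # attacker / client address, IPv4 or IPv6
    dst: str        # destination IP or hostname
    attack: str     # normalized attack category
    detail: str     # raw signature message or matched data


def split_host_port(hostport: str) -> Tuple[str, str]:
    """'203.0.113.5:51234' -> ('203.0.113.5', '51234'). Works for IPv6 as well,
    because only the last ':' separates the port from the address."""
    host, sep, port = hostport.rpartition(':')
    return (host, port) if sep else (hostport, '')


def classify(text: str) -> str:
    """Map a signature message to the attack categories discussed in the lesson."""
    t = text.lower()
    if 'sql' in t:
        return 'SQL injection'
    if 'cross site scripting' in t or 'xss' in t:
        return 'cross-site scripting'
    if 'brute' in t:
        return 'brute force'
    if 'user-agent' in t or 'user agent' in t or 'scanner' in t:
        return 'malicious user agent'
    if 'file inclusion' in t:
        return 'file inclusion'
    return 'unknown'


SNORT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sig>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?'
    r'\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)


def parse_snort(line: str) -> Optional[Event]:
    """Key fields of a Snort alert: time, signature message, source and destination IP."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    src_ip, _ = split_host_port(m['src'])
    dst_ip, _ = split_host_port(m['dst'])
    return Event('snort', m['ts'], src_ip, dst_ip, classify(m['msg']), m['msg'])


MODSEC_TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs


def parse_modsec(line: str) -> Optional[Event]:
    """The WAF's own conclusion lives in [msg]; the matched payload (even from a POST body) in [data]."""
    if 'ModSecurity:' not in line:
        return None
    ts = re.match(r'^\[([^\]]+)\]', line)
    client = re.search(r'\[client ([^\]]+)\]', line)
    tags = dict(MODSEC_TAG_RE.findall(line))
    if not (ts and client and 'msg' in tags):
        return None
    src_ip, _ = split_host_port(client.group(1))
    return Event('modsecurity', ts.group(1), src_ip, tags.get('hostname', ''),
                 classify(tags['msg']), tags.get('data', tags['msg']))


ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                       r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def payload_visible_in_access_log(line: str) -> bool:
    """A GET payload travels in the query string, which the web server logs;
    a POST body is never written to the access log, so the WAF is the only place to see it."""
    m = ACCESS_RE.match(line)
    return bool(m) and m['method'] == 'GET' and '?' in m['path']


if __name__ == '__main__':
    for ev in [*map(parse_snort, SNORT_ALERTS), parse_modsec(MODSEC_ALERT)]:
        print(f'{ev.source:12} {ev.timestamp:30} {ev.src_ip:>14} -> {ev.dst:16} {ev.attack}')
    print('payload visible in web server log:', payload_visible_in_access_log(ACCESS_LINE))
```

Both parsers end in the same `Event` shape, which is the point of the lesson's summary: once the time, attacker IP and attack category are extracted, the analysis is the same whichever sensor wrote the line. The `rpartition` on the last colon is all that is needed for the IPv6 lines.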
To finish, here is a small question:
when you analyze the log below, identify the key fields and the possible attack.
The attacks are easy to identify.
The first is a cross-site scripting and the second is a SQL injection.
And for the fields, we have the IP address.
Now, the video summary.
In today's video, we talked about other sources of logs.
We understood two types of attacks seen in HTTP traffic, and we analyzed two types of logs:
IPS logs and web application firewall logs.
Another conclusion is important here:
even if we have different log sources, many of the key components can be found.
So as soon as you know how to analyze one type of log,
you can analyze other logs too.
Maybe you have some doubts, but it's normal. I always try to find the important fields in each log.
For our next video, we will have our course summary.