Time
2 hours 19 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:00
Hello, everyone, and welcome back to the course Identifying Web Attacks Through Logs. I'm Igor Vieira. After a brief review of web server logs and the log importance
00:09
in this video we'll keep talking about the logs,
00:12
but we will give some advice about some common issues and mistakes that can occur during the log analysis.
00:20
The video objectives are:
00:22
understand the difference between availability and security log analysis,
00:27
understand that some log fields can be crafted to hide something from the analysis,
00:32
and show some mistakes that can happen when analyzing logs.
00:37
So let's start.
00:39
With the rise of security risks, the security staff increased
00:44
and the SOC teams started to play an important role in the companies.
00:48
Nowadays it is common to have a NOC and a SOC team working together.
00:53
They have the same worry, with different perspectives.
00:57
NOC and SOC want to keep things working correctly,
01:00
but the NOC usually worries about whether the services are up,
01:04
and the SOC worries about security incidents.
01:07
A security incident doesn't mean that the resource is down;
01:11
a security incident can affect a resource even if it is working as expected.
01:18
As an example, consider this web server log.
01:21
What do you think it is?
01:23
Is it malicious, weird, or is it just okay,
01:26
since we have a 200 status code?
01:30
A NOC analyst could say that it is okay: the service is up and answering.
01:36
They would check CPU and memory and say everything is okay.
01:41
For a SOC analyst, it is a suspicious behavior,
01:44
so it's better to investigate.
01:46
During this course, you will learn that this request is an attack,
01:51
an SQL injection attack.
01:53
In the previous slide, we had a log that is related to an attack.
01:57
The logs are generated by the web server,
02:00
but how are the logs generated,
02:04
and can we trust all the log information?
02:07
Logs are generated from two actions:
02:09
the client request and the web server answer.
02:14
The web server is known
02:15
and is under our control.
02:17
The client is someone of whom we probably know only the IP address
02:22
and the user ID.
02:24
And usually we don't know if the IP is from an attacker or a real client. The conclusion is we cannot trust the clients that much.
02:34
Because of this we have a doubt:
02:37
are the logs 100% trustable?
02:40
The answer is no. Let's see why.
02:44
The HTTP protocol is basic text commands,
02:47
and it is easy to craft text packets.
02:52
Remember that we have a lot of user agent software, and some of this software can craft packets
02:59
with HTTP requests.
03:00
What do you think will happen with this crafted packet? Remember, it's an HTTP request.
03:07
So assume this crafted packet arrives at the web server. It will be processed and answered.
03:15
The web server's job is answering the requests.
03:17
It doesn't care who sent the request.
03:21
For example, you can see a different user agent and a different referer.
03:25
This is common to happen during attacks
03:29
because the attackers want to hide,
03:31
so it's better to use a normal user agent than a suspicious user agent.
03:38
Web browsers are considered normal user agents. Later in this video you will see some examples of suspicious user agents, like curl. And during the course, you will see other examples of suspicious user agents,
03:53
like Python libraries.
03:55
Although, for TCP/IP communications, the web client IP address
04:00
is always true.
04:01
Since the HTTP transfer starts after the three-way handshake, the IP address on the log will be the same IP that established the connection.
04:10
One possible problem is when the user connects through a VPN
04:15
or a web proxy.
04:17
This will hide the web client's real IP.
04:20
In this case, the VPN or the web proxy address will be the client's IP.
04:26
Again, the web server doesn't care if it's a proxy, a VPN or a real user,
04:31
and will log the web proxy or the VPN IP address.
04:35
To get the real IP you need the logs from the VPN or the web proxy and correlate them.
04:43
Another field that cannot be crafted
04:45
is the status code.
04:47
Can you guess why the status code cannot be crafted by the user?
04:51
For example, the status code should be 404, but it shows a 200 on the log.
04:58
Well, the status code is generated by the web server. It depends on the client request. You can craft a request to get a 400 status code,
05:09
but to change the status code from 404 to a 200, you need to change the line inside the web server log file,
05:16
and it cannot be done during the HTTP request.
05:19
Based on what we saw, let's show some examples.
05:24
Using our Linux machine, we perform some requests using different user agents.
05:30
The IP address of our web server is 10.[unclear].0.101, and our first request will be a simple telnet.
05:40
Taking a look at the telnet request,
05:43
it didn't show a user agent, but we can see the status code
05:46
400.
05:48
For the second and third requests, we use curl. curl is a tool that is commonly used to request web pages.
05:56
In the first curl request, as you see, the user agent is curl,
06:00
although curl has many options.
06:02
With one of the options you can change the user agent.
06:05
If we use a curl option to change the user agent, the web server will log exactly what we put in that option,
06:14
here, Mozilla Firefox.
06:15
There are many other options in curl to craft HTTP packets, and many other software with the same capabilities.
06:24
To summarize, check this table. It has the key log fields and whether it's possible to craft a request with this field.
06:30
Understand "crafted" as the possibility to generate and manipulate the HTTP request to hide some information about the request, like the user agent.
06:41
Based on this, the IP address cannot be changed.
06:45
As we said before, this is because of the three-way handshake.
06:49
The time depends on the web server configuration.
06:53
The user ID can be crafted,
06:56
and the tactic used is to perform a brute force attack or to steal someone's session.
07:01
The method and the requested file can be crafted, but if you request something that doesn't exist, the web server will answer a 404. We will see in the next videos that 404 errors can help us to find some kinds of attacks.
07:16
The HTTP status code is generated by the web server, so it cannot be crafted,
07:23
and the user agent, as we saw, is possible to craft.
07:27
Other client-related fields can be crafted. Crafting packets and HTTP requests is one way how web servers are compromised.
07:35
Some crafted requests can trigger vulnerabilities. Maybe you are thinking now: I know that I cannot trust web server logs, so why should I use them to identify an attack?
07:47
Even if you don't trust them, you need the logs to identify attacks. You always need to take care when doing analysis.
07:54
A really important thing is to know your application.
07:58
For example, if your web page is not compatible with mobile phones, you should not see user agents related to mobile.
08:07
Always think as a user and guess if a user would do the same thing as you have in the log.
08:13
Try to guess if that info can be fake,
08:18
and always get more logs to correlate.
08:20
This topic continues in the next video.
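The following Python script is an added example written for this page; it is not part of the course or the instructor's material. It puts the video's field table into practice over a few constructed web server log lines (Apache/Nginx "combined" format): it marks which fields the client controls and which the server generates, flags suspicious or missing user agents (curl, Python libraries, a bare telnet request), shows that a 200 status code does not make an SQL-injection-looking request benign, keeps 404s visible as possible probing, and recovers the real client IP by correlating with a proxy log when the web server only saw the proxy's address. The IP addresses, the log lines and the key=value proxy log format are all constructed assumptions.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample lines in the "combined" log format (not from the course).
# 203.0.113.10 plays the web proxy, 192.0.2.50 a client connecting directly.
WEB_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /products.php?id=1'%20OR%201=1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
192.0.2.50 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.88.1"
192.0.2.50 - - [10/Oct/2023:13:55:42 +0000] "GET /admin/config.bak HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
192.0.2.50 - - [10/Oct/2023:13:55:43 +0000] "GET / HTTP/1.1" 400 226 "-" "-"
"""

# Constructed proxy log in a hypothetical key=value format: the proxy records
# the real client behind each request it forwarded to the web server.
PROXY_LOG = """\
2023-10-10T13:55:36Z client=198.51.100.7 proxy=203.0.113.10 "GET /index.html"
2023-10-10T13:55:40Z client=198.51.100.7 proxy=203.0.113.10 "GET /products.php?id=1'%20OR%201=1--"
"""

COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PROXY_RE = re.compile(
    r'(?P<time>\S+) client=(?P<client>\S+) proxy=(?P<proxy>\S+) "(?P<method>\S+) (?P<path>\S+)"'
)

# The video's table: fields the client can freely choose vs. fields the server
# generates (IP comes from the TCP handshake, status code and time from the server).
CLIENT_CONTROLLED = {"user", "method", "path", "referer", "ua"}
SERVER_GENERATED = {"ip", "time", "status", "size"}

SUSPICIOUS_UA = re.compile(r"^(curl|wget|python-requests|python-urllib|libwww-perl)", re.I)
SQLI_MARKER = re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I)


def craftable(field):
    """True if the client controls this log field, per the video's table."""
    return field in CLIENT_CONTROLLED


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = unquote(e["path"])  # decode %20 etc. before pattern matching
    return e


def parse_proxy(line):
    """Parse one line of the constructed proxy log format."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    e["path"] = unquote(e["path"])
    return e


def is_suspicious_ua(ua):
    """Missing user agent (telnet-style raw request) or a known tool/library."""
    return ua in ("", "-") or bool(SUSPICIOUS_UA.match(ua))


def resolve_client_ip(entry, proxy_entries):
    """If the web server saw the proxy's address, look the same request up in the
    proxy log (same method and path, timestamp within 2 seconds) to get the real
    client; otherwise the IP from the TCP connection is already the real one."""
    for p in proxy_entries:
        if (p["proxy"] == entry["ip"] and p["method"] == entry["method"]
                and p["path"] == entry["path"]
                and abs((p["time"] - entry["time"]).total_seconds()) <= 2):
            return p["client"]
    return entry["ip"]


def analyze(web_log, proxy_log):
    """Return one finding per web log line: resolved client IP, status, path, reasons."""
    proxies = [p for p in (parse_proxy(l) for l in proxy_log.splitlines()) if p]
    findings = []
    for line in web_log.splitlines():
        e = parse_combined(line)
        if not e:
            continue
        reasons = []
        if is_suspicious_ua(e["ua"]):
            reasons.append("suspicious or missing user agent: %r" % e["ua"])
        if SQLI_MARKER.search(e["path"]):
            reasons.append("SQL injection pattern in request; status %d does not make it benign" % e["status"])
        if e["status"] == 404:
            reasons.append("404: requested resource does not exist (possible probing)")
        findings.append({"ip": resolve_client_ip(e, proxies), "status": e["status"],
                         "path": e["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(WEB_LOG, PROXY_LOG):
        print(f["ip"], f["status"], f["path"], "; ".join(f["reasons"]) or "ok")
```

Note that the second line is the one the video's NOC analyst would wave through (200, service up, browser user agent), yet the decoded path carries the injection marker and the proxy log shows the real client behind 203.0.113.10.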

Up Next

Identifying Web Attacks Through Logs

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.

Instructed By

Igor Vieira
Information Security Analyst
Instructor