Hello, everyone, and welcome back to the course with Amigo Vieira. After a brief review of web server logs and the importance of logs, in this video we'll keep talking about the logs, but we will give some advice about common issues and mistakes that can occur during log analysis.
The video objectives are: understand the difference between availability and security log analysis; understand that some log fields can be crafted to hide something from the analysis; and show some mistakes that can happen when analyzing logs.
With the rise of security risks, the security staff increased, and the SOC teams started to play an important role in the companies. Nowadays it's common to have a NOC and a SOC team working together. They have the same worry, with different perspectives. The NOC and the SOC both want to keep things working correctly, but the NOC usually worries about whether the systems are up, and the SOC worries about security incidents. A security incident doesn't mean that the resource is down: a security incident can affect a resource even if it is working as expected.
As an example, consider this web server log. What do you think it is? Is it malicious, weird, or just okay, since we have a 200 status code? A NOC analyst could say that it is okay: the server is up and answering. They'd check the status code, check CPU and memory, and say everything is okay. For a SOC analyst it is suspicious behavior, so it's better to investigate. During this course, you will learn that this request is an attack, an SQL injection attack.
In the previous slide, we had a log that is related to an attack. The logs are generated by the web server, but how are the logs generated? Can we trust all the log information? Logs are generated from two actions: the client's request and the web server's answer. The web server is known and is under our control. The client is someone of whom we probably know only the IP address, and usually we don't know if the IP is from an attacker or a real client. The conclusion is that we cannot trust the clients that much. Because of this, we have a doubt: are the logs 100% trustable? The answer is no. Let's see why.
The HTTP protocol is based on text commands, and it is easy to craft text packets. Remember that we have a lot of user agents and software, and some of this software can craft packets. What do you think will happen with this crafted packet? Remember, it's a valid HTTP request. So assume this crafted packet arrives at the web server. It will be processed and answered. The web server's job is answering the requests. It doesn't care who sent the request. For example, you can see a different user agent and a different referer. This commonly happens during attacks, because the attackers want to hide, so it's better to use a normal user agent than a suspicious user agent. Web browsers are considered normal user agents. Later in this video you'll see some examples of suspicious user agents, like curl, and during the course you'll see other examples of suspicious user agents, like Python libraries.
Regarding TCP/IP communications and the web client IP address: since the HTTP transfer starts after the three-way handshake, the IP address on the log will be the same IP that established the connection. One possible problem is when the user connects through a VPN. This will hide the web client's real IP; in this case, the VPN or the web proxy address will be the client's IP. Again, the web server doesn't care if it's a proxy, a VPN or a real user, and it will log the web proxy or the VPN IP address. To get the real IP you need the logs from the VPN or the web proxy and correlate them.
Another field that cannot be crafted is the status code. Can you guess why the status code cannot be crafted by the user? For example, the status code should be 404, but it shows a 200 on the log. Well, the status code is generated by the web server; it depends on the client request. You can craft a request to get a 404 status code, but to change the status code from 404 to a 200 you need to change the line inside the web server log file, and that cannot be done during the HTTP request.
Based on what we saw, let's show some examples. Using a Linux machine, we'll perform some requests using different user agents. The IP address of our web server is 10.0.0.101, and our first request will be a simple telnet. Looking at the log of the telnet request, it didn't show a user agent, but we can see the same status code. For the second and third requests we'll use curl. curl is a Linux tool commonly used to request web pages. In the first curl request, you see curl as the user agent, although curl has many options. With one of the options you can change the user agent. If we use a curl option to change the user agent, the web server will log exactly what we put in that option, here Mozilla Firefox. There are many other options in curl to craft HTTP packets, and many other tools with the same capabilities.
To summarize, check the table. It has the key log fields and whether it's possible to craft a request with that field. Understand "crafted" as the possibility to generate and manipulate the HTTP request to hide some information about the request, like the user agent. Based on this, the IP address cannot be changed, as we said before; this is because of the three-way handshake. Date and time depend on the web server configuration. The user ID can be crafted, and the tactic in use is to perform a brute-force attack or to steal someone's session. The method and the requested file can be crafted, but if you request something that doesn't exist, the web server will answer a 404. We'll see in the next videos that 404 errors can help us find some kinds of attacks. The HTTP status code is generated by the web server, so it cannot be crafted, and the user agent, as we saw, is possible to craft. Other client-related fields can be crafted. Crafting packets and HTTP requests is one way in which web servers get compromised; some crafted requests can trigger vulnerabilities. Maybe you are thinking now: I know that I cannot trust web server logs, so why should I use them to find an attack? Even if you don't trust them, you need the logs to identify attacks. You always need to take care when doing analysis.
A really important thing is to know your application. For example, if your web page is not compatible with mobile phones, you should not see user agents related to mobile. Always think as a user and guess if a real user would do the same thing as you have in the log. Try to guess if that info can be fake, and always get more logs to correlate.
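The checks described in this video, as an added example that is not part of the course material or the instructor's own code: a small Python parser for Apache/nginx "combined" access-log lines that records which fields are server-set and which are client-craftable, flags missing or tool-like user agents (telnet, curl, Python libraries), flags mobile user agents when the application is assumed not to support mobile, and treats a 404 as a trustworthy server-generated signal. The log lines, the IP addresses and the `mobile_supported` flag are constructed assumptions for the demonstration.

```python
"""Review web server access-log lines for the situations discussed in the lecture.

Hypothetical helper written for this page; not the course's own tooling.
"""
import re

# Apache/nginx "combined" format:
# ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The lecture's summary table: which fields the server sets and which the client controls.
FIELD_TRUST = {
    "ip": "server-set (peer address from the TCP handshake; may be a proxy/VPN)",
    "time": "server-set (server clock and configuration)",
    "status": "server-set (server decides the response code)",
    "user": "client-craftable",
    "method": "client-craftable",
    "path": "client-craftable",
    "referer": "client-craftable",
    "ua": "client-craftable",
}

# Constructed sample lines (not captured traffic): a telnet request with no user agent,
# a plain curl request, curl spoofing Firefox, a Python library hitting a missing file,
# and a mobile browser.
SAMPLE_LOG = """\
10.0.0.50 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.0" 200 612 "-" "-"
10.0.0.50 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88.1"
10.0.0.50 - - [10/Oct/2023:13:55:45 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
10.0.0.51 - - [10/Oct/2023:13:56:01 +0000] "GET /admin.php HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
10.0.0.52 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"
"""

# User agents that are normally automation tools rather than browsers.
SUSPICIOUS_UA_PREFIXES = ("curl/", "wget/", "python-requests/", "python-urllib")
MOBILE_UA_MARKERS = ("Mobile", "Android", "iPhone")


def parse_line(line):
    """Return a dict of named fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def review_entry(entry, mobile_supported=False):
    """Return the analyst findings for one parsed entry."""
    findings = []
    ua = entry["ua"]
    if ua == "-":
        findings.append("missing user agent (raw telnet/netcat style request)")
    elif ua.lower().startswith(SUSPICIOUS_UA_PREFIXES):
        findings.append("suspicious user agent: " + ua)
    # "Know your application": a mobile browser on a non-mobile site is worth a look.
    if not mobile_supported and any(marker in ua for marker in MOBILE_UA_MARKERS):
        findings.append("mobile user agent against a non-mobile application")
    # The status code is server-set, so a 404 is a trustworthy sign that the client
    # asked for something that does not exist.
    if entry["status"] == 404:
        findings.append("404 for " + entry["path"])
    return findings


def analyze(log_text, mobile_supported=False):
    """Parse every line and return (ip, status, user agent, findings) tuples."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; in real logs, count these rather than drop them
        results.append((entry["ip"], entry["status"], entry["ua"],
                        review_entry(entry, mobile_supported)))
    return results


if __name__ == "__main__":
    for ip, status, ua, findings in analyze(SAMPLE_LOG):
        print(f"{ip} {status} {ua!r}")
        for finding in findings:
            print("   ->", finding, "| user agent field is", FIELD_TRUST["ua"])
```

Every finding that depends on the user agent is tagged with the field's trust level, so the analyst remembers that the user agent is the client's claim and only the IP, time and status code come from the server; the IP itself still needs VPN or proxy logs to resolve the real client.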
The topic continues in the next video.