Time
2 hours 19 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:00
To continue this lesson, we'll discuss some issues and mistakes that are common during log analysis.
00:06
The first mistake is not knowing your application.
00:10
It is hard to identify if a request is an attack if you do not know at least a little about your web application.
00:18
Knowing your application means
00:21
what is the programming language, the technology behind it,
00:25
the web server software and any other information related to the web application.
00:30
All this information will lead you to a much better analysis. See this request?
00:35
This is only the requested file from the first line of the log.
00:39
It looks normal, right?
00:41
A GET request to this PHP page.
00:44
But what if your server doesn't run PHP?
00:48
Why would someone be requesting this page?
00:50
A typical user would not access this page. Analyzing now the full log of this request, we can see that the server answered 404 Not Found.
01:00
This is expected behaviour, since this application doesn't have PHP.
01:06
If you look for more information about this request, it will show that this request is a common request for a WordPress deployment.
01:12
And there are some vulnerabilities related to this web page.
01:18
As expected, this application does not run WordPress.
01:22
If you were a NOC analyst,
01:23
everything looks fine.
01:26
For a SOC analyst, this log is suspicious. Since you know the application, you know that PHP is not on this web server.
01:34
So you can say that this request is malicious, but there is no risk in it.
01:40
The classification of this event depends on the company policies.
01:45
It can be classified as a false positive or as a vulnerability scan.
01:49
Sometimes it happens that we will not have enough time to analyze the logs.
01:55
Maybe your boss wants a fast answer.
01:57
And maybe you forgot to check all the logs.
02:00
More logs equals more information.
02:05
One of the points is to confirm that you have enough information for the log analysis.
02:09
Remember to ask for other logs.
02:13
Ask for the error log, too.
02:15
Another example is if you have only a small period of logs available,
02:20
or if you weren't the web server administrator, maybe you received the wrong logs. Or maybe someone modified the logs. One example that happened before was: I asked the web server administrator for all the logs inside the default log folder.
02:35
I received a small amount of logs.
02:38
After talking with the server administrator, he told me that in the company they had changed the log folder.
02:45
Then I requested the logs from the correct folder and received the logs.
02:50
Some important questions:
02:52
Do I have all the logs?
02:53
Is it a busy server?
02:55
A busy web server will have more logs.
03:00
Would it be possible that someone changed the logs?
03:02
Sending the logs to a remote syslog server can reduce this risk.
03:07
And always check if the logs are the correct ones, like in the example of the different log folder.
03:15
Another thing that can happen
03:16
is that the web server hosts more than one website, and each website can have its own logs.
03:23
So we need to ask for the correct website's logs.
03:27
Here is another example.
03:29
Suppose you receive a large portion of logs to analyze.
03:31
During our analysis, you see these two lines.
03:35
Can you identify something wrong with these logs? Let's analyze. We have two different client IP addresses.
03:42
Both web server answers are 200.
03:46
The first log line's user agent looks suspicious.
03:49
The first line's method is HEAD, and the second one is a GET.
03:53
Both have a date and time.
03:55
So what is wrong?
03:58
If you take a better look at the date and time, you can find something weird.
04:02
The time between the two lines is more than one hour.
04:08
If it is a busy server, it is a little hard to believe that the web server did not receive requests for more than one hour. There are many reasons this could happen:
04:17
a sysadmin error,
04:19
this isn't a busy server,
04:23
someone deleted the logs,
04:25
the logs were moved to another file, and so on.
04:28
Another important thing about the date and time is to check the time zone.
04:31
It is very common that all the web server logs have the same time zone, but this is not always true.
04:39
You always need to confirm that the logs you have are enough and are the correct ones. But it's also possible that you do not have any logs generated, or maybe you have the logs but the logs are incomplete, or the log configurations are wrong.
04:55
As another example, check these logs. Can you tell what is incomplete?
05:00
In this log you have the time, but you don't have the date. This IP address cannot be from a client because it is the localhost IP address. It can be the website IP address.
05:13
Since we have the time at the beginning of the line and the website IP address, this log looks like an IIS log,
05:20
but we do not have the client IP address, the user agent and the referer. Even if the log looks good, incomplete logs would make the investigation really hard and inconclusive.
05:33
If you get a log like this, go to the website administrators and ask them to configure it better. To summarize, we only have two of the seven fields that we would like to see.
05:45
This is different from the hyphen. When we have the hyphen, we have the field but we don't have the value. Here, even the hyphen is missing, so we do not have the field.
05:57
It is really missing.
05:59
Another problem that can happen is extracting wrong information. If you understand the log, you will not extract wrong information. For example, in the first line of the log here
06:10
you have two IP addresses.
06:13
One is from the client and one is from the web server.
06:16
Maybe this log is from Microsoft IIS, but it can be a different Apache or nginx log configuration.
06:26
The second line is from Apache.
06:29
Again, this looks like an Apache or nginx log. If you extract wrong information from these logs, the conclusion of your analysis can be wrong.
06:38
If you have any doubts about the web server logs, talk with your web administrator.
06:44
And as the last point, we will talk about something that is not only related to the web server logs.
06:48
Do not forget to document all your findings. This is not related only to the web server log analysis.
06:55
It is related to handling security incidents. You can use whatever you prefer: text editor, mind maps, notebooks.
07:04
Whatever.
07:05
I like notebooks for two reasons.
07:09
First, when you write something, it's easier to memorize.
07:13
And second, you know all the information is in one place.
07:16
Most of the time, I start using a notebook and end up in a text editor. It is up to you to see which one works better for you. Do your documentation so you can use it to answer most of the questions, and at least the who, what and when.
07:33
Post-assessment question.
07:35
Is this information true or false?
07:39
Only web browsers send HTTP requests to the web server.
07:43
This information is false.
07:46
As we talked about in this video, there is a lot of software that can craft HTTP requests, like curl, telnet, wget and programming languages.
07:55
For the next question, answer yes or no to tell if the log fields can be crafted or not.
08:01
Take your time to answer, and pause the video if you want.
08:05
Here is the answer.
08:07
Remember that all log fields related to the client can be manipulated,
08:13
and the fields generated by the web server cannot be manipulated by the client.
08:18
For example, the date and time is based on the web server's operating system time.
08:24
And for the last question, consider the logs below. Can you tell which fields are missing?
08:31
You can pause the video if you want. In the first log line, we do not have an IP address, so the client IP address is missing. In the second line, we do not have the date and time information.
08:43
Could you find which one is missing in the last line? The last line is tricky, but if you take a better look at the requested file, you only have the method
08:54
and the HTTP version; the requested file is missing. The minimum requested file is the slash.
09:01
Video summary.
09:03
In this video, we started by talking about the difference between NOC and SOC analysis. After that, we discussed fake requests and crafted HTTP requests.
09:13
At the end, we gave some examples of issues and common mistakes that can happen during the log analysis.
09:20
Module one is finished.
09:22
We will start module number two with a brief review,
09:26
a brief review of the attacks that target web applications,
09:31
and it goes over the URL components.
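The log sanity checks from the last part of the lesson (a gap of more than an hour between consecutive lines, mixed time zones, and fields that are absent rather than written as a hyphen), as an added Python example that is not part of the course material. It assumes the Apache/nginx "combined" log format with IPv4 client addresses; the sample lines are constructed for the example and the function names are the example's own.

```python
"""Sanity checks to run on web server logs before analysing them (added example).

Assumed format: Apache/nginx "combined", nine fields per line:
  client-ip ident user [date] "request" status bytes "referer" "user-agent"
A '-' means the field is present but empty; a field that cannot be located
at all is reported as missing, which is the distinction the lesson makes.
"""
import re
from datetime import datetime, timedelta

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic): lines 2 and 3 are more than an
# hour apart, and line 4 is written in a different time zone offset.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2020:10:00:01 +0000] "HEAD / HTTP/1.1" 200 0 "-" "python-requests/2.22"
203.0.113.10 - - [12/Mar/2020:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.22"
198.51.100.7 - - [12/Mar/2020:11:30:45 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2020:08:31:00 -0300] "GET /about.html HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"
"""

# Constructed incomplete lines, mirroring the lesson's post-assessment cases.
BAD_LINES = [
    '- - [12/Mar/2020:10:05:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',  # no client IP field
    '203.0.113.10 - - "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',                   # no timestamp field
    '203.0.113.10 - - [12/Mar/2020:10:05:00 +0000] "GET HTTP/1.1" 400 0 "-" "curl/7.68.0"',  # method+version only
    '[10:05:00] 127.0.0.1 - - "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',       # time but no date, loopback IP
]


def parse_line(line):
    """Return a dict for a well-formed combined-format line, else None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["time"], TIME_FMT)  # offset-aware
    entry["status"] = int(entry["status"])
    return entry


def find_gaps(entries, max_gap=timedelta(hours=1)):
    """(previous, current, gap) for consecutive entries further apart than max_gap.
    Offset-aware timestamps are compared, so a change of time zone in the log
    is neither reported as a gap nor as time running backwards."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        gap = cur["ts"] - prev["ts"]
        if gap > max_gap:
            gaps.append((prev["ts"], cur["ts"], gap))
    return gaps


def time_zones(entries):
    """Sorted list of distinct UTC offsets seen; more than one deserves a question."""
    return sorted({e["ts"].strftime("%z") for e in entries})


def tokenize(line):
    """Split on spaces but keep [...] and "..." groups as single fields."""
    return re.findall(r'\[[^\]]*\]|"[^"]*"|\S+', line)


def audit_line(line):
    """List the structural problems of one line (empty list means it looks complete)."""
    problems = []
    tokens = tokenize(line)
    if len(tokens) != 9:
        problems.append(f"expected 9 fields, found {len(tokens)}")
    bracketed = [t for t in tokens if t.startswith("[")]
    if not bracketed:
        problems.append("timestamp field missing")
    else:
        try:
            datetime.strptime(bracketed[0].strip("[]"), TIME_FMT)
        except ValueError:
            problems.append(f"timestamp {bracketed[0]} has no date or a bad format")
    quoted = [t.strip('"') for t in tokens if t.startswith('"')]
    requests = [q for q in quoted if re.match(r"^[A-Z]+ ", q)]
    if not requests:
        problems.append("request line missing")
    else:
        parts = requests[0].split()
        if len(parts) < 3 or not parts[1].startswith("/"):
            problems.append(f"request line {requests[0]!r} has no requested path")
    ips = [t for t in tokens if re.match(r"^\d+\.\d+\.\d+\.\d+$", t)]
    if not ips or ips[0].startswith("127."):
        problems.append("no client IP address (absent or loopback)")
    return problems


if __name__ == "__main__":
    entries = [parse_line(l) for l in SAMPLE_LOG.splitlines()]
    for prev, cur, gap in find_gaps(entries):
        print(f"gap of {gap} between {prev} and {cur}")
    print("time zone offsets seen:", time_zones(entries))
    for line in BAD_LINES:
        print(line, "->", audit_line(line))
```

Run on the sample, the gap check reports only the 1h30m43s hole between the second and third lines; the fourth line, which would look like time running backwards if the offset were ignored, is 15 seconds after the third once the -0300 offset is honoured, and the offset list shows the two zones so you can ask the administrator why. The audit reports each incomplete line with the field that is absent, not merely empty.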


Identifying Web Attacks Through Logs

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.

Instructed By

Igor Vieira
Information Security Analyst
Instructor