To continue this lesson, we'll discuss some issues and mistakes that are common during log analysis.
The first mistake is not knowing your application. It is hard to identify whether a request is an attack if you do not know at least a little about your web application. Knowing your application means knowing the programming language, the technology behind the web server, and any other information related to the web application. This information will lead you to a much better analysis. See this request?
This is only the requested file from the first line of the log. Looks normal, right? A GET request to this PHP page. But what if your server doesn't run PHP? Why would someone be requesting this page? A typical user would not. Now let's analyze the full log of this request: we can see that the server answered 404 Not Found. This is expected behaviour, since this application doesn't have PHP.
If you look for more information about this request, you will find that it is a common request against a WordPress deployment, and there are some vulnerabilities related to this web page. As expected, this application does not run WordPress. If you were a NOC analyst, everything would look fine. For a SOC analyst, this log is suspicious. Since you know the application, you know that PHP is not on this web server, so you can say that this request is malicious, but there is no risk in it.
The classification of this event depends on the company policies. It can be classified as a false positive or as a vulnerability scan.
Sometimes it happens that we will not have enough time to analyze the logs. Maybe your boss wants a fast answer, and maybe you forgot to check all the logs. More logs means more information. One of the points is to confirm that you have enough information in the logs you analyze. Remember to ask for the other logs, such as the error log, too.
Another example is when you have only a small period of logs available, or, if you weren't the web server administrator, maybe you received the wrong logs. Or maybe someone modified the logs. One example that happened before was this: I asked the web server administrator for the logs inside the default log folder. I received a small amount of logs. After talking with the server administrator, he told me that in the company they had changed the log folder. Then I requested the logs from the correct folder and received the logs.
Some important questions: Do I have all the logs? Is it a busy server? A busy web server will have more logs. Is it possible that someone changed the logs? Sending the logs to a remote syslog server reduces this risk. And always check that the logs are the correct ones, like in the example of the different log folder.
Another thing that can happen is that the web server hosts more than one website, and each website can have its own logs. So we need to ask for the correct website's logs. Here things are not simple.
Suppose you receive a large portion of logs to analyze. During your analysis, you see these two lines. Can you identify something wrong with these logs? Let's analyze. We have two different client IP addresses. Both web server answers are 200. The first log line's user agent looks suspicious. The first line's method is HEAD and the second one is GET. Now look at the date and time. If you take a better look at the date and time, you can find something weird: the time between the two lines is more than one hour. If it is a busy server, it is a little hard to believe that the web server did not receive requests for more than one hour. There are many reasons this could happen: a system error, it isn't a busy server, someone deleted the logs, the logs were moved to another file, and so on. Another important thing about the date and time is to check the time zone. It is very common that all the web server logs have the same time zone, but this is not always true.
You always need to confirm that the logs you have are enough and are the correct ones. But it's also possible that you do not have any logs generated, or maybe you have the logs but they are incomplete, or the log configuration is wrong.
As another example, check these logs. Can you tell what is incomplete? In this log you have the time, but you don't have the date. This IP address cannot be the client's, because it is the localhost IP address; it can be the website's IP address. Since we have the time at the beginning of the line and the website IP address, this log looks like an IIS log, but we do not have the client IP address, the user agent or the referer. Even if the log looks good, incomplete logs would make the investigation really hard and inconclusive. If you get a log like this, go to the web server administrator and ask them to configure it better. To summarize, we don't have all of the server fields that we would like to see. This is different from the hyphen. When we have the hyphen, we have the field but we don't have the value. Here even the hyphen is missing, so we do not have the field. It is really missing.
Another problem that can happen is extracting the wrong information. If you understand the log, you will not extract the wrong information. For example, in the first line of the log here you have two IP addresses: one is the client's and one is the web server's. Maybe this log is from Microsoft IIS, but it can also be a different Apache or NGINX log configuration. The second line is from Apache; again, this looks like an Apache or NGINX log. If you extract the wrong information from these logs, the conclusion of your analysis can be wrong. If you have any doubts about the web server logs, talk with your web administrator.
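The three checks from this lesson (a request for a file type your application does not serve, a silence of more than one hour between consecutive lines, and fields that are truly missing rather than filled with a hyphen), as an added example that is not part of the original lesson. It assumes the Apache/NGINX Combined Log Format, a constructed set of sample lines, and a JSP application that does not run PHP; the IIS layout discussed above, with the server and client IP addresses in different columns, is deliberately not parsed here, which is exactly why you confirm the format with the administrator before extracting fields.

```python
"""Checks from this lesson over constructed log lines in Apache/NGINX Combined Log Format."""
import ipaddress
import os
import re
from datetime import datetime, timedelta

# client ident user [dd/Mon/yyyy:hh:mm:ss zone] "METHOD /path HTTP/x.y" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_RE = re.compile(r'\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not from a real server); the application is assumed to be a
# JSP site that does not run PHP or WordPress, so a request for /wp-login.php is out of profile.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "HEAD /index.jsp HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:15:10:41 +0000] "GET /index.jsp HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
"""
INCOMPLETE_LINES = [
    '- - [10/Oct/2023:13:57:00 +0000] "GET /index.jsp HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',  # no client IP
    '198.51.100.23 - - "GET /index.jsp HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',                # no date/time
    '198.51.100.23 - - [10/Oct/2023:13:58:00 +0000] "GET HTTP/1.1" 400 0 "-" "Mozilla/5.0"',  # no requested file
    '127.0.0.1 - - [10/Oct/2023:13:59:00 +0000] "GET /index.jsp HTTP/1.1" 200 10 "-" "-"',   # server IP, not client
]


def parse_line(line):
    """Parse one combined-format line; return None if it is not in that format."""
    m = COMBINED_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], TIME_FMT)  # zone-aware datetime
    parts = entry["request"].split(" ")  # well-formed: METHOD /path HTTP/version
    if len(parts) == 3 and parts[1].startswith("/") and parts[2].startswith("HTTP/"):
        entry["method"], entry["path"], entry["version"] = parts
    else:
        entry["method"], entry["path"], entry["version"] = parts[0], None, None
    return entry


def out_of_profile(entry, app_extensions):
    """Know your application: a request for a file type the app does not serve (.php on a
    JSP site) deserves a look even when the server answered 404."""
    if entry["path"] is None:
        return False
    path = entry["path"].split("?", 1)[0]  # drop the query string
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return ext != "" and ext not in app_extensions


def time_gaps(entries, max_gap=timedelta(hours=1)):
    """Do I have all the logs? A silence longer than max_gap between consecutive lines of a
    busy server suggests missing, moved or deleted logs."""
    gaps = []
    ordered = sorted(entries, key=lambda e: e["time"])
    for prev, cur in zip(ordered, ordered[1:]):
        delta = cur["time"] - prev["time"]  # zone-aware, so different offsets compare correctly
        if delta > max_gap:
            gaps.append((prev["time"], cur["time"], delta))
    return gaps


def missing_fields(line):
    """Incomplete logs: list the fields that are absent from the line. A "-" is a present
    field with no value; a missing field is not there at all."""
    missing = []
    try:
        client = ipaddress.ip_address(line.strip().split(" ", 1)[0])
    except ValueError:
        client = None
    if client is None or client.is_loopback:  # loopback is the server's address, not a client's
        missing.append("client_ip")
    if TIME_RE.search(line) is None:
        missing.append("date_time")
    quoted = re.findall(r'"([^"]*)"', line)
    if not quoted:
        missing.append("request")
    elif quoted[0] != "-":
        parts = quoted[0].split(" ")
        if len(parts) != 3 or not parts[1].startswith("/"):
            missing.append("requested_file")
    if len(quoted) < 3:
        missing.append("referer_or_user_agent")
    return missing


if __name__ == "__main__":
    entries = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]
    print("out of profile:", [e["path"] for e in entries if out_of_profile(e, {"jsp", "css", "js"})])
    for start, end, delta in time_gaps(entries):
        print(f"gap of {delta} between {start} and {end}")
    for line in INCOMPLETE_LINES:
        print("missing", missing_fields(line), "<-", line)
```

The set of extensions passed to out_of_profile is the "know your application" part: it has to come from the people who run the site, not from the logs. The gap threshold is a judgement call that depends on how busy the server is, and missing_fields reports the loopback address as a missing client IP because, as in the IIS example above, a server's own address in that column tells you nothing about who sent the request.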
And as the last point, we will talk about something that is not only related to web server logs. Documenting your findings is not related only to web server log analysis; it is related to handling security incidents in general. You can use whatever you prefer: a text editor, mind maps, or notebooks. I like notebooks for two reasons. First, when you write something down, it's easier to memorize. Second, you know all the information is in one place. Most of the time, I start using a notebook and end up in a text editor. It is up to you to see which one works better for you. Do your documentation so you can use it to answer most of the questions, and at least the who, what and when.
Post-assessment question. Is this statement true or false? Only web browsers send HTTP requests to the web server. This statement is false. As we discussed in this video, there is software that can craft HTTP requests, like curl, telnet, wget, and programming languages.
For the next question, answer yes or no to say whether each log field can be crafted or not. Take your time to answer, and pause the video if you want. Remember that all the log fields related to the client can be manipulated, and the fields generated by the web server cannot be manipulated by the client. For example, the date and time is based on the web server's operating system time.
And for the last question, consider the logs below. Can you tell which fields are missing? You can pause the video if you want. In the first log line, we do not have an IP address, so the client IP address is missing. In the second line, we do not have the date and time information. Could you find what is missing in the last line? The last line is tricky, but if you take a better look at the requested file, you only have the method and the HTTP version. The requested file is missing; I mean, the requested file would be this slash.
In this video, we started by talking about the difference between NOC and SOC analysis. After that we discussed fake requests and crafted HTTP requests. At the end, we gave some examples of issues and common mistakes that can happen during log analysis. Module one is finished. We will start module two with a brief review, then review the attacks that target web applications and go over their components.