Time
2 hours 19 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:00
Now we know about web server logs. Let's learn about web server software. The first will be the Apache web server.
00:08
Apache is open source web server software maintained by the Apache Foundation.
00:14
The default location of the logs is the one shown here for Linux and Windows.
00:20
httpd.conf is the file where you can set the log configuration, including the log format. Here, the default log format.
00:30
You can find more details on the Apache web page.
00:33
Let's understand the log fields on the Apache web server log.
00:38
Here we have all the key fields:
00:40
client IP,
00:42
RFC 1413 user, user ID, date and time, method and so on.
00:49
It is the same format as the previous example
00:53
with different values in the fields.
00:55
Remember, the hyphen means no information for that field.
01:00
Now let's analyze these two lines of logs
01:03
to answer our questions: who, when and what.
01:07
We will use a table to help us identify the key fields.
01:11
Here is the result for the first line.
01:14
All the key fields are present. Now the result for the second line.
01:19
Now we have the answer for who, when and what.
01:23
In addition, we have the referer and the user agent
01:27
after the Apache fields, as you can observe.
01:30
Let's talk about Nginx logs. Nginx is pretty similar to Apache. Here, the default location of its logs,
01:38
and also the default configuration, including the logging.
01:42
nginx.conf contains the log configuration for both Linux and Windows,
01:48
including the log formats.
01:51
Let's understand the Nginx log line.
01:53
A good thing is that Nginx logs look like Apache logs.
01:57
Basically, we have the same fields:
02:00
client IP, RFC 1413 user, user ID, date and time, method, requested file, HTTP version and so on.
02:10
It's always better to practice, so
02:13
let's analyze two lines of logs from Nginx.
02:15
Here the results of the first line,
02:19
followed by the referer and the user agent.
02:23
Remember, the hyphen means no information for that field. So in this line we don't have the referer.
02:29
And the result for the second line
02:31
with the referer and the user agent.
02:35
Now we can answer the who, when and what.
02:38
Our next web server will be Microsoft IIS. Microsoft IIS is a little different from the other two, but this will not be a problem. Here, the default log location.
02:51
All the server configurations, including logging,
02:53
are made in IIS Manager,
02:57
a graphical user interface. As information, the log options for IIS look like this.
03:02
Even if the log looks a little different, it should contain all the needed log fields.
03:09
Let's understand the IIS log.
03:13
Here you have an example of an IIS log.
03:15
First we have the date and time.
03:19
Next
03:20
is the web server IP address,
03:23
followed by the HTTP method.
03:25
We have the requested file,
03:28
followed by a specific space for the URI query.
03:31
The server port is 80, so it should be HTTP requests. Remember that 80 is common for HTTP and 443 is common for HTTPS.
03:44
Next, the user name, which is the same as the user ID,
03:49
client IP address, user agent,
03:52
referer,
03:53
status code,
03:55
sub-status codes, which are Windows-related fields, and the time taken to answer the request.
04:01
We have more fields, right? But we have all the needed fields.
04:06
Now let's analyze two lines of logs from IIS.
04:11
We need to change our table a little.
04:14
Filling the table, we have the result.
04:15
See, not so different from Apache and Nginx.
04:20
Now the second line. If you want to try, pause the video and answer.
04:26
Here, the results of the second line.
04:29
One of the differences is the server port.
04:31
It is possible to have this field in Apache and Nginx.
04:35
It is also possible to have two different log lines, one for TCP port 80 and another for TCP port 443.
04:45
Not only the access log file can be used to analyze the web server. There are other log files. One good example is the error log file.
04:55
It is like debug information.
04:57
All the web server software contains an error log file. Here, some examples of locations
05:03
for Nginx, Apache and IIS.
05:08
Check the web page of each one to look for more information about error logs. Here, the address about the error log in Apache.
05:15
To make things clear, these two logs are from a web server.
05:20
The first is an error log and the second is the related access log.
05:26
Both logs were generated by the same request.
05:30
The access log line will have the client request, and the error log will have the debug information about the request.
05:38
You can find similar information in both logs, like the client IP address, the requested file and the method.
05:45
So if you don't have enough information on the access log, you can look at the error log.
05:50
It could be really helpful during the analysis.
05:54
As the first practice, a simple question:
05:56
which of the options below are examples of information provided by the web server logs?
06:01
You can pause the video if you want.
06:03
The answer is A,
06:06
C,
06:08
E and G.
06:10
Here, the description of each option.
06:14
For the next question, extract the information from the logs below into the table.
06:18
Here you have the answer
06:20
to our questions: who, when and what.
06:25
In addition, it is important to identify which web server generated these logs.
06:30
The first log is from IIS. The second one looks like an Apache or Nginx log.
06:38
To solve this question, it's better to ask the server admin. In this case, the log is from our Nginx server.
06:46
It is common for a company to have different flavors of web servers in the same company. You can find Apache, Nginx and IIS. That's why it's important to know the main software. Even if the software is different, you need to find this information.
07:03
As a summary: in this video, we started by defining what logs are and their patterns,
07:10
then explained the fields in the web application log
07:13
and the web server log. And finally, we went through Apache, Nginx and IIS logs, showing how to get the information from the log fields.
07:23
To finish, we talked about error logs and how they can help us during the analysis.
07:29
In the next video, you'll see some considerations about log analysis. We'll talk about fake requests and the difference between a knock and a soft analysis.
07:39
And we will point out some mistakes that can happen when you do the web log analysis.
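As an added example (not code from the video or the course), here is a small Python parser that reads the two log shapes discussed in the lesson, an Apache/Nginx combined-format line and an IIS W3C log with its `#Fields:` header, and maps each into the same who/when/what record, treating the hyphen as "no information". The sample log lines are constructed for this example; the field names follow the formats named in the video.

```python
import re
from datetime import datetime, timezone

# Apache/Nginx "combined" format: client IP, RFC 1413 ident, user ID, [date/time],
# "request line", status, bytes, "referer", "user agent". A "-" means no information.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$')

def dash(value):
    """The hyphen means no information for that field, so map it to None."""
    return None if value in (None, "-") else value

def parse_combined(line):
    """One Apache/Nginx access-log line -> who/when/what record, or None if unparsable."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    return {"who": m["ip"], "user": dash(m["user"]),
            "when": datetime.strptime(m["when"], "%d/%b/%Y:%H:%M:%S %z"),
            "what": f'{m["method"]} {m["path"]}', "status": int(m["status"]),
            "referer": dash(m["referer"]), "agent": dash(m["agent"]), "port": None}

def parse_iis_w3c(lines):
    """IIS W3C log: the #Fields: header names the columns of the space-separated rows."""
    fields, records = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        else:
            row = dict(zip(fields, line.split()))
            query = dash(row.get("cs-uri-query"))
            when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            records.append({"who": row["c-ip"], "user": dash(row.get("cs-username")),
                            "when": when.replace(tzinfo=timezone.utc),  # IIS logs in UTC by default
                            "what": f'{row["cs-method"]} {row["cs-uri-stem"]}' + (f"?{query}" if query else ""),
                            "status": int(row["sc-status"]), "referer": dash(row.get("cs(Referer)")),
                            "agent": dash(row.get("cs(User-Agent)")), "port": int(row["s-port"])})
    return records

# Constructed sample lines (not taken from the video); the IIS referer field is absent ("-") on purpose.
APACHE_LINE = '203.0.113.5 - alice [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"'
IIS_LINES = ["#Software: Microsoft Internet Information Services",
             "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
             "2023-10-10 13:55:36 192.0.2.10 GET /login.aspx user=bob 443 - 203.0.113.5 Mozilla/5.0 http://example.test/ 302 0 0 15"]
```

Running `parse_combined(APACHE_LINE)` and `parse_iis_w3c(IIS_LINES)` yields records with the same keys, so the who/when/what table can be filled the same way regardless of which server wrote the line.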

Up Next

Identifying Web Attacks Through Logs

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.

Instructed By

Igor Vieira
Information Security Analyst
Instructor