Hands-On Network Forensics
上QQ阅读APP看书,第一时间看更新
上一章目录下一章

Application server logs

As we saw in the previous scenario, the first point of attack was the externally-hosted application server. Let's see what sort of logs are generated by common application servers, such as Apache and NGINX, and what we can deduce from those logs:

In the preceding screenshot, we can see the Apache access logs file that reside mostly on the /var/log/apache2/access.log path. We can see a variety of incoming requests to the application. However, we can see that the logs are kept in a particular format, which is the IP address followed by the date and time, request type, requested resource file, HTTP version, response code, response length, and user agent. Since the user agent of the previous request is DirBuster, this denotes that the attacker is using DirBuster to scan the directory for interesting paths and to find hidden directories on the web application. A similar set of logs is available in the error.log file:

However, this log file contains entries that requests have generated errors. As we can see, the errors mostly contain permission-denied errors, which will result in a 403 response status, which means that the requested resource is forbidden. Looking at a raw log file doesn't make much sense to us, and it will be a pain to investigate logs even if the file is as small as 10 MB. Therefore, to further investigate and drill down to the conclusions, we will use automated tools, such as Apache Logs Viewer (https://www.apacheviewer.com/features/):

Let's analyze the logs by adding the access/error log files to the software:

We can see that as soon as we open the log file, the software asks us to define any additional options, such as LogFormat and Date Range. Choose Common (default) for this analysis and press OK to continue:

We can see that we have the log file parsed with ease and we can now apply various filters to it, such as only listing packets from a particular IP or the response status with a particular response code. We will make use of Apache Logs Viewer more in the upcoming chapters and exercises.

We can also add the file remotely using the credentials if you have a licensed copy of the log viewer, which can be purchased from Apache Logs Viewer website at https://www.apacheviewer.com/unlock/ .
上一章目录下一章