Log file analysis
This module allows easy and thorough investigation of plain text log files
from various sources, such as the access logs of the Apache and Microsoft IIS
web servers. The log file is represented in a grid (comparable to a Microsoft
Excel worksheet). Only plain text log files can be analysed, which covers most
log files; binary log formats are not supported. Each line in the log file
becomes a row in the grid, and each line is split on spaces, so the result is a
grid with multiple columns. Because the split is purely on spaces, a field that
itself contains spaces (for example the quoted request line or user agent in the
Apache combined format) ends up spread over several columns.
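The following is an added example, not code from the module itself. It builds the grid the way the module describes (one row per line, one column per space-separated token, rows padded to equal width), shows the quote-aware alternative that keeps the Apache request line and user agent in one column, and extracts the IPv4 addresses that the module would show in blue as clickable internet resources. The two log lines are constructed sample data using documentation IP ranges; `split_quote_aware` is an assumed refinement, not a feature the page describes.

```python
"""Split plain text web server log lines into a grid (added example)."""
import re
import shlex

# Constructed sample data: one Apache combined-format line and one IIS W3C line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"
2023-10-10 13:55:37 192.0.2.10 GET /default.htm - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 15
"""

# Candidate IPv4 token; octet range is checked separately in is_ipv4().
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def split_on_spaces(line):
    """The module's rule: every run of whitespace separates two columns."""
    return line.split()


def split_quote_aware(line):
    """Assumed refinement (not the module's behaviour): keep double-quoted
    fields such as the Apache request line and user agent in one column.
    Falls back to plain splitting when a line has an unbalanced quote."""
    try:
        return shlex.split(line, posix=True)
    except ValueError:
        return line.split()


def build_grid(text, splitter=split_on_spaces):
    """Return a list of rows, one per non-empty line, each a list of column
    values. Shorter rows are padded with "" so every row has the same width."""
    rows = [splitter(line) for line in text.splitlines() if line.strip()]
    width = max((len(row) for row in rows), default=0)
    return [row + [""] * (width - len(row)) for row in rows]


def is_ipv4(token):
    """True when token is a dotted quad with every octet in 0..255."""
    if not IPV4_RE.fullmatch(token):
        return False
    return all(0 <= int(octet) <= 255 for octet in token.split("."))


def find_ip_addresses(grid):
    """Collect the IPv4 addresses found anywhere in the grid, as a sorted list.
    These are the 'internet resources' a viewer would make clickable."""
    found = set()
    for row in grid:
        for cell in row:
            for match in IPV4_RE.findall(cell):
                if is_ipv4(match):
                    found.add(match)
    return sorted(found)


if __name__ == "__main__":
    grid = build_grid(SAMPLE_LOG)
    print(len(grid), "rows x", len(grid[0]), "columns (split on spaces)")
    print(len(build_grid(SAMPLE_LOG, split_quote_aware)[0]),
          "columns for the Apache line when quotes are respected")
    print("IP addresses:", find_ip_addresses(grid))
```

With plain space splitting the Apache line occupies 15 columns and the IIS line 14 (padded to 15); the quote-aware splitter reduces the Apache line to 10 columns, which is what you want when filtering on the request path or user agent as a single value.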
Filters can be set to view only a subset of relevant data. The log file data can be searched for known hacking signatures to quickly find the lines related to an intrusion or intrusion attempt. Every internet resource found in the log file can be clicked to start an in-depth analysis with the “deep analysis” module. For example, the IP address of the client used to gain access to a web server can be analysed to identify the attacker.
In this example, we assume that you have part of a log file at hand, which you need to investigate. Paste the log file contents (or part of the log file) in the “log file analysis” module and click the “Start analysis” button. The analysis can take anywhere from 10 seconds (for a few lines) to several minutes (for thousands of lines), depending on the size of the pasted text.
Once the analysis is complete, the grid is shown.

Only a limited number of lines is shown on the page. Click
on the Page numbers below the grid to go to other pages. You can change the
number of lines displayed on a page.
Each internet resource which is found in the log file contents, is displayed in
blue and can be clicked. By clicking the internet resource, an in-depth analysis
of this resource is started using the “deep internet resource analysis” module.
Columns and rows without useful information can be deleted. Select the rows
and/or columns to delete by clicking their checkboxes, then click “Remove
selected rows & columns”.
The log file contents can be sorted by clicking the arrow icons in the column
headers.
If a port number is found in the log file content, the protocol conventionally assigned to that port is displayed in orange. The question mark icon next to the protocol abbreviation can be clicked to view detailed information.

Note that on a compromised (hacked) system any kind of software, including
backdoors, viruses, worms and Trojans, might be running, and such software can
listen on any port. A system administrator might also decide to run any service
on a non-standard port.
The port information is therefore only an indication, and is only reliable on a
non-compromised system with default software installations.
The “log file analysis” module contains a list of over 100 common attack signatures, primarily for web servers. An attack signature is a string of characters that is likely to appear in a log line when an intrusion or hacking attempt was made. By clicking “Show attack signatures”, all known attack signatures found in the log file contents are displayed in red.

The question mark next to each attack signature found can be clicked to see a
description of the attack signature and the operating system to which it most
likely applies.
Here is a table of a few attack signatures for which the log file contents are
searched:
| Signature | Description | Operating system |
|---|---|---|
| PROPFIND | Uncommon HTTP request method. Possible attempt to reveal the methods supported by the web server. | All |
| HEAD | Uncommon HTTP request method. Possible attempt to abuse the HTTP protocol. | All |
| PUT | Uncommon HTTP request method. Possible attempt to upload a file to the web server. | All |
| htaccess | Attempt to access the Apache per-directory configuration file used for password authentication. | Linux |
| system32 | Possible attempt to access Windows operating system executables. | Windows |
Note that a match with one or more attack signatures does not necessarily mean
that an attack was attempted, let alone that it succeeded; a signature is a
substring match and can hit on legitimate requests as well. Additional
investigation of the related log file lines is needed.
The operating system to which an attack signature applies is only an indication.
For example, the Apache web server (which originated on Unix-like systems) also
runs on Windows, and Linux commands can also be executed on Windows systems on
which, for example, Cygwin (http://www.cygwin.com) is installed.
Filters can be applied to the log file content in order to narrow down your
search for relevant information. A filter is not case sensitive. It can be
applied to one or more columns as follows:
1. Select at least one column by clicking the checkbox in the column header
2. Enter a filter (e.g. an IP address or a keyword) in the filter text box
3. Select an “include” or “exclude” filter. An include filter will show only log
file lines that match the filter. An exclude filter will hide all log file lines
that match the filter.
4. Click on the “Add filter” button to apply the filter
The filters are shown below the log file lines. A filter can be removed as
follows:
1. click the checkbox to the left of the filter
2. click on “Remove selected filters”
Note that by removing a filter, all lines that were hidden due to the filter
will be displayed again.
Multiple filters can be combined to narrow down a search. A typical scenario
using filters might be the following:
1. Apply an include filter on the request column with the name of the web page
that was the subject of a defacement attack (web page content was altered by
an attacker).
2. Apply an exclude filter to hide log file lines that are not suspicious
(e.g. log file lines with the GET method, since a defacement requires a
request that modifies content).
3. Once the log file line indicating the first attack attempt is found, apply
an include filter on the client IP column with the IP address of the client
PC (the origin of the attack).
4. Only lines generated by the attacker are now visible and can be analysed in
detail to reconstruct the attack.