Examining Logs For Beginners by P4RS

Posted by Dolyetyus (Special Member), 21 April 2020
Examining Logs For Beginners

Hello everyone. Today I will try to show you how to review logs at a beginner level. First I will explain what a log is, then which kinds of systems are used to collect logs, and finally what an attack looks like in the logs.

What is a Log?

A log is a record of the actions that occur on an information system. When you log in to a site, for example, a log entry is created; from it, information such as your IP address and the time you logged in can be recovered.
So why are these logs kept? First, to find the cause of problems on the network or on the system, such as a slowdown during an attack or a fault in the system. The most important reason, however, is legal: logs must be kept so that any unlawful activity can be investigated afterwards.
How do we collect these logs from our systems? This is where SIEM comes into play.

What Is SIEM (Security Information and Event Management)?

SIEM systems collect log records from many sources, store them centrally and analyze them. Collecting and analyzing logs matters because it is the analysis that tells us where a problem originated and where, when and how an attack took place. SIEM products can also alert you automatically according to the correlation rules you define.

Below I list some tools you can use to analyze logs. Then I will show how to set one of them up and use it to analyze two example attacks.


OSSEC

OSSEC is an open-source host-based intrusion detection system (HIDS). It provides file integrity checking, log analysis, Windows registry monitoring, time-based alerting and active response (an automatic reaction to an alert, such as blocking an IP address). You can visit https://www.ossec.net for more information.


SPLUNK

Splunk is a log management and SIEM platform that collects logs from servers, network devices and applications, stores and indexes them, and lets you search, analyze and visualize them. For more information, you can visit https://www.splunk.com

APACHE LOGS VIEWER

Apache Logs Viewer helps you analyze and examine web server log files quickly. It includes many types of report, but the reports are a paid feature. For example:

• Visits by IP
• Hit counts
• Visits by country
• Traffic sources
• Search visits
• Bandwidth
• Operating system

There are many reports like the ones above. For more information, you can visit https://www.apacheviewer.com.


GOACCESS

GoAccess is an open-source web log analyzer. It offers both a terminal (console) view and an HTML report that can be served as a web page, and it can analyze logs in real time. For more information, you can visit https://goaccess.io


EVENT LOG EXPLORER

Event Log Explorer is software for viewing, filtering and analyzing the event logs recorded by Windows operating systems. It makes reviewing the logs easy and presents the information in a form that users can understand. For more information, you can visit https://eventlogxp.com

In this tutorial, I will install OSSEC on a Linux system and do all of the work from there.


Installing OSSEC on Linux

First, download the OSSEC release used in this tutorial (2.9.0) from the GitHub repository with this command. Newer releases exist; whichever version you pick, compare the archive against the checksum published on the project's download page before running its install script as root.
Code:
wget https://github.com/ossec/ossec-hids/archive/2.9.0.tar.gz


After the download completes, extract the archive:
Code:
tar -xvzf 2.9.0.tar.gz


Change into the extracted directory:
Code:
cd ossec-hids-2.9.0

Then run the installer (it writes to /var/ossec and needs root, hence sudo):
Code:
sudo sh install.sh

It first asks which language to use for the installation; type en.


The first question asks what kind of installation you want; answer local (a single host that analyzes its own logs). The next question asks where to install; press Enter to accept the default directory, /var/ossec, which the rest of this tutorial assumes. Answer the e-mail notification question (3.1) with N; we will configure it by hand later.


Answer Y to all of questions 3.2 through 3.6 (integrity checking, rootkit detection, active response and the remaining options). Note that active response makes OSSEC block addresses that trigger certain rules automatically; that is fine on a lab machine, but keep it in mind before you run attacks against it from another host.


The installer then lists the log files it will monitor; press Enter to continue.


The script now compiles and installs OSSEC by itself; do not press anything while it runs.


Press Enter once more to finish the installation.



Adjusting the Settings of OSSEC

A few settings remain; once they are done, OSSEC is ready to use.

To configure e-mail notifications, open the main configuration file:
Code:
sudo nano /var/ossec/etc/ossec.conf


The <global> section at the top of the file holds the e-mail settings (the original post shows the defaults in a screenshot). Change it to the following:
Code:
<global>
    <email_notification>yes</email_notification>
    <email_to>root@localhost</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@localhost</email_from>
</global>

This configuration hands alerts to an SMTP server on the local machine (127.0.0.1) and delivers them to the local root mailbox, so it only works if a mail transfer agent is listening on port 25 of the host. If you want the alerts sent somewhere else, put a real mailbox in email_to and your mail server in smtp_server.


After changing the settings, save the file with Ctrl+O and leave nano with Ctrl+X. Then restart OSSEC so that it reads the new configuration:
Code:
sudo /var/ossec/bin/ossec-control restart



OSSEC Web User Interface Setup

Download the web UI from its GitHub repository:
Code:
wget https://github.com/ossec/ossec-wui/archive/master.zip
When the download finishes, extract the zip file:
Code:
unzip master.zip


Move the extracted directory into Apache's document root (this and the following steps write to system directories, so they need root):
Code:
sudo mv ossec-wui-master /var/www/html/ossec
Change into that directory to run the setup script:
Code:
cd /var/www/html/ossec
Then start the setup:
Code:
sudo ./setup.sh
The script asks for a username and password that will protect the web interface; choose a strong one, because whoever can open this page can read all of your alerts. When the setup is finished, restart the Apache service:
Code:
sudo systemctl restart apache2


Open your browser and go to
Code:
http://localhost/ossec
and you will see the web user interface. Keep it reachable only from localhost or a trusted network; it is a view of your alerts and does not belong on the public internet.



Examining Logs For Beginners

Brute Force Attack

A brute force attack tries to discover a valid username and password for a system. The attacker prepares lists of candidate usernames and passwords and tries them, pair by pair, against the login screen of the target. The tool reports any pair that logs in successfully and otherwise moves on to the next entry in the lists. Because trying the lists by hand would take a very long time, the process is automated with various tools.

For this example I installed WordPress on my system and attempted a brute force attack on its login screen. First, here is the OSSEC screen before the attack, with the current alerts (screenshot in the original post).


The attack can be carried out with Burp Suite or another tool; I used Burp Suite. While the brute force attack runs against the login screen, look carefully at the alerts appearing on the OSSEC screen (screenshot in the original post).


You can tell that this is a brute force attack: the same client IP sends POST requests to the login page many times within a few seconds, far faster than a person can fill in and submit a login form, and every attempt has the same shape. You can report with high confidence that this is a brute force attack.


SQL Injection

SQL injection is an attack in which the attacker adds their own SQL to the queries an application sends to its database, in order to gain unauthorized access. By exploiting a flaw in the application (user input concatenated into a query without validation or parameterization), the attacker's SQL becomes part of the query the database executes. With these injected statements, data in the database can be read out, modified or deleted.

I installed DVWA on my Linux system, entered SQL fragments on the SQL Injection page, and now we can look at the log records together (screenshots in the original post).


When you look at the log records, you can see that the injected query was sent with the GET method: DVWA's SQL Injection page passes the id parameter in the URL, so the attacker's SQL fragment (URL-encoded quotes and all) ends up in the request line of the web server's access log, which is exactly what OSSEC is reading. Many other types of attack are logged as well, but I have shown you two. If there is interest, I can add other types of attack, so leave some comments. The tutorial ends here; hope to see you in another topic...
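As an added example, not code from the original post or from OSSEC, here is a small Python script that applies both judgements made above to Apache access log lines in the combined format (the format OSSEC reads from a file such as /var/log/apache2/access.log on Debian or Ubuntu, assuming the installer detected it): it flags a client IP that POSTs to the WordPress login page at least a set number of times inside a sliding time window, and flags GET requests whose URL-decoded query string contains SQL fragments such as the 1' or '1'='1 from the DVWA example. The log lines are constructed for the example, the 10-requests-in-60-seconds threshold and the signature list are illustrative choices, and the function names (parse_line, detect_bruteforce, detect_sqli, analyze) are mine, not OSSEC's.

```python
"""Added example: a small detector that applies the two judgements above
(POST bursts against a login page, SQL fragments in GET query strings)
to Apache access log lines. The log lines below are constructed for the
example; the thresholds and SQLi patterns are illustrative choices."""
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Deliberately small signature set; a real rule set (OSSEC's web attack
# rules, a WAF) is much broader and also handles encodings this misses.
SQLI_PATTERNS = [
    r"\bunion\b.+\bselect\b",          # UNION-based data extraction
    r"'\s*(or|and)\b",                 # quote breaking out of a string literal: ' or '1'='1
    r"\b(or|and)\b\s+\d+\s*=\s*\d+",   # unquoted tautology: or 1=1
    r"--\s*(&|$)",                     # SQL comment used to discard the rest of the query
    r"\b(sleep|benchmark)\s*\(",       # time-based blind injection
]
SQLI_RE = re.compile("|".join(SQLI_PATTERNS), re.IGNORECASE)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], TIME_FMT)
    return entry


def detect_bruteforce(entries, login_path="/wp-login.php", threshold=10, window=60):
    """Map client IP -> peak number of POSTs to login_path inside any `window`-second
    span, for clients that reached `threshold`. Entries must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of its POSTs still inside the window
    flagged = {}
    for e in entries:
        if e["method"] != "POST" or urlsplit(e["path"]).path != login_path:
            continue
        q = recent[e["ip"]]
        q.append(e["time"])
        while (q[-1] - q[0]).total_seconds() > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(q))
    return flagged


def detect_sqli(entries):
    """List (ip, decoded query string) for GET requests whose query matches SQLI_RE."""
    found = []
    for e in entries:
        if e["method"] != "GET":
            continue
        query = unquote_plus(urlsplit(e["path"]).query)   # decode %27 -> ' and + -> space
        if query and SQLI_RE.search(query):
            found.append((e["ip"], query))
    return found


def analyze(lines):
    """Parse raw log lines and run both detectors; unparseable lines are skipped."""
    entries = [e for e in map(parse_line, lines) if e]
    return detect_bruteforce(entries), detect_sqli(entries)


def _line(ip, ts, method, path, status):
    # Helper that builds one constructed combined-format log line.
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log: one normal visitor, a 12-request login burst from
# 10.0.0.5 (WordPress answers a failed login with 200, so the status code
# alone is no signal), and a DVWA request carrying 1' or '1'='1 in id.
SAMPLE_LOG = [
    _line("192.168.1.20", "21/Apr/2020:09:59:58 +0000", "GET", "/", 200),
    *[_line("10.0.0.5", f"21/Apr/2020:10:00:{s:02d} +0000", "POST", "/wp-login.php", 200)
      for s in range(12)],
    _line("192.168.1.20", "21/Apr/2020:10:00:30 +0000", "GET", "/wp-login.php", 200),
    _line("10.0.0.7", "21/Apr/2020:10:01:00 +0000", "GET",
          "/dvwa/vulnerabilities/sqli/?id=1%27+or+%271%27%3D%271&Submit=Submit", 200),
    _line("192.168.1.20", "21/Apr/2020:10:01:30 +0000", "GET",
          "/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit", 200),
    "this line is not in combined format and is skipped",
]

if __name__ == "__main__":
    brute, sqli = analyze(SAMPLE_LOG)
    for ip, n in brute.items():
        print(f"brute force: {ip} sent {n} POSTs to /wp-login.php within 60 s")
    for ip, query in sqli:
        print(f"sql injection: {ip} query string {query!r}")
```

Run it as-is to see both findings printed. The brute force detector works from timestamps and request counts rather than status codes, for the reason given in the comment; in OSSEC the equivalent is a rule with frequency and timeframe attributes that fires when the same source IP triggers a web login rule repeatedly, and the SQLi check corresponds to OSSEC's web attack rules, which match far more patterns and decode more encodings than this toy does.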




Source: https://www.turkhackteam.org/adli-bilisim/1901015-baslangic-seviyesinde-log-kayitlarini-inceleme-p4rs.html
Translator: Dolyetyus

 