Seci-log 1.03 log analysis software adds Web log analysis

Source: Internet
Author: User
Tags: SQL injection attack

In this upgrade of the log analysis software, on top of the previous 10 alarm types (access outside office hours, access from an unusual location, password guessing, account guessing, successful account guessing, sensitive file operations, high-risk command operations, host scan, port scan and illegal outbound connection), we add alarms for SQL injection, XSS attack, path traversal, Webshell, website sensitive file access and CC attack.

SQL injection

The following alarms are generated from the Web server log. The supported log format is Apache's NCSA format, in both its NCSA Common Log Format (CLF) and NCSA Extended Log Format (ECLF) variants; these are the default formats of Apache and Tomcat respectively.

Log file collection uses a new configuration file, file.properties, located in the same directory as application.properties. Its contents are as follows:

file.ip=192.168.1.1
file.fullname=d:/develop/secilog-win/tomcat/logs/localhost_access_log*.txt

The first item, file.ip, gives the IP address of the server that produced the log, because a Web log contains no server information of its own. The second item, file.fullname, gives the absolute path of the log file; both a full file name and a partial name with a wildcard are supported. Some logs are never split and stay in a single file, while others are split so that each day produces a new file; both layouts are supported. The program only processes the log file with the most recent modification time on the current day and does not process historical files. If the log is not split, the history file may grow large; it is recommended to back it up and then delete part of it.
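As an added example (not part of the original post or of the Seci-log product itself), here is a small Python parser for the two formats the collector reads; the sample lines are constructed, and the regex keeps the ECLF referer and user-agent fields optional so one pattern handles both CLF and ECLF.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# NCSA Common Log Format (CLF) with the two extra quoted fields of the Extended
# format (ECLF: referer and user-agent) made optional, so one pattern covers both.
NCSA_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

def parse_ncsa(line):
    """Parse one CLF/ECLF access-log line into a dict, or return None if it matches neither."""
    m = NCSA_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["time"] = datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z")
    f["status"] = int(f["status"])
    f["size"] = 0 if f["size"] == "-" else int(f["size"])
    # The detectors inspect the request target. Decode %xx escapes so that
    # "%20and%202011%3d2011" reads " and 2011=2011". Only the URL (GET parameters)
    # is ever logged here; a POST body never reaches the access log.
    f["path"] = unquote(f["target"])
    return f

def parse_log(lines):
    """Parse a batch of lines, skipping any that match neither format (e.g. a torn write)."""
    return [f for f in map(parse_ncsa, lines) if f]

# Constructed sample lines: one in CLF (Apache's default) and one in ECLF (Tomcat's
# default), plus a line of garbage the parser must skip.
SAMPLE_LINES = [
    '192.168.1.50 - - [18/May/2015:14:39:01 +0800] '
    '"GET /1001321%20and%202011%3d2011_1002024_1321856134658.htm HTTP/1.1" 404 219',
    '192.168.1.50 - - [18/May/2015:14:39:05 +0800] '
    '"GET /?file=../../../../etc/passwd HTTP/1.1" 200 512 "http://example.test/" "Mozilla/5.0"',
    'not an access log line',
]
```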

SQL injection is one of the common means by which attackers compromise databases. With the spread of B/S (browser/server) application development, more and more programmers use this model to write applications. Because programmers' skill and experience vary, a large amount of code is written without checking the legality of user input, which leaves the application exposed. A user can submit database query code and, from the results the program returns, obtain data he is not meant to see; this is called SQL injection.

SQL injection is judged from the URL parameters by looking for SQL statement features such as "and". Detection from the log alone is not very accurate and should be used only as an auxiliary reference. Moreover, the log records only GET requests; for POST requests it is powerless, and other means are needed to capture that behaviour accurately. To reduce false positives, the system raises an alarm only when records matching the features occur more than three times within three minutes.

Verification process: enter a parameter with SQL features in the URL, for example by requesting the following link three times:

/1001321%20and%202011%3d2011_1002024_1321856134658.htm

Wait a few minutes to see the following alarm:

[screenshot: SQL injection alarm in the alarm list]

View Details:

[screenshot: SQL injection alarm details]

This indicates that a SQL injection attack alarm has been generated.

XSS attack

XSS attack: cross-site scripting (Cross Site Scripting). To avoid confusion with the abbreviation for Cascading Style Sheets (CSS), cross-site scripting is abbreviated XSS. XSS is a computer security vulnerability that often appears in Web applications; it allows a malicious Web user to embed code, such as HTML and client-side script, into pages that are served to other users. An attacker can use an XSS vulnerability to bypass access controls such as the same-origin policy. This type of vulnerability is widely known because it is used to build more damaging phishing attacks.

The verification process is to enter JavaScript content in the URL, for example by requesting the following three times:

/test.asp?article=<script>alert ("Test") </script>

Wait a few minutes to see the following alarm:

[screenshot: XSS attack alarm in the alarm list]

View Details:

[screenshot: XSS attack alarm details]

Illegal access (file inclusion and path traversal)

Directory traversal vulnerabilities go by many names, such as information disclosure vulnerability or unauthorized file inclusion vulnerability. Directory traversal is a common attack against Windows IIS and Apache that can allow an attacker to access restricted directories, extract directory information by running CMD.EXE /C commands, or execute commands outside the Web server's root directory.

A directory traversal vulnerability may exist in the Web server software itself or in a Web application. Directory traversal attacks are relatively easy to carry out: the attacker needs only a Web browser and knowledge of where the system's default files and directories are.

The verification process is to enter file-operation content in the URL, for example by requesting the following three times:

/?file=../../../../../../../../../etc/passwd

[screenshot: path traversal alarm in the alarm list]

View Details:

[screenshot: path traversal alarm details]

Sensitive file access

Sensitive file access is similar to the illegal access alarm above, except that the files of concern are different: sensitive files are mainly Web service configuration files, source code files and the like.

The verification process is to enter the name of a program configuration file in the URL, for example by requesting the following three times:

/?file=../applicationcontext.xml

[screenshot: sensitive file access alarm in the alarm list]

View Details:

[screenshot: sensitive file access alarm details]

Webshell

A Webshell is a command execution environment in the form of an ASP, PHP, JSP or CGI file; it can also be called a Web backdoor. After breaking into a website, attackers usually mix these ASP or PHP backdoor files in with the normal page files in the Web server's web directory. They can then open the backdoor with a browser and obtain a command execution environment, thereby controlling the Web server (uploading and downloading files, viewing the database, executing arbitrary commands, and so on).

The verification process is to enter a common Webshell file name in the URL, for example by requesting the following three times:

/cmd.asp

[screenshot: Webshell alarm in the alarm list]

View Details:

[screenshot: Webshell alarm details]

CC attack

The principle of a CC attack is that the attacker controls a number of hosts that keep sending large volumes of requests to the target server until the server runs out of resources and crashes. CC mainly targets pages: everyone has experienced that when a page is accessed a very large number of times, it opens slowly. CC simulates many users (as many users as there are threads) that constantly request pages needing heavy data processing (that is, a lot of CPU time), wasting server resources, keeping the CPU at 100% for long periods and leaving connections permanently in progress until the network is congested and normal access is cut off.

The product detects an attack when the same IP address makes more than 1000 requests within 3 minutes, which indicates a CC attack. False positives are possible here: a proxy or a shared outbound address may trigger one, so it is necessary to analyse whether the attacking IP is a proxy IP.

The verification process is to generate a large number of requests in a short time. Because of the current test environment, when we ran the simulation tool the policy was set to alarm at more than 60 requests; the actual program alarms at more than 1000.
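The threshold rules described in the SQL injection section (three matching records within three minutes) and in this CC section (more than 1000 requests from one IP within three minutes, 60 in the test setup) as one added Python example that is not the product's own code; it assumes already parsed, URL-decoded request paths, the signature patterns are illustrative assumptions rather than Seci-log's rules, and the events are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Decoded request-path signatures for the new alarm categories, modelled on the page's
# verification inputs (names beyond applicationcontext.xml and cmd.asp are assumptions).
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)\b(?:and|or)\b\s+\S+\s*=\s*\S+|union\s+select"),
    "xss": re.compile(r"(?i)<script|javascript:|\bon\w+\s*="),
    "path_traversal": re.compile(r"\.\.[\\/]"),
    "sensitive_file": re.compile(r"(?i)applicationcontext\.xml|web\.xml|web\.config|\.properties\b"),
    "webshell": re.compile(r"(?i)/(?:cmd|shell)\.(?:asp|php|jsp)$"),
}
WINDOW = timedelta(minutes=3)   # the page uses a 3-minute window for every alarm type
DEFAULT_THRESHOLD = 3           # signature hits per IP in the window (page: three repeats)
CC_THRESHOLD = 1000             # requests per IP in the window (page: more than 1000)

class WindowDetector:
    def __init__(self, cc_threshold=CC_THRESHOLD):
        self.cc_threshold = cc_threshold
        self.hits = defaultdict(deque)   # (ip, category) -> timestamps inside the window

    def feed(self, ip, ts, path):
        """Feed one request in log order; return the (category, ip) alarms it triggers."""
        cats = [c for c, rx in SIGNATURES.items() if rx.search(path)]
        cats.append("cc_attack")         # every request counts toward the rate check
        alarms = []
        for cat in cats:
            q = self.hits[(ip, cat)]
            q.append(ts)
            while ts - q[0] > WINDOW:    # expire hits that fell out of the window
                q.popleft()
            limit = self.cc_threshold if cat == "cc_attack" else DEFAULT_THRESHOLD
            if len(q) >= limit:
                alarms.append((cat, ip))
                q.clear()                # alarm once per burst, then count afresh
        return alarms

def run(events, cc_threshold=CC_THRESHOLD):
    """Replay (ip, timestamp, decoded path) events and collect every alarm raised."""
    det = WindowDetector(cc_threshold)
    return [a for ip, ts, path in events for a in det.feed(ip, ts, path)]

# Constructed events mirroring the page's tests: three SQL-feature URLs within a minute,
# two traversal URLs five minutes apart (too far apart to alarm), sixty plain requests.
T0 = datetime(2015, 5, 18, 14, 39)
EVENTS = (
    [("10.0.0.7", T0 + timedelta(seconds=s), "/1001321 and 2011=2011_1002024_1321856134658.htm") for s in (0, 20, 40)]
    + [("10.0.0.8", T0 + timedelta(seconds=s), "/?file=../../../etc/passwd") for s in (0, 300)]
    + [("10.0.0.9", T0 + timedelta(seconds=s), "/index.html") for s in range(60)]
)
```

Calling run(EVENTS, cc_threshold=60) reproduces the test setup and yields one SQL injection alarm and one CC alarm; with the production threshold of 1000 only the SQL injection alarm remains.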

[screenshot: CC attack alarm in the alarm list]

View Details:

[screenshot: CC attack alarm details]



This article is from the "Zhulinu blog"; please keep this source when reproducing it: http://zhulinu.blog.51cto.com/539189/1685065
