Log Analysis and Identification of Suspicious Events_ENG

The document discusses log analysis as a crucial method for identifying errors, attacks, and suspicious activities in systems. It details various types of logs, suspicious event indicators, and the significance of HTTP response codes, along with examples of password guessing, SQL injections, and XSS attacks. Recommendations for enhancing security through log monitoring and analysis tools are also provided.


Cyber security theory

Log analysis and identification of suspicious events
Introduction to log analysis
Logging is the process of recording events occurring in the system. Log analysis
helps to identify errors, attacks, and suspicious activity.

The main types of logs and their examples:

System: logging of OS actions (program launches, driver errors).
    Mar 7 12:00:15 hostname kernel: [ 1234.567890] CPU soft lockup detected

Network: information about traffic and connections (attempts to access a closed port).
    Mar 7 12:10:00 firewall DROP TCP 192.168.1.5 → 192.168.1.1:22

Web server: user requests to the website (a request to the login page).
    192.168.1.101 - - [07/Mar/2025:12:15:10 +0000] "GET /admin/login HTTP/1.1" 200

Database: actions with stored data (failed authorization attempt).
    Mar 7 12:20:30 DB_AUTH_FAIL: User 'admin' failed to login from IP 192.168.1.105

Log analysis and detection of suspicious events


Web server logs format
The web server keeps a record of client requests.

Example of a standard log (the five numbered elements below appear in this order):

192.168.1.101 - - [07/Mar/2025:12:15:10 +0000] "GET /admin/login HTTP/1.1" 200

Basic elements:

1. Client's IP address — where the request came from.
2. Date and time of the request — when the request was made.
3. Request method (GET, POST, etc.) — which action is requested.
4. Requested resource — what the user is accessing.
5. The server response code (200, 401, 403, 500, etc.) — the result of processing a request.

Suspicious events in logs

How to detect suspicious events in logs?

● A lot of requests in a short time.
● Frequent requests with different codes (for example, alternating 401 and 200).
● Requests with unusual parameters or long strings.
● Access to the administrative pages /admin, /login, /wp-admin.
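As an added example (not from the original slides), the "a lot of requests in a short time" indicator can be checked with a sliding window per client IP over the web server log format used throughout the deck. The 60-second window, the threshold of 20 requests and the sample log are assumptions constructed here; lines are assumed to be in chronological order, as in an access log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Only the client IP and the bracketed timestamp are needed for rate counting
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def high_rate_ips(lines, window=timedelta(seconds=60), threshold=20):
    """Return {ip: peak_count} for IPs that send more than `threshold` requests
    within any `window`. Lines are assumed to be chronological; malformed
    lines are skipped rather than breaking the analysis."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and len(q) > peaks.get(ip, 0):
            peaks[ip] = len(q)
    return peaks

def make_line(ip, second):
    """Constructed sample line in the slide's format, `second` seconds after 12:15:00."""
    ts = datetime(2025, 3, 7, 12, 15, 0, tzinfo=timezone.utc) + timedelta(seconds=second)
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200'

# Constructed log: one client sends 30 requests in 30 s, another browses normally,
# and one line is garbage to show that it is ignored
SAMPLE_LOG = sorted(
    [make_line("192.168.1.200", s) for s in range(30)]
    + [make_line("192.168.1.101", s) for s in (5, 40, 90)]
    + ["garbage line that does not parse"],
    key=lambda l: l[l.find("[") + 1:],
)

if __name__ == "__main__":
    print(high_rate_ips(SAMPLE_LOG))  # {'192.168.1.200': 30}
```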

HTTP request methods

GET – requesting data (for example, opening a web page)
POST – sending data (for example, account login)
PUT, DELETE – changing data on the server
HEAD – getting headers without a response body

Analyzing HTTP codes using the examples
Request for an existing page:
192.168.1.101 - - [07/Mar/2025:12:15:10 +0000] "GET /index.html HTTP/1.1" 200

200 OK → The page was successfully loaded.

Request for a page that doesn't exist:

192.168.1.101 - - [07/Mar/2025:12:16:00 +0000] "GET /secret.html HTTP/1.1" 404

404 Not Found → The page was not found.

Server error when loading the page:

192.168.1.101 - - [07/Mar/2025:12:17:30 +0000] "GET /profile HTTP/1.1" 500

500 Internal Server Error → The error is on the server side.

Password guessing attempts

How to detect password guessing attempts?

Multiple POST requests to the login page

Alternation of 401 Unauthorized and 200 OK codes

Same IP address for multiple failed login attempts

Suspicious activity in logs
(analysis of an example)
Let's say there are such records:
192.168.1.50 - - [07/Mar/2025:12:30:00 +0000] "POST /admin/login HTTP/1.1" 401
192.168.1.50 - - [07/Mar/2025:12:30:10 +0000] "POST /admin/login HTTP/1.1" 401
192.168.1.50 - - [07/Mar/2025:12:30:20 +0000] "POST /admin/login HTTP/1.1" 401
192.168.1.50 - - [07/Mar/2025:12:30:30 +0000] "POST /admin/login HTTP/1.1" 200

Analysis:

● Several consecutive failed login attempts (401 Unauthorized).
● At the end, successful authorization (200 OK).
● There was probably a password guessing (brute force) attack.

Brute force attacks and their attributes
Brute force is a method of guessing passwords by repeatedly attempting to log in.

Attributes in logs:

● Multiple consecutive POST /admin/login requests with the 401 code.
● Same IP address (for example, 192.168.1.50).
● Successful login after multiple failed attempts (200 OK).

Example of a real brute force log:

192.168.1.50 - - [07/Mar/2025:12:30:00 +0000] "POST /admin/login HTTP/1.1" 401
192.168.1.50 - - [07/Mar/2025:12:30:10 +0000] "POST /admin/login HTTP/1.1" 401
192.168.1.50 - - [07/Mar/2025:12:30:20 +0000] "POST /admin/login HTTP/1.1" 401
192.168.1.50 - - [07/Mar/2025:12:30:30 +0000] "POST /admin/login HTTP/1.1" 200

Conclusion: successful password guessing.
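The following Python is added here as an example and is not taken from the slides. It parses the five fields of the web server log format described earlier and applies the brute force attributes from this slide: a run of at least three 401 responses on the login page from one IP that ends in a 200 within five minutes. The login path, the threshold of three failures and the five-minute window are assumptions; the sample log reuses the slide's four lines plus constructed ones.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout from the "Web server logs format" slide: IP, timestamp, method, resource, code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

def parse_line(line):
    """Split one access-log line into its fields; None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_password_guessing(lines, login_path="/admin/login",
                           min_failures=3, window=timedelta(minutes=5)):
    """(ip, failures, time) for each run of >= min_failures 401s on login_path ending in a 200."""
    failures = defaultdict(list)  # ip -> timestamps of the current run of 401s
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        ip = rec["ip"]
        if rec["status"] == 401:
            failures[ip].append(rec["ts"])
            continue
        if rec["status"] == 200:
            recent = [t for t in failures[ip] if rec["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append((ip, len(recent), rec["ts"]))
        failures[ip].clear()  # any answer other than 401 ends the run
    return alerts

# Constructed sample: the slide's four lines, one ordinary login, one malformed line
SAMPLE_LOG = """\
192.168.1.50 - - [07/Mar/2025:12:30:00 +0000] "POST /admin/login HTTP/1.1" 401
192.168.1.50 - - [07/Mar/2025:12:30:10 +0000] "POST /admin/login HTTP/1.1" 401
192.168.1.50 - - [07/Mar/2025:12:30:20 +0000] "POST /admin/login HTTP/1.1" 401
192.168.1.50 - - [07/Mar/2025:12:30:30 +0000] "POST /admin/login HTTP/1.1" 200
192.168.1.101 - - [07/Mar/2025:12:31:00 +0000] "POST /admin/login HTTP/1.1" 401
192.168.1.101 - - [07/Mar/2025:12:31:05 +0000] "POST /admin/login HTTP/1.1" 200
this line is not in the expected format
""".splitlines()
```

Running `find_password_guessing(SAMPLE_LOG)` reports only 192.168.1.50 with three failures; the single failed attempt from 192.168.1.101 stays below the threshold.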

SQL injections and their attributes
Inserting SQL code into request parameters.

Attributes in logs

Queries with OR '1'='1' or UNION SELECT

Server errors (500 Internal Server Error)

Long strings in URL parameters

Example of a log with SQL injection:

192.168.1.99 - - [07/Mar/2025:12:40:10 +0000] "GET /login?user=admin' OR '1'='1'--&pass=123 HTTP/1.1" 500

XSS attacks and their attributes

Embedding malicious JavaScript code in the page.

Attributes in logs

Requests with <script> or onload=

Unusual URL parameters with the 200 OK code
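An added example (not part of the deck) that checks a log line for the SQL injection and XSS attributes listed on these two slides, decoding the URL first so that percent-encoded payloads are not missed and treating a 500 or a 200 as the extra signal each slide names. The regular expressions, the 100-character parameter threshold and the three made-up sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicators named on the SQL injection and XSS slides, checked after URL-decoding
SQLI_PATTERNS = [r"'\s*or\s*'1'\s*=\s*'1", r"\bunion\s+select\b"]
XSS_PATTERNS = [r"<script\b", r"\bonload\s*="]
MAX_PARAM_LEN = 100  # assumed threshold for "long strings in URL parameters"

# The target is read up to " HTTP/x.y" because the slide's injection example
# contains raw spaces inside the query string
REQ_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+" (?P<status>\d{3})'
)

def classify_request(line):
    """Return a list of (indicator, detail) findings for one access-log line."""
    m = REQ_RE.match(line)
    if not m:
        return []
    status = int(m.group("status"))
    decoded = unquote_plus(m.group("target"))  # payloads are often %-encoded
    findings = []
    for pat in SQLI_PATTERNS:
        if re.search(pat, decoded, re.IGNORECASE):
            # a 500 together with an injection pattern is the slide's strongest signal
            findings.append(("sqli+500" if status == 500 else "sqli", pat))
    for pat in XSS_PATTERNS:
        if re.search(pat, decoded, re.IGNORECASE):
            findings.append(("xss+200" if status == 200 else "xss", pat))
    for name, value in parse_qsl(urlsplit(decoded).query, keep_blank_values=True):
        if len(value) > MAX_PARAM_LEN:
            findings.append(("long-param", name))
    return findings

# Constructed samples: the slide's injection line plus three made-up lines
SQLI_LINE = ('192.168.1.99 - - [07/Mar/2025:12:40:10 +0000] '
             '"GET /login?user=admin\' OR \'1\'=\'1\'--&pass=123 HTTP/1.1" 500')
XSS_LINE = ('192.168.1.77 - - [07/Mar/2025:12:45:00 +0000] '
            '"GET /search?q=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200')
LONG_LINE = ('192.168.1.88 - - [07/Mar/2025:12:46:00 +0000] '
             '"GET /item?id=' + 'A' * 150 + ' HTTP/1.1" 200')
BENIGN_LINE = ('192.168.1.101 - - [07/Mar/2025:12:15:10 +0000] '
               '"GET /index.html HTTP/1.1" 200')
```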

ARP-spoofing and its attributes
An attack that spoofs MAC addresses on a local network.

Attributes in logs

IP and MAC address discrepancies in network logs

Dramatic increase in network traffic

Meaning of HTTP response codes
Let's combine the meanings of the HTTP response codes into a table:

2xx (successful requests)
● 200 OK – the request has been successfully processed
● 201 Created – a new resource has been created

3xx (redirections)
● 301 Moved Permanently – the page has moved

4xx (client errors)
● 401 Unauthorized – authentication is required
● 403 Forbidden – access is denied
● 404 Not Found – page not found

5xx (server errors)
● 500 Internal Server Error – internal error
● 503 Service Unavailable – the server is unavailable

Log analysis tools

Linux commands:
● grep – searching logs
● awk, sed – processing strings
● tail -f /var/log/access.log – real-time viewing

Graphical interfaces:
● ELK Stack (Elasticsearch, Logstash, Kibana)
● Splunk

Manual log analysis
What should we pay attention to?

● The alternation of successes and failures in logs
● Suspiciously high activity from a single IP
● Requests with unusual parameters

General protection recommendations

Use two-factor authentication (2FA)

Limit the number of login attempts

Automatically block suspicious IP addresses

Provide real-time monitoring of logs

Summary and key conclusions

● Logs allow you to identify attacks and errors.
● HTTP codes provide information about what is happening.
● Hacking attempts can be detected by analyzing the logs.
● Using the monitoring tools increases security.
