Two approaches to investigation
- Web access log
- Web request content
SQLi Activity
Investigate Web access Log
- Large number of requests to the same URI in a short time span
Investigate Web request content
- PCAP examination for common injection patterns
Automation Enumeration Activity
Investigate Web access Log
Analyzing
- Examine the traffic volume
- Identify the URI
- Observe the status code
- Identify the IP associated with the detected activity
- Investigate the user agent (e.g. a keyword such as "Havij" that labels a particular tool)
- Correlate with network monitoring tool
Brute Forcing Activity
Characteristics of BF activities
Analyzing
- Examine the access log
- Traffic pattern analysis
- Investigate the target URL/URI
- Identify IP associated with the activity
- Examine the status codes
- Identify the user agents
- Timestamp
- Correlate with network monitoring tool
File Inclusion Activity
Analyzing
- Examine the access log
- Traffic pattern analysis
- Examine the status codes
- Examine the URI
- Identify IP associated with the activity
- Identify the user agents
- Correlate with network monitoring tool
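The access-log checks listed under SQLi, automated enumeration, brute forcing and file inclusion above, run as one script over a few constructed combined-format log lines. This is an added example, not part of the original mind map; the injection and traversal regexes, the tool user-agent list and the burst/window thresholds are illustrative assumptions to be tuned for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote
# Constructed sample in combined log format (not real traffic):
# ip ident user [time] "METHOD URI PROTO" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login.php?user=admin%27%20OR%201%3D1-- HTTP/1.1" 500 512 "-" "Havij"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login.php?user=admin%27%20UNION%20SELECT%201,2-- HTTP/1.1" 500 512 "-" "Havij"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /login.php?user=bob HTTP/1.1" 200 1024 "-" "Havij"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 401 200 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 401 200 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "POST /login HTTP/1.1" 401 200 "-" "python-requests/2.31"
192.0.2.5 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 300 "-" "curl/8.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SQLI_RE = re.compile(r"(?i)(union\s+select|or\s+1\s*=\s*1|'\s*or\s*'|sleep\(|information_schema)")
LFI_RE = re.compile(r"(?i)(\.\./|/etc/passwd|php://|\x00)")
TOOL_UAS = ("havij", "sqlmap", "nikto", "python-requests")  # assumed labels of known scanners/tools

def parse_line(line):
    """Parse one line into a dict (URI percent-decoded); None if the line does not match."""
    if not (m := LOG_RE.match(line)):
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["uri"] = unquote(rec["uri"])  # match patterns against what the application saw
    return rec

def analyze(log_text, window=60, burst=3):
    """Return sorted (ip, finding) pairs: payload patterns, tool UAs, bursts and auth failures."""
    findings, hits, fails = set(), defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        r = parse_line(line)
        if not r:
            continue
        path = r["uri"].split("?", 1)[0]
        hits[(r["ip"], path)].append(r["ts"])  # access logs are chronological, so no sort
        fails[(r["ip"], path)] += r["status"] in ("401", "403")
        if SQLI_RE.search(r["uri"]):
            findings.add((r["ip"], "SQLi pattern in " + path))
        if LFI_RE.search(r["uri"]):
            findings.add((r["ip"], "file inclusion pattern in " + path))
        if any(t in r["ua"].lower() for t in TOOL_UAS):
            findings.add((r["ip"], "tool user agent " + r["ua"]))
    for (ip, path), stamps in hits.items():  # sliding window: burst requests to one URI
        if any((stamps[i + burst - 1] - stamps[i]).total_seconds() <= window for i in range(len(stamps) - burst + 1)):
            kind = "brute force" if fails[(ip, path)] >= burst else "burst"
            findings.add((ip, f"{kind}: {burst}+ requests to {path} within {window}s"))
    return sorted(findings)
```

Each finding pairs the source IP with the reason, so the output can be handed straight to the network-monitoring correlation step the notes end with.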
Defending against web attack
- SIEM log monitoring
- IDS/IPS
- WAF
Tools
- kitabisa/teler (Real-time HTTP Intrusion Detection)
- Suricata (Open-source WAF)
- Snort