Apache2
Goal: Detect abnormal patterns in Apache2 log files (`/var/log/apache2/`).

The `access.log` file is periodically rotated into a backup (e.g. `access.log.1`). Its structure can be seen below (Figure 1) and is described in the Apache documentation.

It is good practice to clear `access.log` before conducting an examination, so that we can isolate the traffic we are trying to observe (requires `root`).

Below is the log file generated from a single browser connection to the web server's homepage (`index.html`) (Figure 2). This is considered 'healthy' traffic.

Below are the logs from clicking on a page which contains an image (Figure 3). It technically counts as 2 downloads: one for the page itself (`pg1.html`) and another for the image (`image1.html`). This is also considered 'healthy' traffic.

Attacking, i.e., spidering, with ZAP generates a large volume of log lines. There were just 4 lines before, but now there are 1544 more.

We can use bash to extract useful information from the log file, such as unique IP addresses. A large number of requests originating from a single source can be an indicator of an attack.

However, a large request volume alone is not enough to confirm abnormal usage. We can also check how fast these requests were made, i.e., how many requests per second were generated (Figure 4).

We can also identify the most common `User-Agent` strings (Figure 5). Notice that there are 3 different `User-Agent` strings but just 2 IP addresses. This is because the ZAP tool changed its `User-Agent` for some of its tests.

We can also check the OSs (Figure 6), which are derived from the `User-Agent` strings.
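The following shell helpers are an added example, not code from the original page, covering the four checks above: requests per client IP, requests per second, the most common `User-Agent` strings, and a coarse OS breakdown derived from them. The seven log lines in `sample_log` are constructed for this example (the IP addresses, timestamps and `User-Agent` strings are made up) and follow the Apache combined log format; on a real system the functions read `/var/log/apache2/access.log` on stdin instead.

```shell
#!/bin/sh
# Added example: helpers for triaging an Apache2 access.log.
# Combined log format, one request per line:
#   client_ip - - [dd/Mon/yyyy:HH:MM:SS +zone] "request" status bytes "referrer" "user-agent"

# Constructed sample log (not real traffic): two client IPs, three User-Agent
# strings, with one client issuing a burst of requests in the same second.
sample_log() {
cat <<'EOF'
192.168.1.10 - - [12/Mar/2024:09:15:01 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.1.10 - - [12/Mar/2024:09:15:04 +0000] "GET /pg1.html HTTP/1.1" 200 1432 "http://192.168.1.20/index.html" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.1.10 - - [12/Mar/2024:09:15:04 +0000] "GET /image1.html HTTP/1.1" 200 5120 "http://192.168.1.20/pg1.html" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.1.30 - - [12/Mar/2024:09:20:10 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Scanner/1.0"
192.168.1.30 - - [12/Mar/2024:09:20:10 +0000] "GET /sitemap.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Scanner/1.0"
192.168.1.30 - - [12/Mar/2024:09:20:10 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Scanner/1.0"
192.168.1.30 - - [12/Mar/2024:09:20:11 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/8.0.1"
192.168.1.30 - - [12/Mar/2024:09:20:11 +0000] "GET /login.html HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Scanner/1.0"
EOF
}

# Requests per client IP, busiest first (field 1 is the client address).
requests_per_ip() {
    awk '{print $1}' | sort | uniq -c | sort -rn
}

# Number of distinct client IPs.
unique_ip_count() {
    awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Requests per second: field 4 is "[dd/Mon/yyyy:HH:MM:SS"; drop the leading bracket.
requests_per_second() {
    awk '{print substr($4, 2)}' | sort | uniq -c | sort -rn
}

# Highest number of requests seen in any single second (a burst indicator).
peak_requests_per_second() {
    requests_per_second | head -n 1 | awk '{print $1}'
}

# Most common User-Agent strings. Splitting on '"' makes the User-Agent field 6.
top_user_agents() {
    awk -F'"' '{print $6}' | sort | uniq -c | sort -rn
}

# Number of distinct User-Agent strings.
unique_user_agent_count() {
    awk -F'"' '{print $6}' | sort -u | wc -l | tr -d ' '
}

# Coarse OS family per request, inferred from the User-Agent string.
os_families() {
    awk -F'"' '{
        ua = $6
        if (ua ~ /Windows/)          os = "Windows"
        else if (ua ~ /Macintosh/)   os = "macOS"
        else if (ua ~ /Android/)     os = "Android"
        else if (ua ~ /iPhone|iPad/) os = "iOS"
        else if (ua ~ /Linux/)       os = "Linux"
        else                         os = "Unknown"
        print os
    }' | sort | uniq -c | sort -rn
}

# Usage with the constructed sample; on a live host use e.g.
#   requests_per_ip < /var/log/apache2/access.log
echo "== requests per IP ==";      sample_log | requests_per_ip
echo "== requests per second =="; sample_log | requests_per_second
echo "== user agents ==";          sample_log | top_user_agents
echo "== OS families ==";          sample_log | os_families
```

Reading the output the way the page does: the busiest IP combined with the peak requests-per-second figure separates a burst from a merely busy client, and a single IP presenting several `User-Agent` strings is the same signature the page observed with ZAP. The OS classification is only as trustworthy as the `User-Agent` header, which a client sets freely.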