Is there any tool that I can give a web server log (like an Apache web server log) and that analyzes it to tell whether there was an attack or not? I don't want to use a SIEM.

a.j

1 Answer

There is benefit to using a full-cycle platform that allows SIEM Engineering (e.g., Splunk ES) and Security Automation (e.g., Splunk Phantom), but these can also be performed using open-source platforms (e.g., HELK for SIEM engineering and Rundeck for Security Automation).

There are many benefits to ATT&CK detection, which may be platform-dependent. For example, Microsoft Sysmon is great for Windows and Windows Server, but no use on Linux or macOS. osquery has many configurations for all 3, but ATT&CK coverage tends to be Windows-only as well. auditd is Linux-only. xnumon is macOS-only, but there's a lot going on there, which even this forum has covered.

It sounds like what you are asking for in this question is not only going to be OS-dependent, but also perhaps web-server or even application-dependent. However, there are some standards, such as the NCSA Common Web Server Log format, and loose guidelines.

After the fact, there isn't much you can do, but I have seen a few articles cover tools such as apache-scalp. For the Apache httpd web server, the access log file(s) are usually in /var/log/apache2/access.log, but can be anywhere (even the config can be anywhere). For the Windows Server IIS web server, the log files are usually in \WINDOWS\system32\LogFiles\W3SVC1, but again, can be configured elsewhere. Most databases and other integration points for web applications do not log by default, or their logs are uninteresting for security purposes (but this is not always the case).

If you can install tools or run Python scripts, etc., then you may be off to a good start. If not, then you may be able to bring the logs elsewhere, but then you end up right back at the original Not-Using-Splunk problem that brought you here in the first place. Microsoft has a more official tool for web server / web app log analysis named LogParser, which can do cool things, such as:

logparser.exe -i:iisw3c -o:Datagrid -rtp:100 "select date, time, c-ip, cs-uri-stem, cs-uri-query, time-taken, sc-status from C:\wwwlogs\W3SVC\myserver\*.log where cs-uri-query like '%UNION%'"

Apache, Nginx, and IIS web servers tend to only log HTTP GET requests and their associated server response codes. If you want more, then you'll need to turn to additional bolt-on utilities and/or configurations.

For example, for Apache, mod_dumpio has been around since 2009, and mod_security and others were added later to support HTTP POSTs and lengthy server response collection.

proxy_pass or fastcgi_pass lines can be configured for the Nginx web server in order to leverage the $request_body variable.

The Advanced Logging Extension for IIS can be added to Microsoft IIS Server to achieve the same, or better.

atdre
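As an added example (not from the question or the answer above), here is a small Python scanner that parses NCSA Common/Combined log lines and flags request URIs that match the kind of filter the LogParser query uses (UNION in the query string). The indicator patterns and the sample log lines are my own constructions, not from any real server.

```python
import re
from urllib.parse import unquote_plus

# NCSA Common Log Format; the Combined format appends referer and user-agent.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Request-URI indicators: "sqli_union" mirrors the answer's LogParser filter
# (cs-uri-query like '%UNION%'); the other two are added here as examples.
INDICATORS = {
    "sqli_union": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "path_traversal": re.compile(r"(\.\./){2,}"),
    "xss_script_tag": re.compile(r"<script", re.I),
}

def parse_clf(line):
    """Parse one Common/Combined log line into a dict, or None if malformed."""
    m = CLF_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """Names of the indicators matched by the percent-decoded request URI."""
    uri = unquote_plus(entry["path"])  # UNION%20SELECT and union+select both match
    return [name for name, rx in INDICATORS.items() if rx.search(uri)]

def scan(lines):
    """Return (client, status, [indicators]) for every request that matched."""
    findings = []
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            continue  # skip lines that are not in CLF/Combined format
        hits = classify(entry)
        if hits:
            findings.append((entry["host"], entry["status"], hits))
    return findings

# Constructed sample access log (not from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=1+UNION+SELECT+1,2 HTTP/1.1" 500 512',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 404 196 "-" "curl/7.88.1"',
    'not a log line',
]
```

On a real host, pass the opened file instead of the sample list, e.g. `scan(open("/var/log/apache2/access.log"))`; note that, as the answer says, this only sees what the server logs (the request line, not POST bodies).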