Questions tagged [log-analysis]
74 questions
0
votes
1 answer
What are the common features to identify Brute-Force attack from Apache log file?
There are various methods to find attack patterns for different types of attacks. Apache-scalp is one such tool, but the rule set is not available to find the brute-force attack pattern via regular expression. I would love to know the different…
Uday
- 1
- 4
0
votes
0 answers
Multiple sshd sessions for single SSH login
I was grepping through /var/log/auth.log and noticed that for some reason, not every time, but sometimes when I would log in via SSH I would see entries like the following - where there were multiple sessions opened (at the exact same time) for one…
uofc
- 135
- 7
0
votes
1 answer
I need help finding a list or a reference of DLLs for discovering hijacked programs
I am removing malware from my grandpa's Windows computer using the Sysinternals suite. I suspect he has a Trojan which has been making remote connections and downloading a TON of viruses every day.
There are a lot of processes going on and a…
William Guerra
- 1
- 1
0
votes
1 answer
Difference between legitimate file transfer vs data exfiltration of confidential files using FTP
I have FTP logs and some other logs, assuming that the corporate environment is actively monitored. How would I know that a user is using FTP to transfer a regular file and not using the same to transfer a confidential file out of the organization?
or in other…
Nicz.cool
- 1
- 1
0
votes
1 answer
Historical IP reputation data
I have a firewall log with events from 2 years ago. I want to examine that log as if I were investigating at the time of collection (2 years ago).
However, I would like to use IP address reputation data. But I was not yet able to find a source that…
helt
- 101
- 1
0
votes
1 answer
Is this event a security concern: Windows 10: Event 360, User Device Registration?
My computer just froze, and I ended up having to reboot. It appears Windows Defender was coming up with a notification, but that froze as well. I was trying to see what went wrong in the event viewer, and noticed several application hangs (not…
Jonathan
- 3,157
- 4
- 26
- 42
0
votes
1 answer
How does a person request gmail.com from my server?
I run a number of websites / web services on NGINX with Ubuntu.
Today I noticed the following line in my rogue.access.log (I have a separate vhost/log file to catch all requests for websites other than ones I'm expecting):
Server: "gmail.com" -…
jpl42
- 103
- 1
0
votes
1 answer
Are SIEM and NIDS/HIDS complementary?
I would just like to have your feedback if you have been involved with Security Information and Event Management.
From your experience, do we have to add a SIEM to an existing NIDS (snort) and HIDS (ossec)? It seems to be quite huge and expensive to set…
phackt
- 1
- 2
0
votes
0 answers
Script for analysis of tcpdump log file
I'm trying to get the following metrics from my tcpdump log file:
(1) one-way delay, (2) request/response delay, (3) packet loss, (4) overall transaction duration and (5) delay variation (jitter).
For clarification: transaction duration refers to…
MSB
- 266
- 2
- 8
-1
votes
2 answers
Data to be Logged in a Web Application
What data should be logged in a web application?
From all perspectives, such as security, user access, data modification, the path travelled by a user in the application, and anything else that matters.
Ashutosh Singh
- 111
- 1
-1
votes
1 answer
How to determine where an attack came from?
I've noticed that sometimes I receive very random requests, visible in my log, coming to a live server that I host. It would usually look something like:
[14/Mar/2019 02:05:36] "GET /php/admin HTTP/1.1" 200 2090
[14/Mar/2019…
Matt Andrzejczuk
- 99
- 1
-1
votes
1 answer
Access log of someone using different IPs to send the same type of traffic
I have a Magento shop system and I read this in my logs:
206.75.231.xxx - - [14/Dec/2017:19:59:11 +0100] "POST /downloader/ HTTP/1.1" 403 220 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"
200.128.35.x - -…
Marcel
- 1
- 2
-2
votes
1 answer
Is Private Internet Access (PIA) VPN safe to use?
As said on the PIA website, they pretend to have the following VPN features:
PPTP, OpenVPN and L2TP/IPSec
SOCKS5 Proxy Included
No traffic logs
So my questions are: Is Private Internet Access VPN safe to use?
Is there any way to check or to be…
Ced
- 99
- 6
-2
votes
2 answers
How to get a thorough view of wireless router's logs?
I am trying to attack my wireless router using Kali Linux for learning purposes. When I check the wireless router's logs after a successful attack, it doesn't show me the logs related to the attacks which I made. The logs only reveal which devices…
hardik joshi
- 11