WEBVTT

00:00.000 --> 00:03.825
>> Hello all, let's
continue our lesson.

00:03.825 --> 00:06.580
In this video, we'll talk
about two log sources.

00:06.580 --> 00:09.175
The first is IPS or IDS,

00:09.175 --> 00:12.910
and the other log source is
Web Application Firewall.

00:12.910 --> 00:16.095
Let's talk about IPS and IDS.

00:16.095 --> 00:19.360
Both detect attacks, while IPS,

00:19.360 --> 00:21.280
which means intrusion
prevention system,

00:21.280 --> 00:23.710
can detect and
block the attacks.

00:23.710 --> 00:26.665
IDS or Intrusion
Detection System

00:26.665 --> 00:28.645
only detects the attack.

00:28.645 --> 00:30.280
Both work in the same way,

00:30.280 --> 00:31.750
but IPS is between

00:31.750 --> 00:34.615
the communication so it
can block the attack.

00:34.615 --> 00:37.480
IDS only listens to the traffic.

00:37.480 --> 00:39.940
Since IDS is not
between the source

00:39.940 --> 00:41.034
>> and the destination,

00:41.034 --> 00:43.265
>> it cannot block the attack.

00:43.265 --> 00:46.020
Now, maybe you're thinking,

00:46.020 --> 00:48.180
why should I use IDS?

00:48.180 --> 00:50.450
IPS can block and IDS

00:50.450 --> 00:53.355
cannot block so it's
better to use an IPS.

00:53.355 --> 00:55.565
IPS is a component.

00:55.565 --> 00:58.310
In some environments, it's
actually not allowed to

00:58.310 --> 01:00.950
use IPS because it can
delay the communication.

01:00.950 --> 01:03.835
But it's still important
for detecting attacks.

01:03.835 --> 01:06.185
As soon as the IDS
detects the attack,

01:06.185 --> 01:07.910
it can send the alert
to a SOC analyst

01:07.910 --> 01:09.335
or to a network component.

01:09.335 --> 01:12.905
It's better to have at
least an IDS than nothing.

01:12.905 --> 01:15.950
Snort is an open source
software that can

01:15.950 --> 01:18.695
be used as IPS or IDS.

01:18.695 --> 01:21.230
Let's analyze some Snort logs.

01:21.230 --> 01:24.320
Some information is
easy to identify.

01:24.320 --> 01:25.850
You can easily identify

01:25.850 --> 01:28.415
some attacks,
cross-site scripting,

01:28.415 --> 01:30.965
brute force, SQL injection,

01:30.965 --> 01:33.890
vulnerability, and
malicious user agents.

01:33.890 --> 01:36.440
You can also identify
some well-known fields

01:36.440 --> 01:38.090
like date and time and

01:38.090 --> 01:40.890
the source and
destination IP address.

01:40.900 --> 01:44.735
There are many other
IPS and IDS software products.

01:44.735 --> 01:46.910
Each will have its logs,
but with most of them,

01:46.910 --> 01:48.740
>> you're given information
about the attack

01:48.740 --> 01:50.844
>> and you have the key fields.

01:50.844 --> 01:52.160
>> It's important to know

01:52.160 --> 01:54.664
>> that another
IPS-like log source

01:54.664 --> 01:57.365
>> can help you to
identify the web attack.

01:57.365 --> 01:59.180
As you can see, it can

01:59.180 --> 02:01.415
identify which attack
was performed.

02:01.415 --> 02:05.335
It can make the life of a
SOC analyst much easier.

02:05.335 --> 02:10.695
Next, let's talk about the
Web Application Firewall.

02:10.695 --> 02:14.465
IPS and IDS analyze
all types of traffic

02:14.465 --> 02:16.745
and Web Application Firewalls

02:16.745 --> 02:19.100
analyze the Web
Application Traffic.

02:19.100 --> 02:22.640
That's why IPS and IDS are
more related to the network

02:22.640 --> 02:24.410
and Web Application Firewall is

02:24.410 --> 02:27.220
more related to
web applications.

02:27.220 --> 02:29.535
Like IPS and IDS,

02:29.535 --> 02:31.100
a Web Application
Firewall can be

02:31.100 --> 02:33.155
deployed in the middle
of the communication.

02:33.155 --> 02:34.250
Because of that,

02:34.250 --> 02:36.600
>> it has the capability
to block the attack.

02:36.600 --> 02:37.850
>> But like IDS,

02:37.850 --> 02:40.810
it can also be made to
only detect the attacks.

02:40.810 --> 02:43.400
There is an open-source
web application firewall

02:43.400 --> 02:44.850
called ModSecurity.

02:44.850 --> 02:48.735
Let's see the Web
Application Firewall Logs.

02:48.735 --> 02:50.280
It's a big log.

02:50.280 --> 02:52.529
>> But don't be scared.

02:52.529 --> 02:54.680
>> Spend some time
analyzing this log.

02:54.680 --> 02:56.180
Look for some known fields or

02:56.180 --> 02:58.220
any information that
you think is important.

02:58.220 --> 02:59.570
If you want, pause the video.

02:59.570 --> 03:02.434
>> Later, we'll analyze
this log together.

03:02.434 --> 03:05.030
>> But first, you
can see ModSecurity,

03:05.030 --> 03:07.024
>> and it says that
there is a warning.

03:07.024 --> 03:09.770
>> I hope that you find it
in this part of the log.

03:09.770 --> 03:12.295
Do you remember this attack?

03:12.295 --> 03:15.675
Now check the web
application conclusion.

03:15.675 --> 03:18.470
Web attack/file injection
and, of course,

03:18.470 --> 03:20.810
the well-known fields
like date and time,

03:20.810 --> 03:23.090
the client IP or the attacker.

03:23.090 --> 03:26.210
Here's our server IP
address and the web page;

03:26.210 --> 03:27.710
again, the basic information is

03:27.710 --> 03:29.720
all here, even a conclusion.

03:29.720 --> 03:33.210
This looks like a file
injection attack.

03:33.280 --> 03:35.690
To make things more
clear, let me show you

03:35.690 --> 03:38.030
the web server log
of this attack.

03:38.030 --> 03:40.190
All the fields are here,

03:40.190 --> 03:42.890
IP address, date and time, URL,

03:42.890 --> 03:45.920
the requested file,
the HTTP status code,

03:45.920 --> 03:47.600
and the user agent.

03:47.600 --> 03:50.485
Just looking at the Web
Application Firewall Log,

03:50.485 --> 03:51.800
you can get the attack or

03:51.800 --> 03:54.335
the possible attack almost
with the same information,

03:54.335 --> 03:56.480
but with a conclusion.

03:56.480 --> 03:59.515
Let's see one more example.

03:59.515 --> 04:02.475
Here, we have an SQL attack.

04:02.475 --> 04:05.690
The log is similar: we
have date and time,

04:05.690 --> 04:07.870
the IP address and so on.

04:07.870 --> 04:11.680
Here is the related
Web Server Log.

04:11.900 --> 04:14.235
We have IP address,

04:14.235 --> 04:16.815
date and time, and
other information.

04:16.815 --> 04:19.665
On the previous slide,
we had the GET method,

04:19.665 --> 04:21.660
here we have the POST method.

04:21.660 --> 04:24.730
Remember that we talked
about the POST method and that

04:24.730 --> 04:27.830
the web server will not
log the payload contents.

04:27.830 --> 04:29.200
That's why we can't see the

04:29.200 --> 04:31.360
SQL injection in
the web server log.

04:31.360 --> 04:33.970
But since the web
application firewall

04:33.970 --> 04:35.485
reads the entire packet,

04:35.485 --> 04:40.070
it can identify the attacks
that use POST requests.

04:40.080 --> 04:45.295
Some considerations
about IPS, IDS, and WAF.

04:45.295 --> 04:47.350
They help to identify attacks

04:47.350 --> 04:48.650
>> and protect against them.

04:48.650 --> 04:50.590
>> Both work with
signatures and usually

04:50.590 --> 04:53.205
they already have some
built-in signatures.

04:53.205 --> 04:55.730
Because the web
applications are different,

04:55.730 --> 04:58.715
you do need to make some
adjustments after deployment.

04:58.715 --> 05:00.560
Like any other security tool,

05:00.560 --> 05:03.080
they can be bypassed
and they can cause

05:03.080 --> 05:06.520
some availability issues
because of false positives.

05:06.520 --> 05:09.590
We used Version 4 of
the IP protocol in

05:09.590 --> 05:12.925
this course and maybe you
heard about IP Version 6.

05:12.925 --> 05:15.620
This will not change
our log analysis

05:15.620 --> 05:18.740
because HTTP is a
top layer protocol,

05:18.740 --> 05:20.915
IP is a lower-layer protocol.

05:20.915 --> 05:26.495
This means that HTTP can
use either IPv4 or IPv6.

05:26.495 --> 05:28.985
This is also true for TCP.

05:28.985 --> 05:31.805
The only difference will
be in the IP fields.

05:31.805 --> 05:34.745
Basically, the IPv4
address is 32 bits,

05:34.745 --> 05:38.150
and IPv6 is a little
bigger, 128 bits,

05:38.150 --> 05:39.519
>> for its address.

05:39.519 --> 05:41.280
>> To make things more clear,

05:41.280 --> 05:44.890
here's an example
of a log with IPv6.

05:45.170 --> 05:46.250
See?

05:46.250 --> 05:48.274
>> The only difference
is the IP address.

05:48.274 --> 05:52.890
>> You can analyze
IPv4 and IPv6 servers.

05:53.300 --> 05:56.940
To finish, a
post-assessment question.

05:56.940 --> 05:59.330
Analyze the log
below and identify

05:59.330 --> 06:01.765
the key fields and
the possible attack.

06:01.765 --> 06:03.855
The attacks are
easy to identify.

06:03.855 --> 06:05.990
The first is a cross-site
scripting attack

06:05.990 --> 06:08.660
and the second an
SQL injection.

06:08.660 --> 06:11.120
For the fields, we
have IP address,

06:11.120 --> 06:12.455
date and time,

06:12.455 --> 06:14.850
URL, and so on.

06:15.050 --> 06:17.790
Now, the video summary.

06:17.790 --> 06:18.950
In today's video,

06:18.950 --> 06:20.690
>> we talked about
other sources of logs.

06:20.690 --> 06:23.135
>> We now understand
two types of attacks,

06:23.135 --> 06:25.340
SYN and HTTP flood.

06:25.340 --> 06:29.105
We also analyzed two
types of logs, IPS/IDS,

06:29.105 --> 06:31.190
and Web Application Firewall.

06:31.190 --> 06:33.659
>> Another conclusion.

06:33.659 --> 06:36.215
>> Even if we have
different log sources,

06:36.215 --> 06:38.525
many of the same
components can be found.

06:38.525 --> 06:41.420
As soon as you know how to
analyze one type of log,

06:41.420 --> 06:43.705
you can analyze other logs too.

06:43.705 --> 06:46.680
Maybe you have some
doubts, but that's normal.

06:46.680 --> 06:50.240
Always try to find the
important fields in each log.

06:50.240 --> 06:54.810
For our next video, we will
have our course summary.

