SOCC04 - Server Log Analysis
Server Analysis
- Enable logging and make sure you have a way to analyze the logs you collect
- Run attacks against your own servers to confirm that the expected log entries are actually being generated
- CIS Benchmarks
  - Secure configuration guidelines for a wide range of operating systems, devices and applications
- Linux
- The Linux syslog daemon condenses repeated messages to keep the log from overflowing (example below)
    Failed password for root from x port y
    message repeated 8 more times [Failed password for root from x port y]
- HOWEVER, some SIEMs don't parse the repeat summary correctly: they count the summary line as a single event (or drop it), so the repeated attempts are undercounted
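The undercount described above is easy to reproduce. The following Python script is an added example, not part of the course notes: it parses a handful of constructed auth.log lines (hosts, ports and PIDs are placeholders) and counts failed SSH logins per source two ways, once per line the way a naive SIEM parser does, and once after unfolding the syslog `message repeated N times: [ ... ]` summary. The regex also accepts the "N more times" phrasing used in the note above.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of an auth.log written with syslog
# repeat reduction enabled. Addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar  4 10:01:02 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  4 10:01:09 web1 sshd[2211]: message repeated 8 times: [ Failed password for root from 203.0.113.7 port 51022 ssh2]
Mar  4 10:02:15 web1 sshd[2240]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Mar  4 10:02:20 web1 sshd[2240]: message repeated 3 more times: [ Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2]
Mar  4 10:03:00 web1 sshd[2260]: Accepted publickey for deploy from 192.0.2.5 port 33000 ssh2
"""

# Syslog repeat summary: "message repeated N times: [ original text ]".
# The optional "more" covers the phrasing quoted in the notes above.
REPEAT_RE = re.compile(
    r"message repeated (?P<n>\d+) (?:more )?times:?\s*\[\s*(?P<msg>.*?)\s*\]\s*$"
)

# sshd's failed-password message, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_repeat(line):
    """Return (inner_message, count) for a repeat summary, else (line, 1)."""
    m = REPEAT_RE.search(line)
    if m:
        return m.group("msg"), int(m.group("n"))
    return line, 1


def count_failed_logins(text, unfold_repeats=True):
    """Count failed logins per (source, user).

    With unfold_repeats=False every line counts once, which is how a SIEM
    behaves when it matches the message text but ignores the repeat count.
    """
    counts = Counter()
    for line in text.splitlines():
        msg, n = parse_repeat(line) if unfold_repeats else (line, 1)
        f = FAILED_RE.search(msg)
        if f:
            counts[(f.group("src"), f.group("user"))] += n
    return counts


def undercount_report(text):
    """Map (source, user) -> (per-line count, actual attempts) where they differ."""
    naive = count_failed_logins(text, unfold_repeats=False)
    actual = count_failed_logins(text, unfold_repeats=True)
    return {key: (naive[key], actual[key]) for key in actual if naive[key] != actual[key]}


if __name__ == "__main__":
    for (src, user), (seen, real) in undercount_report(SAMPLE_LOG).items():
        print(f"{src} -> {user}: per-line count {seen}, actual attempts {real}")
```

On the sample above the per-line count sees 2 attempts against root from 203.0.113.7 where there were really 9, which is the difference between a brute-force alert firing and not firing. Run the same check against your own SIEM's normalized events after generating a burst of failures with repeat reduction turned on.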
- Read the Farking Manual
- Reading the manual will make you a superhero
- Most people learn only second-hand, not from primary sources
- If you take the time to analyze the RAW[1] material, your analysis won't be derivative
- Identify what's important for each system you are logging
  - What are the key configs?
    - Files, tables, GUI
  - What are the key processes?
    - Ping, Port, Parse
  - Where does it store users?
    - Files, tables, GUI
  - Which ports need to be open?
  - Where are the logs stored or sent?
Lab: Firewall Logs
[1] Rules As Written