Keeping up with Web Logs: AWStats Log Analyzer
AWStats • Supports HTTP as well as FTP and Mail logs • IIS and Apache • Complete list at end of presentation • Runs on Windows and Linux • System Requirements • Perl 5.0 or greater
Useful Features • Summary of # visitors, # visits, pages, hits, bandwidth • Monthly, Daily, and Hourly traffic graphs • Visitors listed by frequency • Counts: file type, downloads, and URL-pages • Status code counts • Link to view 404 Not-Found log entries • Useful Plug-ins • Hostinfo • Raw Log Search
Hostinfo Plugin • Used to get Whois information about a visitor • Displays the information in a new browser window • Useful to determine the origin of unresolvable IPs • Ex: 121.254.193.202 had over 1,500 hits to our site • Click on the ? link in the Hosts (Top 10) table
Raw Log Search Plugin • Puts search form at top of report page • Will search and display contents of the “current” log • Allows PERL regular expression searches • Useful to search for suspicious traffic
Caveat Emptor! • XSS attacks will be reflected in the log! Request URLs, referers and user agents are attacker-controlled strings, and the report page renders them, so a script payload planted in a log line can execute in the reviewer's browser • Don't have other sites open in the same browser while reviewing • Use a dedicated system/VM for log review
Why I like it • It’s Free! • Active project = revisions and improvements • Multi-platform support • Easy to set up and get going • Provides at-a-glance view of web activity • Plugins available to provide additional functionality
Notes • Log formats supported • Apache common log format (see Note*) • Apache combined log format (known as NCSA combined log format or XLF or ELF format) • Any other personalized Apache log format • Any IIS log format (known as W3C format) • Webstar native log format • Realmedia server, Windows Media Server, Darwin streaming server • ProFTPd server, vsFTPd server • Postfix, Sendmail, QMail, Mdaemon • A lot of web/wap/proxy/streaming server log formats
Notes - continued • Search pattern for a visitor • 123.125.67.181.*08/Jan (escape the dots, 123\.125\.67\.181, if you want "." to match only a dot rather than any character) • Search for error codes • " 400 " • Search for suspicious patterns • URL w/ at least 4 consecutive encoded chars • GET.*(%[0-9a-fA-F]{2}){4}\S* HTTP • Embedded hex • GET \S*(\\[xX][0-9a-fA-F]{2}) • Reverse directory traversal • GET \S*(\.\.\/){2} • Injection attacks • GET \S*(select\(|SELECT\(|--|1=1|\/\*|\|)
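The Raw Log Search patterns above are plain Perl regular expressions, so they can be tried outside AWStats before typing them into the search box. The following script is an added example, not code from the slides or from the AWStats project: it runs the slide's patterns over a handful of constructed Apache combined-format lines (the IPs, timestamps and requests are made up for illustration), reports which client IPs each pattern flags, and, for the Caveat Emptor slide, shows why a log field such as the User-Agent must be HTML-escaped before it is placed in a report page. The `report_cell` and `user_agent` helpers are hypothetical stand-ins for the rendering a log analyzer does, not AWStats's own code.

```python
import html
import re

# Constructed sample lines in Apache "combined" log format (not real traffic).
# The last line carries a script tag in the User-Agent to model a log-poisoning attempt.
SAMPLE_LOG = r"""
121.254.193.202 - - [08/Jan/2011:10:12:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
123.125.67.181 - - [08/Jan/2011:10:13:44 -0500] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [08/Jan/2011:10:14:02 -0500] "GET /cgi-bin/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404 512 "-" "curl/7.19"
10.0.0.8 - - [08/Jan/2011:10:15:30 -0500] "GET /search?q=\x41\x42 HTTP/1.1" 400 0 "-" "-"
10.0.0.9 - - [08/Jan/2011:10:16:11 -0500] "GET /../../etc/passwd HTTP/1.0" 403 0 "-" "-"
10.0.0.10 - - [08/Jan/2011:10:17:05 -0500] "GET /item.php?id=1%20OR%201=1-- HTTP/1.1" 200 1024 "-" "-"
10.0.0.11 - - [08/Jan/2011:10:18:40 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "<script>alert(1)</script>"
"""

# The slide's patterns, usable unchanged by Python's re module. Only the visitor
# pattern is tightened with re.escape, because a bare "." in an IP address
# matches any character, not just a dot.
PATTERNS = {
    "visitor 123.125.67.181 on 08/Jan": re.escape("123.125.67.181") + r".*08/Jan",
    "400 Bad Request": r" 400 ",
    "4+ consecutive URL-encoded chars": r"GET.*(%[0-9a-fA-F]{2}){4}\S* HTTP",
    "embedded hex escape": r"GET \S*(\\[xX][0-9a-fA-F]{2})",
    "reverse directory traversal": r"GET \S*(\.\.\/){2}",
    "injection attempt": r"GET \S*(select\(|SELECT\(|--|1=1|\/\*|\|)",
}


def scan(log_text: str, patterns: dict = PATTERNS) -> dict:
    """Search every line with every pattern (unanchored, like the search box).

    Returns {pattern name: [client IPs of the lines that matched]}; the client
    IP is the first whitespace-delimited token of a combined-format line.
    """
    compiled = {name: re.compile(p) for name, p in patterns.items()}
    hits = {name: [] for name in patterns}
    for line in log_text.strip().splitlines():
        client_ip = line.split(" ", 1)[0]
        for name, rx in compiled.items():
            if rx.search(line):
                hits[name].append(client_ip)
    return hits


def user_agent(line: str) -> str:
    """The last quoted field of a combined-format line is the User-Agent."""
    return line.rsplit('"', 2)[1]


def report_cell(field: str, escape: bool = True) -> str:
    """Hypothetical report renderer: wrap one log field in an HTML table cell.

    With escape=False the attacker-chosen string is emitted verbatim and would
    run in the reviewer's browser; html.escape neutralises the markup.
    """
    return "<td>%s</td>" % (html.escape(field, quote=True) if escape else field)


if __name__ == "__main__":
    for name, ips in scan(SAMPLE_LOG).items():
        print(f"{name:36s} {ips}")
    ua = user_agent(SAMPLE_LOG.strip().splitlines()[-1])
    print("unescaped:", report_cell(ua, escape=False))
    print("escaped:  ", report_cell(ua))
```

Run as a script it prints the flagged IPs per pattern and the two renderings of the poisoned User-Agent. Note that the injection pattern only fires because the space in `1 OR 1=1` arrives URL-encoded as `%20`; a literal space in the request line would stop `\S*` and the pattern would miss it, which is why such patterns should be tried against real log lines before being relied on.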
References • AWStats Home • http://awstats.sourceforge.net • http://awstats.sourceforge.net/docs/index.html • ASCII Table • http://www.asciitable.com/ • Injection attack patterns • http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/