|
|
|
|
|
|
|
|
Logs are
imperfect:
|
|
|
|
•Most logs do not store 100% of the information:
|
|
•They may not contain much HTML data since most
info is related to the requested URL.
|
|
•This is what makes WWW-hacking forensics so
hard (at least at the application level).
|
|
•Default configurations are often even more
incomplete (Missing critical fields)
|
|
•HTTP Headers (and cookies among them) are often
configured by default not to be logged. In such cases, all HTTP level
attacks, such as HTTP header overflows,
Cookie poisoning or even the ‘ Microsoft IIS/5.0 “Translate: f” show
source vulnerability’ will not be shown differently than other “valid”
request, because they only differ from “valid” request in their HTTP headers.
|
|
•Special characters may not be displayed
correctly
|
|
One problem with
log file reading, is that it is textual, thus any special characters sent and
logged will not be displayed correctly, such as NULL, CRLF etc… This can help
in Anti-IDS attacks, which aim at confusing the log reader, or the process
monitoring the logs, such as IDS.
|
|
|
|
In order to get
the log file to be as thorough and informative as it could be, one must
remember to turn on all possible log entries, such as date/time, Client IP
Address, Query, all possible HTTP Headers, and if possible (usually it is
not) the Body of the requests.
|
|
|
