LORG – Apache Logfile Security Analyzer

0
0

Web application continue to be the first target to any user as this part of the network is exposed to internet and attacker can use web server to compromise other part of the network such as databases or internal network. If you are looking to investigate web server logs you can use lorg.

LORG (Logfile Outlier Recognition and Gathering) is a tool aimed at security professionals and administrators to simplify the job of finding the ‘needle in a haystack’ (aka vulnerable web application) in the scenario of post-attack forensics. It aims to implement various state of the art approaches to detect attacks against web applications within HTTP traffic logs (e.g. Apache’s access_log), including signature-based, statistical and machine learning techniques.

LORG - Apache Logfile Security Analyzer

LORG – Apache Logfile Security Analyzer

The tool have 2 approach for detecting the web attack the first is signature based detection and learning based detection. Both approach implemented using one of the following three modules:

  1. Match against Regular Expressions PHPIDS
  2. Statistics based on Char Distribution CHARS
  3. Machine Learning based on MCSHMM

Once there is a suspicion of an attack and you have the source IP you will need to start to interact with your web server logs which will allow incident responder to confirm the success/failure criteria depending on the HTTP response codes:

  • 404 unsuccessful scan
  • 401 , 403 unsuccessful login
  • 400 , 408 ,503  denial of service
  • 500 buffer overflow
  • 414 unsuccessful buffer overflow
  • 200 which should be investigated maybe attack succeeded to perform Information Disclosure, File Disclosure or a Compromise

If you will have a prevention device before your web servers such as WAF/IPS or even a router ACL you should find no logs on the web server as the attack were blocked at the edge and this is the recommended solution.

You can read more and download this tool over here: https://github.com/jensvoid/

Share