Following the new “tradition” of posting a security tip of the week (mentioned here, here ; SANS jumped in as well), I decided to go along and join the initiative. One of the bloggers called it “pay it forward” to the community.

So, Anton Security Tip of the Day #6: The Other Web Log

We all know that Apache web server has its access_log log files while IIS has its w3c logs. When people think about web log analysis, they think about the above and only about the above logs, often calling them “the web server logs.” However, the other web log - error_log (in case of Apache) - contain a lot of fun and useful info as well. Today’s tip is to encourage the review and analysis of this treasure trough - pardon the idiom - of insight.

So, what goes into the error_log? Well, errors, duh! Why errors matter? ‘Cause errors often present the only indication that a) you are being 0wned or, worse, that b) you’ve been 0wned by the attackers. Additionally, apart from the obvious security usage mentioned above, errors matter since they - or rather, some of them - require actions by the user and thus knowing about them is of huge importance. What is even more striking is that many error messages present an interesting tradeoff - do only a little now to correct the reasons (or, “the root cause” as network management people would say) for the error, or do a whole lot later when the system crashes, gets hacked or “misbehaves” in some other truly spectacular way. Now, a grizzled BOFH would surely say “heh, but who would want to do that! surely, dealing with a dramatic world-ending catastrophe later is more fun that making a minor config fix now.” Well, I sincerely hope not all of my readers are such people :-)

Now, back to the Apache errors; we are going to show a few examples from a live phishing site, run by the attackers on a compromised server. We will start from the obvious - server restart, which actually happened as a result of an attack, in our case.

[Sun Mar 12 04:02:05 2006] [notice] SIGHUP received. Attempting to restart

Did YOU restart the server? No? Two choices then - someone else did (likely without permission!) or the server got restarted automatically for whatever strange reason. You certainly need to be at least somewhat concerned in both cases - thus: look for the above messages.

Here are a few more fun examples - the relevance of those for your business is left as an exercise for the readers, but all of the messages below

[Mon Mar 13 14:54:11 2006] [error] [client 10.10.10.10] Premature end of script headers: index.htm

Does “index.htm” sound like a script to you? It sure should not; and this error message indicates that somebody is trying to run it as a script - a clear indication of malicious behavior. The next message is also similar in this regard:

[Mon Mar 13 14:54:26 2006] [error] [client 10.10.10.10] attempt to invoke directory as script: /var/www/cgi-bin/tcpsupport/

and so is this one:

[Mon Mar 13 14:54:23 2006] [error] [client 10.10.10.10] (8)Exec format error: exec of ‘/var/www/cgi-bin/tcpsupport/main.htm’ failed

Other interesting things spotted on the same server -this one looks like an overflow attack attempt (and, no, the NIDS did not make a squeak about it)

[Thu Mar 19 07:16:11 2006] [error] [client 10.10.10.10] request failed: URI too long (longer than 8190)

So, to conclude, the tips is: when doing web server log analysis, make sure you look at the error logs as well as the access logs.

Also, I am tagging all the tips on my del.icio.us feed. Here is the link: All Security Tips of the Day.

This piece, even though it borders on being content-free at times :-), has a few fun insights on logging and audits (some painfully obvious to us logging people :-))

For example: “Does the fact that audit logging is enabled satisfy all the different regulatory compliance requirements? […] In all but the most generic cases, the clear answer to this is no.” But of course! Having logs is great, but looking at them is awesome (and sometimes required - see PCI Requirement 10)!

Or this “gem” - “The problem is no one looks at these logs unless something bad happens” which goes straight back to my famous (and old) “Five Mistakes of Log Analysis” paper (an update, called “Six Mistakes of Log Management” is to be published soon) Having a log management solution solves this one nicely.

Or this one: “Audit logging is not just for compliance reasons.” Guess what, every sysadmin worth his salt have known this for, say, 20 years :-)

Overall, the piece is much better at asking questions than giving answers. Seriously, is this true: “What do you log? Do you look at successes and failures? How vulnerable are your logs once they’ve been written? How long do you keep your logs? Only you can answer those questions.” No, there are pretty good answers already given to the questions above. Such answers are given in various regulations (some mentioned in the article) as well as “best practice” and IT governance frameworks, such as COBIT, ITIL and various ISO docs.

Mike Rothman kicks it as well by saying “Kevin Beaver beats the horse a bit too much about why you should log (providing the regulatory context) and not enough perspective on how you should do it.”

In any case, I liked the blurb since it helps to bring awareness of log management to those still hiding from it under their desks…

Here are the results of my security conference poll, as of 11/16/2006 (the results hasn’t changed much since). Which information security conference do you like the most?
		FIRST (46%)
		DEFCON (12%)
		BlackHat (10%)
		SANS (all) (7%)
		Other (7%)
		CanSecWest (5%)
		RSA (4%)
		Gartner IT Security Summit (1%)
		ISACA (0%)
		Security Decisions (ISD) (0%)
		CSI (all) (0%)
		MISTI (all) (0%)
		ISSA (0%)
		TechnoSecurity (0%)
		226 total votes

What are the conclusions:

1. The link to a poll was posted on a FIRST web site. I will let the reader decide the causality here :-)
2. DEFCON/Blackhat still rock!
3. SANS is great as well, presenting a close adjusted (see item 1. above) second after DEFCON/Blackhat
4. Some shows where we usually notice an abundance of fake experts presenting their rants are rated low, as they should be
5. Some Gartner folks blessed the poll with their votes :-) (Hi, Rich!)
6. Looks like I totally failed to spell out some of the popular shows, since Other category is so big (please, please, dear readers, post comments and enlighten me on this)

Obviously, the results reflect the bias of my readership selection, but, at the same time, they are not entirely unexpected…