Quick Forensics Analysis of Apache logs
Sometimes, you’ve to quickly investigate a webserver logs for potential malicious activity. If you're lucky, logs are already indexed in real-time in a log management solution and you can automatically launch some hunting queries. If that's not the case, you can download all logs on a local system or a cloud instance and index them manually. But it's not always the easiest/fastest way due to the amount of data to process.
These days, I'm always trying to process data as close as possible of their location/source and only download the investigation results. So you reduce the bandwidth usage, and local resources (memory, CPU, ...)
I had to analyze a huge set of Apache logs (the current one included all the archived ones - for 1 year) and used the following solution: mal2csv[1] (Malformed Access Logs to CSV). As the name says, the main purpose of this tool is to convert an Apache access log into a CSV file (easier to process in some cases) but it has two interesting extra features:
- It deobfuscates encoding (common in web attacks) to humanly readable text
- It checks log entries against the PHPIDS[2] regex rules to identify known malicious requests.
Interesting log entries are stored in separate files for further review.
On the web server, Docker was available. To perform my forensic analysis, I created a Docker image to not pollute the server with extra tools (and deleted after the processing). Simple config:
FROM ubuntu:latest LABEL maintainer="Xavier Mertens <xmertens@isc.sans.edu>" RUN apt update && \ apt install -y git python3 WORKDIR /opt RUN git clone https://github.com/RandomRhythm/mal2csv.git WORKDIR /opt/mal2csv ENTRYPOINT ["python3", "./mal2csv.py"]
Once the image is built, access log files can be analyzed like this (if they are located in a default location for Apache):
# mkdir /var/tmp/results # for F in /var/log/apache2/access.log* do zcat -f $F >/var/tmp/results/$(basename $F).txt docker run -it --rm -v /var/tmp/results:/data mal2csv:1.0 -i /data/$(basename $F).txt -o /data/$(basename $F).txt -d -l -p -r -f done
This loop will process all access.log files one by one, and extract them in /var/tmp/results. For every log, 3 files will be created. Example:
-rw-r--r-- 1 root root 20488876 Mar 28 15:33 access.log.txtLogOutput.Formatted -rw-r--r-- 1 root root 880986 Mar 28 15:33 access.log.txtLogOutput.Formatted.IDS -rw-r--r-- 1 root root 1418806 Mar 28 15:33 access.log.txtLogOutput.Formatted.interesting
The "Output.Formatted" file will contain all events converted in CSV. The two others are more interesting:
The "Formatted.IDS" file will contain a listing of events that match PHPIDS rules:
"24","Detects basic obfuscated JavaScript script injections","GET /config/.env HTTP/1.1" "35","Detects common comment types","GET /phpMyAdmin+++---/index.php HTTP/1.1" "20","Detects JavaScript language constructs","GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" "8","Detects self-executing JavaScript functions","GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1"
The "Formatted.Interesting" file will contain the original events that match a PHPIDS rule. Now, you know where to put more effort in your investigations.
Pretty straightforward to perform a quick first analysis of your logs! Note that mal2csv can also process Microsoft IIS logs (use the "-m" command line switch) and the detection rules are located in two files:
- custom_filter.json
- default_filter.json
Easy to maintain them to add your own rules!
[1] https://github.com/RandomRhythm/mal2csv
[2] https://github.com/PHPIDS/PHPIDS
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Comments