
Posted on 16-Dec-2015


AWSTATS LOG ANALYZER

Keeping up with Web Logs

AWStats

• Supports HTTP as well as FTP and Mail logs

• IIS and Apache

• Complete list at end of presentation

• Runs on Windows and Linux

System Requirements

• Perl 5.0 or greater

Useful Features

• Summary of # visitors, # visits, pages, hits, bandwidth

• Monthly, Daily, and Hourly traffic graphs

• Visitors listed by frequency

• Counts: file type, downloads, and URL-pages

• Status code counts

• Link to view 404 Not-Found log entries

Useful Plug-ins

• Hostinfo

• Raw Log Search

Screenshot

Daily Trend

Top Visitors

Downloads

URLs Visited

HTTP Status Codes

404 Report
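The screenshot slides above name the reports AWStats builds from a web log (daily and hourly trend, top visitors, URLs visited, HTTP status codes, 404 report), and the Useful Features slide lists the summary counts (visitors, visits, hits, bandwidth). The following is an added example, not AWStats code, that computes those same counts in Python over a few constructed Apache combined-format lines. The log lines and hosts are constructed (documentation address ranges), and the rule that a new visit begins after an hour of silence from the same host is an assumption made here for the example, not a statement of how AWStats itself sessionizes.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/NCSA combined log format, one of the formats the deck lists as supported.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
VISIT_GAP_SECONDS = 3600  # assumption for this example: an hour of silence ends a visit

# Constructed sample lines (not real traffic); hosts are from RFC 5737 documentation ranges.
# The seventh line is deliberately malformed to show that unparseable lines are skipped.
SAMPLE_LOG = """203.0.113.10 - - [08/Jan/2015:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Jan/2015:10:15:40 +0000] "GET /docs/report.pdf HTTP/1.1" 200 204800 "http://example.test/" "Mozilla/5.0"
198.51.100.7 - - [08/Jan/2015:11:02:01 +0000] "GET /missing.html HTTP/1.1" 404 512 "-" "curl/7.40"
198.51.100.7 - - [08/Jan/2015:11:02:05 +0000] "GET /old/page.html HTTP/1.1" 404 512 "-" "curl/7.40"
192.0.2.55 - - [08/Jan/2015:12:30:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"
192.0.2.55 - - [08/Jan/2015:12:30:02 +0000] "GET /images/logo.png HTTP/1.1" 200 8192 "/index.html" "-"
this line is not in combined format and is skipped
203.0.113.10 - - [08/Jan/2015:14:00:00 +0000] "GET /index.html HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"] = rec["url"].split("?", 1)[0]  # drop the query string for page counts
    return rec


def file_type(path):
    """Extension of the requested file, or '(none)' for directories and extension-less paths."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else "(none)"


def summarize(log_text):
    """Counts in the spirit of the AWStats summary line and per-table reports."""
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["when"])
    hosts, status, pages, hourly, types = Counter(), Counter(), Counter(), Counter(), Counter()
    not_found, visits, last_seen = [], 0, {}
    for r in records:
        hosts[r["host"]] += 1
        status[r["status"]] += 1
        pages[r["path"]] += 1
        hourly[r["when"].strftime("%H")] += 1
        types[file_type(r["path"])] += 1
        if r["status"] == "404":
            not_found.append((r["host"], r["url"]))  # feeds the "404 Report"
        prev = last_seen.get(r["host"])
        if prev is None or (r["when"] - prev).total_seconds() > VISIT_GAP_SECONDS:
            visits += 1  # first hit, or first hit after a long enough gap, opens a visit
        last_seen[r["host"]] = r["when"]
    return {
        "visitors": len(hosts), "visits": visits, "hits": len(records),
        "bandwidth": sum(r["bytes"] for r in records),
        "top_hosts": hosts.most_common(10), "status_codes": dict(status),
        "top_pages": pages.most_common(10), "hourly": dict(sorted(hourly.items())),
        "file_types": dict(types), "not_found": not_found,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Hits are counted per parsed line, visitors per distinct host, and bandwidth from the response-size field (a `-` counts as zero, as with a 304). Lines that do not parse are dropped rather than crashing the run, which is the behaviour you want when a log has been partially rotated or contains a stray line.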

Hostinfo Plugin

Used to get Whois information about visitor

Will display information in a new browser window

Useful to determine origin of unresolvable IPs

Ex: 121.254.193.202 had over 1,500 hits to our site

Click on the ? link in the Hosts (Top 10) table

Hostinfo Plugin - Whois

Raw Log Search Plugin

Puts search form at top of report page

Will search and display contents of the “current” log

Allows Perl regular expression searches

Useful to search for suspicious traffic

Search for visitors…

Error codes…

Suspicious patterns…

More suspicious patterns

Caveat Emptor!

XSS attacks will be reflected in log!

•Don’t have other sites open using same browser

•Use dedicated system/vm for log review

Why I like it

• It’s Free!

• Active project = revisions and improvements

• Multi-platform support

• Easy to set up and get going

• Provides at-a-glance view of web activity

• Plugins available to provide additional functionality

Notes

Log formats supported:

• Apache common log format (see Note*)

• Apache combined log format (known as NCSA combined log format or XLF or ELF format)

• Any other personalized Apache log format

• Any IIS log format (known as W3C format)

• Webstar native log format

• Realmedia server, Windows Media Server, Darwin streaming server

• ProFTPd server, vsFTPd server

• Postfix, Sendmail, QMail, Mdaemon

• A lot of web/wap/proxy/streaming server log formats

Notes - continued

Search pattern for visitor:
    123.125.67.181.*08/Jan

Search for error codes:
    " 400 "

Search for suspicious patterns:

URL w/ at least 4 encoded chars:
    GET.*(%[0-9a-fA-F]{2}){4}\S* HTTP

Embedded hex:
    GET \S*(\\[xX][0-9a-fA-F]{2})

Reverse directory traversal:
    GET \S*(\.\.\/){2}

Injection attacks:
    GET \S*(select\(|SELECT\(|--|1=1|\/\*|\|)
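The Raw Log Search plugin runs a Perl regular expression over the current log and shows the matching lines in the browser, which is both what makes the patterns above useful and what the Caveat Emptor slide warns about: whatever a client sent is stored verbatim, so a reflected-XSS payload in a request line becomes live markup if the report prints it unescaped. The following added example (Python, not the plugin's code) runs the slide's six patterns, exactly as written there, over constructed combined-format log lines and renders the hits with HTML escaping. The log lines are constructed; 123.125.67.181 is the address the slide's own visitor pattern names, and the other hosts come from documentation address ranges.

```python
import html
import re

# The search expressions from the "Notes - continued" slide, exactly as written there.
# They use Perl-style syntax; every construct in them means the same thing to Python's re module.
SEARCH_PATTERNS = {
    "visitor on a date": r"123.125.67.181.*08/Jan",
    "error code 400": r" 400 ",
    "URL with at least 4 encoded chars": r"GET.*(%[0-9a-fA-F]{2}){4}\S* HTTP",
    "embedded hex": r"GET \S*(\\[xX][0-9a-fA-F]{2})",
    "reverse directory traversal": r"GET \S*(\.\.\/){2}",
    "injection attack": r"GET \S*(select\(|SELECT\(|--|1=1|\/\*|\|)",
}

# Constructed combined-format lines (not real traffic). 123.125.67.181 is the address the
# slide's visitor pattern names; the other hosts are from RFC 5737 documentation ranges.
# A raw string keeps the literal backslashes in the "embedded hex" line intact.
SAMPLE_LOG = r'''123.125.67.181 - - [08/Jan/2015:03:12:44 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Baiduspider/2.0"
198.51.100.7 - - [08/Jan/2015:11:02:05 +0000] "GET /search?q=%E2%9C%93%20done HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.55 - - [08/Jan/2015:12:30:00 +0000] "GET /../../etc/passwd HTTP/1.0" 400 301 "-" "-"
192.0.2.55 - - [08/Jan/2015:12:30:02 +0000] "GET /admin.php?id=1%27%20OR%201=1%20-- HTTP/1.1" 403 221 "-" "-"
192.0.2.55 - - [08/Jan/2015:12:30:05 +0000] "GET /cgi-bin/test?x=\x41\x41 HTTP/1.1" 404 0 "-" "-"
203.0.113.10 - - [08/Jan/2015:14:00:00 +0000] "GET /page?title=<script>alert(1)</script> HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''


def search_log(pattern, log_text):
    """Raw log search: return every line the pattern matches, unmodified, as the plugin displays it."""
    rx = re.compile(pattern)
    return [line for line in log_text.splitlines() if rx.search(line)]


def classify(log_text):
    """Run every slide pattern over the log and map pattern name -> matching lines."""
    return {name: search_log(pat, log_text) for name, pat in SEARCH_PATTERNS.items()}


def render_html(lines):
    """Render search hits for a browser.

    The log stores whatever the client sent, so a script tag recorded in a request line is live
    markup if printed raw. html.escape turns it into inert text before it reaches the reviewer.
    """
    rows = "\n".join(f"<tr><td><code>{html.escape(line)}</code></td></tr>" for line in lines)
    return f"<table>\n{rows}\n</table>"


if __name__ == "__main__":
    for name, hits in classify(SAMPLE_LOG).items():
        print(f"{name}: {len(hits)} hit(s)")
        for line in hits:
            print("   ", line)
    # A plain visitor search that returns the line carrying a script tag, rendered safely:
    print(render_html(search_log(r"203\.0\.113\.10", SAMPLE_LOG)))
```

Two things the run makes visible. The "at least 4 encoded chars" pattern, as written, requires four consecutive `%XX` groups, so the benign UTF-8 query string on the second line triggers it while the encoded injection attempt on the fourth line does not; treat it as a lead, not a verdict. And the last line matches none of the slide's patterns at all, which is exactly why the escaping in `render_html` (or reviewing in a dedicated browser or VM, as the slide advises) has to be in place regardless of how good the search expressions are.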
