AWSTATS LOG ANALYZER Keeping up with Web Logs

Keeping up with Web Logs. AWStats Supports HTTP as well as FTP and Mail logs IIS and Apache Complete list at end of presentation Runs on Windows.

Dec 16, 2015


AWStats

• Supports HTTP as well as FTP and Mail logs
• IIS and Apache
• Complete list at end of presentation
• Runs on Windows and Linux

System Requirements

• PERL 5.0 or greater


Useful Features

• Summary of # visitors, # visits, pages, hits, bandwidth
• Monthly, Daily, and Hourly traffic graphs
• Visitors listed by frequency
• Counts: file type, downloads, and URL-pages
• Status code counts
• Link to view 404 Not-Found log entries

Useful Plug-ins

• Hostinfo
• Raw Log Search


Screenshot


Daily Trend


Top Visitors


Downloads


URLs Visited


HTTP Status Codes


404 Report


Hostinfo Plugin

Used to get Whois information about visitor

Will display information in a new browser window

Useful to determine origin of unresolvable IPs

Ex: 121.254.193.202 had over 1,500 hits to our site

Click on the ? link in the Hosts (Top 10) table


Hostinfo Plugin - Whois


Raw Log Search Plugin

Puts search form at top of report page

Will search and display contents of the “current” log

Allows PERL regular expression searches

Useful to search for suspicious traffic


Search for visitors…


Error codes…


Suspicious patterns…


More suspicious patterns


Caveat Emptor!

XSS attacks will be reflected in log!

• Don’t have other sites open using same browser

• Use dedicated system/vm for log review


Why I like it

• It’s Free!
• Active project = revisions and improvements
• Multi-platform support
• Easy to set up and get going
• Provides at-a-glance view of web activity
• Plugins available to provide additional functionality


Notes

Log formats supported

• Apache common log format (see Note*)
• Apache combined log format (known as NCSA combined log format or XLF or ELF format)
• Any other personalized Apache log format
• Any IIS log format (known as W3C format)
• Webstar native log format
• Realmedia server, Windows Media Server, Darwin streaming server
• ProFTPd server, vsFTPd server
• Postfix, Sendmail, QMail, Mdaemon
• A lot of web/wap/proxy/streaming servers log format


Notes - continued

Search pattern for visitor

123.125.67.181.*08/Jan

Search for error codes

“ 400 “

Search for suspicious patterns

• URL w/ at least 4 encoded chars

GET.*(%[0-9a-fA-F]{2}){4}\S* HTTP

• Embedded hex

GET \S*(\\[xX][0-9a-fA-F]{2})

• Reverse directory traversal

GET \S*(\.\.\/){2}

• Injection attacks

GET \S*(select\(|SELECT\(|--|1=1|\/\*|\|)
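The four suspicious-pattern searches above, run over a handful of log lines and combined with the "Caveat Emptor" slide's point that attack strings end up in the log. This is an added example, not part of the original presentation or of AWStats. The sample lines are constructed, the names `scan` and `render_safe` are hypothetical, and the escaping step shows defensive handling for any viewer that displays raw log lines in a browser rather than describing what AWStats itself does.

```python
import html
import re

# Patterns copied verbatim from the slide (Perl syntax that Python's re accepts unchanged).
PATTERNS = {
    "encoded_chars": r"GET.*(%[0-9a-fA-F]{2}){4}\S* HTTP",
    "embedded_hex": r"GET \S*(\\[xX][0-9a-fA-F]{2})",
    "dir_traversal": r"GET \S*(\.\.\/){2}",
    "injection": r"GET \S*(select\(|SELECT\(|--|1=1|\/\*|\|)",
}
COMPILED = {name: re.compile(rx) for name, rx in PATTERNS.items()}

# Constructed sample lines in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = [
    r'192.0.2.10 - - [08/Jan/2015:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [08/Jan/2015:10:01:05 +0000] "GET /a/../../etc/passwd HTTP/1.1" 404 210 "-" "-"',
    r'198.51.100.7 - - [08/Jan/2015:10:01:09 +0000] "GET /item?id=1%20OR%201=1 HTTP/1.1" 200 900 "-" "-"',
    r'203.0.113.5 - - [08/Jan/2015:10:02:00 +0000] "GET /q?s=%3C%73%63%72ipt%3E HTTP/1.1" 200 300 "-" "-"',
    r'203.0.113.5 - - [08/Jan/2015:10:02:03 +0000] "GET /\x90\x90 HTTP/1.1" 400 0 "-" "<script>alert(1)</script>"',
]


def scan(lines):
    """Return [(line_number, [pattern names])] for every line that matches at least one pattern."""
    hits = []
    for number, line in enumerate(lines, 1):
        names = [name for name, rx in COMPILED.items() if rx.search(line)]
        if names:
            hits.append((number, names))
    return hits


def render_safe(line):
    """HTML-escape a raw log line so markup inside it is displayed as text, not executed."""
    return html.escape(line, quote=True)


if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(number, ",".join(names), render_safe(SAMPLE_LOG[number - 1]))
```

The patterns only look at `GET` requests, so the same payloads sent with `POST` or `HEAD` pass unflagged unless the method is widened.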