WEBVTT

0:00:03.580000 --> 0:00:06.540000
 Log Analysis using Linux.

0:00:06.540000 --> 0:00:07.760000
 So welcome everyone.

0:00:07.760000 --> 0:00:12.440000
 In this video we're going to be, as
 the title suggests, taking a look

0:00:12.440000 --> 0:00:22.640000
 at how to analyze various log files
 pertinent to Linux using Linux.

0:00:22.640000 --> 0:00:29.460000
 And the reason for this may be surprising
 to you, but as I mentioned,

0:00:29.460000 --> 0:00:32.840000
 as I pointed out, when we're taking
 a look at the modes of log analysis,

0:00:32.840000 --> 0:00:40.340000
 apart from using a SIEM to identify
 and analyze logs and have it do the

0:00:40.340000 --> 0:00:42.560000
 parsing for you.

0:00:42.560000 --> 0:00:49.200000
 You need to be able to get onto a system
 physically or actively as it

0:00:49.200000 --> 0:00:54.660000
 were and find what you're looking for
 with regards to malicious activity.

0:00:54.660000 --> 0:00:59.220000
 So validating the presence of a threat
 or malicious activity and then

0:00:59.220000 --> 0:01:02.680000
 extracting useful information from it.

0:01:02.680000 --> 0:01:07.300000
 So the bottom line is that regardless
 of the environment you're working

0:01:07.300000 --> 0:01:12.160000
 in or the tools at your disposal, this
 is something that is very, very

0:01:12.160000 --> 0:01:14.140000
 important to know how to do.

0:01:14.140000 --> 0:01:17.880000
 So the focus of this video is to, you
 know, we're going to be practically

0:01:17.880000 --> 0:01:23.320000
 taking a look at how to leverage Linux
 command line utilities, you know,

0:01:23.320000 --> 0:01:32.040000
 like, you know, cat, grep, et cetera
 to help us analyze various logs.

0:01:32.040000 --> 0:01:34.800000
 So this is a very important thing to
 do with Linux log files, you know,

0:01:34.800000 --> 0:01:39.260000
 specifically authentication logs, et
 cetera, and sort of made them easier

0:01:39.260000 --> 0:01:44.200000
 to understand so that, you know, they're
 actually readable but more importantly,

0:01:44.200000 --> 0:01:50.380000
 we're going to be using those utilities
 to search for specific information.

0:01:50.380000 --> 0:01:54.760000
 So the bottom line is this is something
 that you should be able to do

0:01:54.760000 --> 0:01:58.880000
 now. Linux, it's much easier because
 again, the log files to a certain

0:01:58.880000 --> 0:02:03.140000
 extent are human readable, but they
 contain a lot of information and,

0:02:03.140000 --> 0:02:08.880000
 you know, you will require, you know,
 skills in firstly identifying the

0:02:08.880000 --> 0:02:13.440000
 type of log file that you're currently
 reading or analyzing, but more

0:02:13.440000 --> 0:02:16.920000
 importantly, how to use that information
 to your advantage in terms of,

0:02:16.920000 --> 0:02:18.100000
 you know, using the data.

0:02:18.100000 --> 0:02:25.400000
 So you're using a tool like awk to limit
 or to format the results or what's

0:02:25.400000 --> 0:02:31.420000
 in the log file, and then consequently
 using that to derive information,

0:02:31.420000 --> 0:02:48.080000
 you know, or to validate suspicious
 activity, et cetera.

0:02:48.080000 --> 0:02:51.960000
 So if you're using a log analysis using
 Linux, once you start it up, you

0:02:51.960000 --> 0:02:55.960000
 will be provided with access to a Linux
 system and on the desktop, they're

0:02:55.960000 --> 0:02:59.480000
 going to be, you know, folders is going
 to be a folder that contains the

0:02:59.480000 --> 0:03:03.740000
 log files for this demonstration
 and I'll walk you through this.

0:03:03.740000 --> 0:03:07.200000
 This is also documented in
 the lab documentation.

0:03:07.200000 --> 0:03:10.120000
 But with that being said, let's
 not waste too much time.

0:03:10.120000 --> 0:03:15.960000
 I'm going to switch over into my lab
 environment and I'll see you there.

0:03:15.960000 --> 0:03:19.300000
 All right, so I'm currently
 within the lab environment.

0:03:19.300000 --> 0:03:24.020000
 And first things first, I'm just going
 to open up a terminal and I'll

0:03:24.020000 --> 0:03:28.080000
 increase the font size so you can see
 what I'm doing, something like this.

0:03:28.080000 --> 0:03:33.860000
 So the log files are stored on the
 desktop of the system under module

0:03:33.860000 --> 0:03:39.600000
 eight and the lab specifically is lab 25.

0:03:39.600000 --> 0:03:42.320000
 So in here, you're going
 to have three log files.

0:03:42.320000 --> 0:03:45.240000
 They're going to be used for different
 tasks as outlined in the tasks

0:03:45.240000 --> 0:03:47.500000
 tab for this particular lab.

0:03:47.500000 --> 0:03:49.580000
 We have log identification.

0:03:49.580000 --> 0:03:55.560000
 So we need to identify the type of log
 it is and then extract the IP addresses

0:03:55.560000 --> 0:04:00.120000
 and the browsers signature
 for the clients found.

0:04:00.120000 --> 0:04:03.220000
 Task two is going to be about
 spotting the attacks.

0:04:03.220000 --> 0:04:08.760000
 So, you know, using file1.log,
 we are going to need to try and

0:04:08.760000 --> 0:04:13.060000
 identify the, you know, whether there's
 any attacks and the types of attacks

0:04:13.060000 --> 0:04:18.320000
 being conducted and then task three
 is about log identification.

0:04:18.320000 --> 0:04:20.720000
 But this time using file2.log.

0:04:20.720000 --> 0:04:26.720000
 And then we have still additional log identification,
 which we'll go through.

0:04:26.720000 --> 0:04:31.460000
 So let's get started with task one, which
 is log identification specifically

0:04:31.460000 --> 0:04:34.500000
 pertinent to file1.log.

0:04:34.500000 --> 0:04:39.300000
 So there's many tools, you know, you can
 utilize when you're getting started.

0:04:39.300000 --> 0:04:44.080000
 So, you know, let's say file1.log,
 we can use the cat utility.

0:04:44.080000 --> 0:04:48.560000
 So cat will pretty much display the
 entire content of the file on the

0:04:48.560000 --> 0:04:53.080000
 terminal. And there's really not it's not
 really that convenient to navigate.

0:04:53.080000 --> 0:04:55.760000
 So you can see this is
 what it looks like.

0:04:55.760000 --> 0:05:00.980000
 And, you know, we can see that this
 log file indeed contains logs.

0:05:00.980000 --> 0:05:03.500000
 Most likely, this is a.

0:05:03.500000 --> 0:05:11.680000
 Most likely, this is a web server
 or, you know, web service log.

0:05:11.680000 --> 0:05:14.240000
 So, yeah, most likely a web server log.

0:05:14.240000 --> 0:05:18.460000
 And we can, the reason for that is we
 have, you know, web browser signatures

0:05:18.460000 --> 0:05:22.240000
 here or fingerprints as it were so
 you can see Mozilla Firefox there.

0:05:22.240000 --> 0:05:23.820000
 That's the WebKit.

0:05:23.820000 --> 0:05:30.040000
 And then if we take a look at, yeah,
 there we are HTTP is HTTP requests

0:05:30.040000 --> 0:05:34.240000
 here. We have get requests
 for various endpoints.

0:05:34.240000 --> 0:05:38.640000
 So there we also toys view for dot PHP.

0:05:38.640000 --> 0:05:42.200000
 You can also utilize the more utility.

0:05:42.200000 --> 0:05:44.280000
 So more file1.log.

0:05:44.280000 --> 0:05:47.720000
 Like so that will allow you to navigate
 through the log starting from

0:05:47.720000 --> 0:05:53.640000
 the top. So pay attention to the timestamps
 because they're very important.

0:05:53.640000 --> 0:05:58.000000
 So the, you know, you have the oldest
 first and you can enter to, you

0:05:58.000000 --> 0:06:00.280000
 know, to go through this.

0:06:00.280000 --> 0:06:05.380000
 So the newest are at the bottom, which
 is where you can then utilize a

0:06:05.380000 --> 0:06:13.140000
 tool like tail file1.log, which
 will just open up the latest

0:06:13.140000 --> 0:06:19.840000
 logs there. And you can see that here
 or you can use less file1.log.

0:06:19.840000 --> 0:06:24.000000
 Okay, something like this.

0:06:24.000000 --> 0:06:26.080000
 And you can see that there.

0:06:26.080000 --> 0:06:30.400000
 And if we use tail again, there we are.

0:06:30.400000 --> 0:06:32.300000
 So you can see that there.

0:06:32.300000 --> 0:06:36.820000
 Okay, so this is great.

0:06:36.820000 --> 0:06:41.480000
 But again, you probably are asking me
 the same, you know, asking me the

0:06:41.480000 --> 0:06:46.020000
 question. Well, yeah, this is kind of
 hard to, you know, analyze in terms

0:06:46.020000 --> 0:06:50.440000
 of firstly understanding exactly
 what fields we have here.

0:06:50.440000 --> 0:06:54.420000
 Because with the SIEM, as you know,
 that did that sorting and, you know,

0:06:54.420000 --> 0:06:59.240000
 parsing for us. But more importantly,
 how can we, you know, extract useful

0:06:59.240000 --> 0:07:00.920000
 information from the log?

0:07:00.920000 --> 0:07:02.800000
 How can we analyze this log?

0:07:02.800000 --> 0:07:08.840000
 So the first thing we need to do is to
 understand exactly what information

0:07:08.840000 --> 0:07:17.500000
 is contained in this log file and, you
 know, we need to sort of analyze.

0:07:17.500000 --> 0:07:22.440000
 You know, the fields as it were, but
 also how the how it's formatted with

0:07:22.440000 --> 0:07:24.040000
 regards to the spacing and stuff.

0:07:24.040000 --> 0:07:26.040000
 So I'm just going to zoom
 out a little bit.

0:07:26.040000 --> 0:07:32.300000
 And let me use cat file1.log here
 and just see whether I can understand

0:07:32.300000 --> 0:07:33.440000
 it a little bit better.

0:07:33.440000 --> 0:07:34.840000
 So we have the, you know.

0:07:34.840000 --> 0:07:38.740000
 Where the traffic is coming
 from, it appears.

0:07:38.740000 --> 0:07:41.880000
 The client IP addresses it were.

0:07:41.880000 --> 0:07:45.260000
 And then we have a timestamp right
 over here in Unix format.

0:07:45.260000 --> 0:07:49.880000
 Okay. And then we have the actual
 request here and the protocol.

0:07:49.880000 --> 0:07:55.680000
 It makes sense. And then the response
 HTTP response code over there as

0:07:55.680000 --> 0:08:05.540000
 well. Okay. And then the browser
 signature fingerprint as it were.

0:08:05.540000 --> 0:08:10.720000
 So what information is key to us here?

0:08:10.720000 --> 0:08:12.820000
 We want to let's see.

0:08:12.820000 --> 0:08:20.220000
 How about we, you know, let's say we
 wanted to display only the client

0:08:20.220000 --> 0:08:28.120000
 IP and the this right over here,
 the browser fingerprint, right?

0:08:28.120000 --> 0:08:28.940000
 So how could we do this?

0:08:28.940000 --> 0:08:34.160000
 Well, this is where we can start using
 or piping output from one command

0:08:34.160000 --> 0:08:36.420000
 or from one utility into the other.

0:08:36.420000 --> 0:08:39.820000
 So we can say cat file1.log.

0:08:39.820000 --> 0:08:44.060000
 We can then pipe this to a
 utility called cut and say.

0:08:44.060000 --> 0:08:50.120000
 cut -d and we want to get
 rid of spaces, right?

0:08:50.120000 --> 0:08:59.020000
 So. cut -d and then so we want to extract
 the first and 12 space separated

0:08:59.020000 --> 0:09:03.560000
 fields. So. Yeah, they were 12.

0:09:03.560000 --> 0:09:06.320000
 If I remember, let me
 just check that again.

0:09:06.320000 --> 0:09:13.460000
 So we have one, two, three, four.

0:09:13.460000 --> 0:09:15.360000
 Five six seven. Okay.

0:09:15.360000 --> 0:09:17.420000
 So one, two, three.

0:09:17.420000 --> 0:09:24.440000
 One, two, three, four, five, six,
 seven, eight, nine, ten, 12.

0:09:24.440000 --> 0:09:27.220000
 Yes. So one of it there.

0:09:27.220000 --> 0:09:33.220000
 Feels so that would be one to three.

0:09:33.220000 --> 0:09:35.960000
 Let me just count them and confirm.

0:09:35.960000 --> 0:09:38.460000
 Okay. So we can actually count them here.

0:09:38.460000 --> 0:09:41.160000
 So we have one, two, three, four.

0:09:41.160000 --> 0:09:52.540000
 So spaces, so five, six, seven,
 eight, nine, ten, eleven.

0:09:52.540000 --> 0:09:54.100000
 And then 12. Okay.

0:09:54.100000 --> 0:09:55.180000
 Yeah. So that's correct.

0:09:55.180000 --> 0:09:59.020000
 So what we can do is we want to display
 the first and last of the IP and

0:09:59.020000 --> 0:10:02.340000
 the. Signature fingerprint
 of the browser.

0:10:02.340000 --> 0:10:05.700000
 We can say cat file1.log

0:10:05.700000 --> 0:10:12.440000
 and then pipe that into cut
 and then say -d space, the delimiter,

0:10:12.440000 --> 0:10:14.260000
 you know, the delimiter in this case

0:10:14.260000 --> 0:10:22.940000
 We were specifying to cut
 is a space and then first.

0:10:22.940000 --> 0:10:28.960000
 First and 12. So -f 1,12
 and then pipe that.

0:10:28.960000 --> 0:10:35.740000
 And we can then get rid of duplicates
 by saying or utilizing the sort

0:10:35.740000 --> 0:10:38.420000
 utility and we say sort unique.

0:10:38.420000 --> 0:10:41.280000
 We hit enter and now we can see it here.

0:10:41.280000 --> 0:10:48.540000
 So as you can see, this gives
 us the client IP and the.

0:10:48.540000 --> 0:10:51.080000
 The fingerprint of their browser.

0:10:51.080000 --> 0:10:55.220000
 So here we have, you know, coming
 from the following IP.

0:10:55.220000 --> 0:10:59.080000
 We have Googlebot, Mozilla and sqlmap.

0:10:59.080000 --> 0:11:03.340000
 Okay. So if you don't know about sqlmap,
 that's a very well known

0:11:03.340000 --> 0:11:07.240000
 Tool or framework that is used to automate
 SQL injection attacks against

0:11:07.240000 --> 0:11:10.520000
 web servers. And we can,
 yeah, there we are.

0:11:10.520000 --> 0:11:13.740000
 We also have a header here
 telling us Apache.

0:11:13.740000 --> 0:11:16.160000
 Okay. So we know it's
 an Apache web server.

0:11:16.160000 --> 0:11:21.200000
 Okay. So still on file1.log, let's
 move on to task two, which is spotting

0:11:21.200000 --> 0:11:25.500000
 attacks, right? Now, given that this
 is a web server log, you know, it

0:11:25.500000 --> 0:11:27.660000
 makes and we've seen sqlmap in here.

0:11:27.660000 --> 0:11:31.380000
 It makes perfect sense to check for,
 you know, the most well known web

0:11:31.380000 --> 0:11:33.260000
 application attacks.

0:11:33.260000 --> 0:11:38.040000
 You know, when whenever you're
 analyzing or when analyzing.

0:11:38.040000 --> 0:11:40.900000
 Web server logs.

0:11:40.900000 --> 0:11:45.720000
 So we also saw that request
 of being made to PHP page.

0:11:45.720000 --> 0:11:49.720000
 So the first type of attack would
 be cross site scripting attack.

0:11:49.720000 --> 0:11:53.260000
 And as you know, the most
 common indicator there.

0:11:53.260000 --> 0:11:58.500000
 When you're talking about cross site
 scripting attacks is the script tag.

0:11:58.500000 --> 0:12:01.120000
 So we can say file1.log.

0:12:01.120000 --> 0:12:04.900000
 grep, we can now pipe it to the grep
 utility, which allows us to look

0:12:04.900000 --> 0:12:07.800000
 for strings and we can say script.

0:12:07.800000 --> 0:12:09.580000
 We hit enter. Okay.

0:12:09.580000 --> 0:12:11.980000
 So we get that there.

0:12:11.980000 --> 0:12:17.280000
 But of course we can do
 a lot better than this.

0:12:17.280000 --> 0:12:21.780000
 You know, if we can also let's see, yeah,
 you can see it right over here.

0:12:21.780000 --> 0:12:22.780000
 So the get request.

0:12:22.780000 --> 0:12:28.320000
 So products view one.php parameter
 name is equal to and this is a URL

0:12:28.320000 --> 0:12:32.420000
 encoded over here.

0:12:32.420000 --> 0:12:39.280000
 So that would be the less than symbol
 script greater than and then alert.

0:12:39.280000 --> 0:12:41.300000
 Yeah. So there have been attacks.

0:12:41.300000 --> 0:12:43.700000
 These all came from the following IP.

0:12:43.700000 --> 0:12:48.000000
 If we're trying to look for, you know,
 that's a standard cross site scripting

0:12:48.000000 --> 0:12:51.720000
 attack payload. If we're trying to
 look for payloads pertinent to SQL

0:12:51.720000 --> 0:12:56.740000
 injection, then we would use SQL injection
 related keywords or keywords

0:12:56.740000 --> 0:13:03.200000
 used in SQL injection payloads like
 and so logical or logical operators

0:13:03.200000 --> 0:13:07.660000
 like and or one equals
 one things like this.

0:13:07.660000 --> 0:13:10.420000
 So why don't we try this here?

0:13:10.420000 --> 0:13:13.460000
 So we can say and and let's see.

0:13:13.460000 --> 0:13:14.860000
 There we are. We can actually see it.

0:13:14.860000 --> 0:13:19.200000
 So and sleep. So this looks like time
 based SQL injection just based on

0:13:19.200000 --> 0:13:22.380000
 the payload and it's coming
 from the following IP.

0:13:22.380000 --> 0:13:28.700000
 So this is how you can again analyze log
 files on Linux to identify malicious

0:13:28.700000 --> 0:13:33.100000
 activity. And again, there's many reasons
 why you know you need to do

0:13:33.100000 --> 0:13:35.620000
 this or you should learn how to do this.

0:13:35.620000 --> 0:13:37.880000
 But you know, we can also.

0:13:37.880000 --> 0:13:42.840000
 Yeah, if we take a look at this, we can
 see there's quite a bit of information

0:13:42.840000 --> 0:13:48.100000
 here or quite. Yeah, you can see they're
 all coming from sqlmap, which

0:13:48.100000 --> 0:13:50.160000
 means these are base64 encoded.

0:13:50.160000 --> 0:13:53.840000
 So, you know, this would require
 further analysis in any case.

0:13:53.840000 --> 0:13:56.960000
 You can also search for,
 you know, different.

0:13:56.960000 --> 0:14:01.360000
 If we say not just grep
 and we can say grep all.

0:14:01.360000 --> 0:14:06.160000
 There we are. We can also identify
 some of the other payloads.

0:14:06.160000 --> 0:14:08.540000
 Let's see if I can find this here.

0:14:08.540000 --> 0:14:14.300000
 So root union. That's a union
 based payload there.

0:14:14.300000 --> 0:14:17.620000
 Yeah, so we want to look for Boolean.

0:14:17.620000 --> 0:14:27.060000
 Okay. So this is get union column type.

0:14:27.060000 --> 0:14:29.820000
 Okay. And there we are.

0:14:29.820000 --> 0:14:32.920000
 So columns just trying
 to read through it.

0:14:32.920000 --> 0:14:41.180000
 And one second. We can actually be
 more specific by saying grep -E.

0:14:41.180000 --> 0:14:44.160000
 Let's go ahead and encapsulate
 that there.

0:14:44.160000 --> 0:14:46.920000
 Yeah, so it's not actually highlighting
 it on the screen.

0:14:46.920000 --> 0:14:48.860000
 That's very interesting.

0:14:48.860000 --> 0:14:52.340000
 Usually grep, you know, will highlight
 what you're looking for in red

0:14:52.340000 --> 0:14:55.680000
 on the screen, but regardless of that.

0:14:55.680000 --> 0:15:04.140000
 So union, so root union all select, concat
 the following and then if null

0:15:04.140000 --> 0:15:08.380000
 cast table. Okay.

0:15:08.380000 --> 0:15:12.840000
 Yeah. From the following tables.

0:15:12.840000 --> 0:15:16.640000
 Okay. That's interesting.

0:15:16.640000 --> 0:15:19.780000
 I can see whether that's always
 been used in any case.

0:15:19.780000 --> 0:15:21.980000
 That's, you know, how you can do it.

0:15:21.980000 --> 0:15:26.340000
 You can also just be, you know, quite
 obvious with it and say sqlmap.

0:15:26.340000 --> 0:15:30.680000
 That'll bring up all logs pertinent
 to, you know, sqlmap being used

0:15:30.680000 --> 0:15:35.840000
 to attack this particular web server and
 the subsequent or the web application.

0:15:35.840000 --> 0:15:38.500000
 It's hosting. Okay.

0:15:38.500000 --> 0:15:43.760000
 So, let's move on to file2.log.

0:15:43.760000 --> 0:15:48.600000
 And we, you know, the starting point
 is to identify the type of log file

0:15:48.600000 --> 0:15:49.300000
 we're dealing with.

0:15:49.300000 --> 0:15:52.240000
 So we'll say cat file2.log.

0:15:52.240000 --> 0:15:59.260000
 And okay. So this looks like
 so we have Unix over here.

0:15:59.260000 --> 0:16:01.040000
 No, wait. Hold on a minute.

0:16:01.040000 --> 0:16:07.280000
 Unix time. Let me just zoom out so you
 can see this a little bit better.

0:16:07.280000 --> 0:16:12.000000
 Okay. Yeah. That looks like
 Unix time or time code.

0:16:12.000000 --> 0:16:14.060000
 So this looks like.

0:16:14.060000 --> 0:16:22.460000
 Yeah. This looks like it's tracking
 SSH authentication attempts.

0:16:22.460000 --> 0:16:26.900000
 So it's not really an auth log per
 se, but we can see failures, multiple

0:16:26.900000 --> 0:16:33.180000
 failures. And over here.

0:16:33.180000 --> 0:16:36.040000
 So this one right over here.

0:16:36.040000 --> 0:16:42.580000
 Yeah. Okay. So we know the source destination
 and then the, you know,

0:16:42.580000 --> 0:16:45.380000
 version of OpenSSH.

0:16:45.380000 --> 0:16:47.760000
 So this is where we can use a tool.

0:16:47.760000 --> 0:16:54.120000
 If we wanted to analyze this, we can
 use a tool like awk, you know,

0:16:54.120000 --> 0:17:00.200000
 to, let's say, extract specific fields
 or to give us, you know, specific

0:17:00.200000 --> 0:17:02.180000
 fields that we want.

0:17:02.180000 --> 0:17:10.420000
 You know, for example.

0:17:10.420000 --> 0:17:16.400000
 So we can go for, let's say, that's,
 I still need to zoom out so I can

0:17:16.400000 --> 0:17:19.020000
 understand how this is formatted.

0:17:19.020000 --> 0:17:20.020000
 Just do it again.

0:17:20.020000 --> 0:17:23.740000
 Okay. So this we have one here.

0:17:23.740000 --> 0:17:28.600000
 Two. So this is the source address
 and then destination that might be

0:17:28.600000 --> 0:17:30.960000
 interesting and the ports, right?

0:17:30.960000 --> 0:17:35.920000
 So that would be one, two,
 three, four, five and six.

0:17:35.920000 --> 0:17:37.980000
 Those are the fields we want.

0:17:37.980000 --> 0:17:43.880000
 Okay. Okay. So we can use awk here.

0:17:43.880000 --> 0:17:45.720000
 This is going to be a complex script.

0:17:45.720000 --> 0:17:50.580000
 It's all it's, it's already been outlined
 in the lab documentation here.

0:17:50.580000 --> 0:18:00.000000
 But what we're looking for here is
 just those, what we're looking for

0:18:00.000000 --> 0:18:06.280000
 because that is, we just want
 to extract specific fields.

0:18:06.280000 --> 0:18:10.940000
 So I'm just going to copy and I'll paste
 in the awk script and maybe explain

0:18:10.940000 --> 0:18:13.420000
 what it does. So let me just zoom in.

0:18:13.420000 --> 0:18:15.080000
 Just give me a second.

0:18:15.080000 --> 0:18:18.900000
 Okay. So I've just copied and pasted
 the awk script provided in the lab

0:18:18.900000 --> 0:18:24.360000
 documentation. So we can see that this,
 this might be confusing if you

0:18:24.360000 --> 0:18:27.880000
 have never used awk before and I'm just
 going to try and explain to you

0:18:27.880000 --> 0:18:29.880000
 exactly what's going on.

0:18:29.880000 --> 0:18:40.260000
 So we're using awk and we specify
 right over here file2.log.

0:18:40.260000 --> 0:18:46.160000
 So given that the spacing was tab separated,
 we know, separated, that the

0:18:46.160000 --> 0:18:50.200000
 fields are separated with tabs as
 you saw, not just a single space.

0:18:50.200000 --> 0:18:53.940000
 We say -F and then '\t'.

0:18:53.940000 --> 0:19:00.720000
 So that's what it does there.

0:19:00.720000 --> 0:19:06.060000
 Okay. So BEGIN print.

0:19:06.060000 --> 0:19:09.680000
 That gets the right over here.

0:19:09.680000 --> 0:19:12.200000
 Let me just see how to explain this.

0:19:12.200000 --> 0:19:20.240000
 So the BEGIN block, when using BEGIN, this
 runs before processing any line.

0:19:20.240000 --> 0:19:21.620000
 So it's essentially.

0:19:21.620000 --> 0:19:24.840000
 So printf. Okay.

0:19:24.840000 --> 0:19:31.600000
 And then, yeah. So essentially printing
 a header with the following column

0:19:31.600000 --> 0:19:36.620000
 labels. So source IP, source port,
 destination IP, destination port.

0:19:36.620000 --> 0:19:41.540000
 And then it's printing that and that's
 corresponding to the following

0:19:41.540000 --> 0:19:44.900000
 fields or columns as it were.

0:19:44.900000 --> 0:19:50.020000
 So for each line in the file, this script
 will extract the third and fourth

0:19:50.020000 --> 0:19:54.640000
 fields. So that would be, you know,
 source IP and port and then fifth and

0:19:54.640000 --> 0:19:58.540000
 sixth fields. That will be
 the destination IP and port.

0:19:58.540000 --> 0:20:02.420000
 So that's why the number here
 uniquely or accordingly.

0:20:02.420000 --> 0:20:09.480000
 And then it'll print this in a table
 with, you know, consistent spacing.

0:20:09.480000 --> 0:20:13.820000
 So if we hit enter right over here,
 we can see it actually does that.

0:20:13.820000 --> 0:20:16.480000
 So we have the all the attempts.

0:20:16.480000 --> 0:20:20.840000
 So the source IP, the source port and
 the destination IP destination port.

0:20:20.840000 --> 0:20:27.340000
 But of course, you know, we can make
 this a little bit more at the end.

0:20:27.340000 --> 0:20:31.800000
 You know, you can filter through this
 and look for specific attempts or,

0:20:31.800000 --> 0:20:35.580000
 you know, specific users,
 all that good stuff.

0:20:35.580000 --> 0:20:44.220000
 So with that being said, we can move
 on to analyzing file3.log.

0:20:44.220000 --> 0:20:49.160000
 So let's go ahead and do that right now.

0:20:49.160000 --> 0:20:51.780000
 So I'm just going to say cat.

0:20:51.780000 --> 0:20:53.840000
 file3.log.

0:20:53.840000 --> 0:21:00.420000
 Okay. So this one, this one is a bit
 different, but yeah, we can see port

0:21:00.420000 --> 0:21:04.620000
 21. So this is most likely
 an FTP log file.

0:21:04.620000 --> 0:21:22.020000
 And we can also analyze this with with
 awk to, you know, pretty much.

0:21:22.020000 --> 0:21:26.640000
 You know, tab spacing as it were
 being used as the delimiter here.

0:21:26.640000 --> 0:21:30.420000
 So what we would want is so 1, 2, 3.

0:21:30.420000 --> 0:21:35.220000
 So source IP, source port, destination
 IP destination port.

0:21:35.220000 --> 0:21:39.620000
 Right. So the actually hold on.

0:21:39.620000 --> 0:21:43.660000
 I think we need that would be.

0:21:43.660000 --> 0:21:54.680000
 Let's see. So this would be three,
 four, five, six, and then seven.

0:21:54.680000 --> 0:22:01.540000
 Okay, that would be user
 and then the password.

0:22:01.540000 --> 0:22:04.940000
 So, you know, we can easily just modify.

0:22:04.940000 --> 0:22:09.440000
 Or I'll just copy over the
 awk script that's used here.

0:22:09.440000 --> 0:22:12.960000
 It's pretty much similar to
 the one we used previously.

0:22:12.960000 --> 0:22:15.300000
 So I'll just zoom in.

0:22:15.300000 --> 0:22:19.800000
 Sorry, I'll make the terminal font
 a little bit larger and then paste

0:22:19.800000 --> 0:22:26.100000
 that in here. So now, yeah, that includes
 the seventh and eighth fields.

0:22:26.100000 --> 0:22:31.160000
 So we enter. And now we can see that
 we have the source IP source port

0:22:31.160000 --> 0:22:36.880000
 destination IP destination port the
 user and the password that was used.

0:22:36.880000 --> 0:22:42.360000
 And then of course, you know, you
 can also pipe this to other tools.

0:22:42.360000 --> 0:22:45.180000
 You know, for example,
 yeah, that's multi.

0:22:45.180000 --> 0:22:47.980000
 So we can say sort -u.

0:22:47.980000 --> 0:22:51.940000
 That should work.

0:22:51.940000 --> 0:22:58.160000
 No, we can actually pipe it earlier,
 but yeah, that's 45.

0:22:58.160000 --> 0:23:04.300000
 Yeah. Yeah. So you get the idea,
 you know, you can analyze this.

0:23:04.300000 --> 0:23:08.100000
 However, which way you want,
 but that said, there's.

0:23:08.100000 --> 0:23:14.080000
 All of this activity would be considered
 malicious or, you know, suspicious.

0:23:14.080000 --> 0:23:18.060000
 This is a brute force attack, but the
 key thing that I wanted to point

0:23:18.060000 --> 0:23:22.000000
 out is, you know, log identification
 identifying, you know, what the log

0:23:22.000000 --> 0:23:26.380000
 file represents in terms of the information
 therein and then sort of

0:23:26.380000 --> 0:23:31.080000
 analyzing how the log is formatted or
 structured, because again, you don't

0:23:31.080000 --> 0:23:33.100000
 have a tool to parse it for you.

0:23:33.100000 --> 0:23:39.580000
 And then utilizing some Linux or, you
 know, really Unix text editing or

0:23:39.580000 --> 0:23:45.720000
 text modification utilities to filter
 or to format the results based on,

0:23:45.720000 --> 0:23:48.460000
 you know, predefined criteria.

0:23:48.460000 --> 0:23:53.780000
 That criteria being, you know, fields or
 specific fields that we're interested

0:23:53.780000 --> 0:23:56.840000
 in. And this is exactly
 what a SIEM would be doing.

0:23:56.840000 --> 0:24:02.500000
 It's filtering fields that are again
 relevant to you or relevant to threat

0:24:02.500000 --> 0:24:05.980000
 detection and consequently
 incident response.

0:24:05.980000 --> 0:24:09.560000
 With that being said, that brings us
 to the practical, the end of the

0:24:09.560000 --> 0:24:12.660000
 practical demonstration
 section of this video.

0:24:12.660000 --> 0:24:18.460000
 All right, so that was how to, you know, perform
 log analysis or log identification

0:24:18.460000 --> 0:24:27.320000
 and analysis using Linux utilities, you
 know, text modification utilities.

0:24:27.320000 --> 0:24:29.680000
 And hopefully you found that valuable.

0:24:29.680000 --> 0:24:34.380000
 As I said, there's a lot more you can
 do with regards to, you know, sed,

0:24:34.380000 --> 0:24:37.740000
 awk, grep, so on and so forth.

0:24:37.740000 --> 0:24:43.340000
 And there's plenty of utilities out there
 that can make this process easier.

0:24:43.340000 --> 0:24:49.820000
 Of course, if you're new to awk or
 tools that are similar to awk, then

0:24:49.820000 --> 0:24:52.480000
 you can definitely perform
 some more research.

0:24:52.480000 --> 0:24:55.620000
 There's a lot of, you know, utilities
 or services online that can actually

0:24:55.620000 --> 0:24:59.420000
 create an awk script for you based on
 the, you know, your requirements.

0:24:59.420000 --> 0:25:02.540000
 And so it's not really important that
 you memorize this, but, you know,

0:25:02.540000 --> 0:25:06.820000
 just being familiar or aware of the
 fact that this can be done and done

0:25:06.820000 --> 0:25:08.400000
 relatively easily.

0:25:08.400000 --> 0:25:10.620000
 If you know what you're
 doing is the key here.

0:25:10.620000 --> 0:25:14.240000
 So that's going to be it for this video.

0:25:14.240000 --> 0:25:16.980000
 And I will be seeing you
 in the next video.
