Filtering with Wireshark and parsing logs with Log Parse Lizard

Recently one of my clients had one of their servers attacked.  The intrusion detection caught it, and I believe a lot of the malicious stuff they were trying were correctly filtered out by asp.net as dangerous requests, but in order to understand more about what was/is going on, I worked with 2 tools to help look at the situation a little deeper.

First, I wanted to look at the live requests coming to the server and see the payloads they contained.  To do this, I installed WireShark on the server, and started to capture traffic.

Wireshark as 2 types of filters: capture filters and display filters.  From the capture side of things, you can really cut down on the noise if you filter out the stuff you don’t care about.  So I used a capture filter of tcp port 80 or tcp port 443

image 

Then, while the capture is running you can type in a display filter so that you can tell if you are getting the specific type of request you are interested in during the current trace.  In this case, I was only interested in http POSTs, so I could use this filter http.request.method == “POST”

image

This way you can let the trace run until you see records start to come through that match both filters.

The other thing I wanted to do was to look at log files to see how the traffic to the site changed over time.  To do this I installed MS Log Parser and the Log Parser Lizard.  With these two tools it allows for a nice UI and SQL queries against the data.  As you can see below, the requests/attacks started at 5:52.

image

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s