Firewall Logs
(OBJ 4.9)
Standard firewall log example
- Note all the sources are the same
- The internal destination server is the same in every entry as well
- Note every single one of these is Blocked
- The Source Port is a random high number port incrementing up one each time
- Remember these high number ports are being chosen by the OS when they're making an outbound connection to a remote server.
- The first port the source IP tries is port 22, then it tries port 80, then 443, then 8080, 23, 21, etc.
- Each one is being blocked
- This looks exactly like a Port Scan
- Our firewall is detecting it and blocking it because all these ports are ones that are closed to the outside world on this particular network.
Web application firewall log
- Web server at 192.168.10.50 is being connected to by a source IP, which is our remote attacker, at 58.33.123.101.
- It is using a GET method, and the URL or web address being accessed is everything after that:
- /index.php?id=1 and then /index.php?id=' OR '1'='1' --
- Note the Status code
- 200 = OK status
- The web server returned a response, but the request was blocked by the firewall, which intercepted that OK code and didn't send it back to the end user.
- 403 = Forbidden status
- Indicates that the server understood the request, but it refuses to authorize it.
- Blocked by the firewall
- 200 = OK status
- In the third entry a POST command is being used against /login.php
- The fourth one is a GET command against /search?q=' DROP TABLE users; -- and they're trying to actually drop your SQL table
- The fifth line shows a time-based SQL injection
- The last line is trying to gather information about the database by injecting an SQL command that counts the entries in the database's system tables.
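As an added example (not from the original notes), a small Python script applies the two reading rules above to constructed log lines: it groups blocked firewall entries by source and destination to surface the port-scan pattern, and it URL-decodes WAF entries and matches them against the injection styles listed. The log formats, IPs and rule names are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote
# Constructed firewall log lines (simplified format, not from the page):
# time src_ip src_port dst_ip dst_port action
FW_LOG = """\
18:44:01 58.33.123.101 51432 192.168.10.50 22 BLOCK
18:44:01 58.33.123.101 51433 192.168.10.50 80 BLOCK
18:44:02 58.33.123.101 51434 192.168.10.50 443 BLOCK
18:44:02 58.33.123.101 51435 192.168.10.50 8080 BLOCK
18:44:03 58.33.123.101 51436 192.168.10.50 23 BLOCK
18:44:03 58.33.123.101 51437 192.168.10.50 21 BLOCK
18:44:05 10.0.0.7 49210 192.168.10.50 443 ALLOW
"""
# Constructed WAF log lines, URL-encoded as a real access log would be: src_ip method url status
WAF_LOG = """\
58.33.123.101 GET /index.php?id=1 200
58.33.123.101 GET /index.php?id='%20OR%20'1'='1'%20-- 403
58.33.123.101 POST /login.php 403
58.33.123.101 GET /search?q='%20DROP%20TABLE%20users;%20-- 403
58.33.123.101 GET /index.php?id=1'%20AND%20SLEEP(5)-- 403
58.33.123.101 GET /index.php?id=1%20UNION%20SELECT%20COUNT(*)%20FROM%20information_schema.tables-- 403
"""

def find_port_scans(log, min_ports=5):
    """(src, dst) -> sorted blocked ports, kept only when >= min_ports distinct ports were probed."""
    blocked = defaultdict(set)
    for line in log.splitlines():
        _time, src, _sport, dst, dport, action = line.split()
        if action == "BLOCK":
            blocked[(src, dst)].add(int(dport))
    return {k: sorted(v) for k, v in blocked.items() if len(v) >= min_ports}

# Signatures for the injection styles the WAF log shows (rule names are hypothetical).
SQLI_RULES = {
    "tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
    "destructive": re.compile(r"\bdrop\s+table\b", re.I),
    "time-based": re.compile(r"\b(sleep|pg_sleep|waitfor\s+delay)\b", re.I),
    "schema-enumeration": re.compile(r"information_schema|\bcount\(\*\)", re.I),
}

def classify_waf(log):
    """Return (url, status, [matched rule names]) per entry; decode first so %20 does not hide payloads."""
    results = []
    for line in log.splitlines():
        _src, _method, url, status = line.split()
        decoded = unquote(url)
        matched = [name for name, rx in SQLI_RULES.items() if rx.search(decoded)]
        results.append((url, int(status), matched))
    return results
```

The first WAF entry carries no injection marker and shows status 200, while every flagged entry shows 403, matching the blocked-by-firewall reading above.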