Skip to main content


Showing posts from January, 2019

Apache log analysis with Sublime Text 3

Analyzing log files is generally a tedious task, especially when you are hunting for anomalies without an initial lead or indication of evil. Trying to remove all the legitimate entries while leaving the malicious entries requires not only knowledge of common attacker techniques and understanding patterns but a flexible tool. In this post, we’re going to cover analysis of Apache Tomcat access logs and Catalina logs using a text editor called “Sublime Text 3” ( The Scenario To make things semi-realistic, i’ve deployed Apache Tomcat on top of Windows Server 2012 with ports 80,443 and 8080 exposed. For now, we’re not going to deploy any apps such as WordPress, Drupal or Jenkins. In our scenario, the customer (who owns this Tomcat server) has tasked our team with analyzing both the Apache and Catalina logs to help identify some suspicious activity.
In many real world cases, web applications are usually in a DMZ on their own, behind a load balancer, inside a do…

Leveraging AWS for Incident Response: Part 2

In my previous post ( we covered how AWS resources such as S3 can be used to quickly spool up storage, lockdown access to this storage and provision users in the AWS console. In this post, we’re going to cover how we can automate this process. Before we began, let’s review some common issues with the previous manual process of using AWS console to provision and manage AWS resources: Time to provision: If you’re new to AWS, using the AWS console to provision the S3 bucket, bucket policy and IAM user account with programmatic access may take ~30 minutes, while those who are more familiar, ~10m.Standardization: When using AWS console, simple copy/paste errors may occur. This may expose the bucket to the wrong customer (or even to the public). Other issues include:Ensuring the bucket names are consistent for all customers. A defined naming convention should be used that is unique for each engagement, as one custo…