Web Server Logs
- typically configured to log HTTP traffic that:
  - encounters an error
  - or matches some predefined rule set
- this can preserve indicators of attempted and successful replay, forgery, and injection attacks
- the status code of a response can reveal information about the request and the server’s behavior
  - 400-range codes indicate client-based errors
    - repeated 403 (“Forbidden”) responses
      - may indicate that the server is rejecting a client’s attempts to access resources they are not authorized to access
  - 500-range codes indicate server-based errors
    - a 502 (“Bad Gateway”) response could indicate
      - that communications between the target server and its upstream server are being blocked
      - or that the upstream server is down
- some web server software also logs HTTP header information for both requests and responses
  - this can provide a detailed picture of the makeup of each request or response
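
The status-code signals above can be pulled out of an access log with a short triage script. This is an added example, not part of the original notes: it assumes the server writes Common Log Format, the sample lines are constructed, and the threshold of three 403s is an arbitrary assumption.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 403 153
192.0.2.10 - - [10/Mar/2024:10:00:02 +0000] "GET /admin/users HTTP/1.1" 403 153
192.0.2.10 - - [10/Mar/2024:10:00:03 +0000] "GET /admin/config HTTP/1.1" 403 153
198.51.100.7 - - [10/Mar/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "GET /private HTTP/1.1" 403 153
203.0.113.5 - - [10/Mar/2024:10:00:06 +0000] "POST /api/orders HTTP/1.1" 502 166
203.0.113.9 - - [10/Mar/2024:10:00:07 +0000] "GET /api/orders HTTP/1.1" 502 166
this line is malformed and must be skipped
"""

def parse(log_text):
    """Yield one dict per parseable line; skip anything malformed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def triage(log_text, forbidden_threshold=3):
    """Return (clients with repeated 403s, 502 counts per path)."""
    forbidden = Counter()    # 403 responses per client address
    bad_gateway = Counter()  # 502 responses per requested path
    for entry in parse(log_text):
        if entry["status"] == "403":
            forbidden[entry["client"]] += 1
        elif entry["status"] == "502":
            bad_gateway[entry["path"]] += 1
    # A single 403 is routine; only repeated rejections of one client are kept.
    repeated = {c: n for c, n in forbidden.items() if n >= forbidden_threshold}
    return repeated, dict(bad_gateway)

if __name__ == "__main__":
    repeated, gateway = triage(SAMPLE_LOG)
    print("repeated 403s by client:", repeated)
    print("502s by path:", gateway)
```

Grouping 502s by path shows whether the failures cluster on one upstream-backed route, which is the starting point for checking whether that upstream is down or being blocked.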