What information from HTTP logs can be used to find a threat actor?

A. referer
B. IP address
C. user-agent
D. URL


13 thoughts on “What information from HTTP logs can be used to find a threat actor?”

  1. A. referer – not reliable, for example on a direct visit
    B. IP address – there’s no IP address in HTTP log
    C. user-agent <- that's the correct answer
    D. URL – this will only show you which URL was visited, not who did it

  2. And how is this information going to help you to find the threat actor? There are for sure only a few users in the world running the Mozilla/5.0 (X11; U; Linux i686; en-US) Gecko Ubuntu/9.10 (karmic) Firefox/3.5.1 web browser. Not even talking about the fact that you can completely make this information up. Good luck searching other logs for this information, for example your firewall.

  3. B because:
    The User-Agent request header contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor or software version of the requesting software user agent.
    It won't show you who.

    On the other hand, an IP address can give you more information about a host

    1. Wait guys, I think it may be Referer

      The HTTP referer (originally a misspelling of referrer) is an HTTP header field that identifies the address of the webpage (i.e. the URI or IRI) that linked to the resource being requested. By checking the referrer, the new webpage can see where the request originated.

      In the most common situation this means that when a user clicks a hyperlink in a web browser, the browser sends a request to the server holding the destination webpage. The request includes the referer field, which indicates the last page the user was on (the one where they clicked the link).

      Referer logging is used to allow websites and web servers to identify where people are visiting them from, for promotional or statistical purposes.

      Source: https://en.wikipedia.org/wiki/HTTP_referer

      1. I was leaning towards B but have looked up referer myself too. In this example of HTTP logs, a referer would be a key variable and this is our threat actor. I believe IP address is a pitfall answer and this actually is the source IP not destination. Going with B on this one.

        1. *correction* Going with Nemo’s A – if there were choices it would be both of these answers but if we can only pick one, then Referer
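
The four fields in the question, pulled out of web server access logs and grouped per client address. This is an added example, not part of the original post or its comments; it assumes the logs are in Apache/nginx Combined Log Format, and the sample lines are constructed (documentation-range addresses and example hostnames).

```python
import re
from collections import defaultdict

# Combined Log Format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 128 "https://example.com/login" "curl/8.1.2"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 128 "https://example.com/login" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
203.0.113.20 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "https://search.example.net/?q=shop" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
malformed line that is not in combined format
"""

def parse_line(line):
    """Return a dict of fields, or None if the line is not Combined Log Format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "-" means the client sent no Referer header (for example a direct visit).
    rec["referer"] = None if rec["referer"] == "-" else rec["referer"]
    return rec

def summarize_by_ip(log_text):
    """Group parsed requests by client IP and collect the other three fields."""
    summary = defaultdict(lambda: {"requests": 0, "failed": 0, "urls": set(),
                                   "referers": set(), "agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of guessing at fields
        s = summary[rec["ip"]]
        s["requests"] += 1
        s["urls"].add(rec["url"])
        s["agents"].add(rec["agent"])  # client-supplied header
        if rec["referer"]:
            s["referers"].add(rec["referer"])  # client-supplied header
        if rec["status"] in ("401", "403"):
            s["failed"] += 1
    return dict(summary)

if __name__ == "__main__":
    for ip, s in summarize_by_ip(SAMPLE_LOG).items():
        print(ip, s["requests"], "requests,", s["failed"], "auth failures,", len(s["agents"]), "user-agents")
```

In the constructed sample, one address presents three different user-agent strings, and the same user-agent string appears under two different addresses.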
