Syhunt Forensic: Getting Started
The information in this document applies to version 7.0.13 of Syhunt Forensic.
Introduction
Syhunt Forensic, formerly known as Syhunt Insight, is a powerful tool designed to investigate and prevent security breaches by providing rapid analysis of web application compromises. It accurately identifies the source, type, and methods used in attacks, helping organizations quickly address vulnerabilities and defend against cyber threats.
Syhunt Forensic is a complementary tool designed to work alongside Syhunt's Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) tools. It is not a stand-alone product; instead, it enhances Syhunt's security ecosystem by focusing on post-incident analysis and breach investigation. While Syhunt's DAST and SAST tools proactively identify and address vulnerabilities during development and deployment, Syhunt Forensic provides detailed insights into attacks that have already occurred. This comprehensive approach ensures a well-rounded security posture, addressing both prevention and response.
How to perform a forensic scan
Syhunt Forensic is specifically designed to analyze and reconstruct attack sessions using logs generated by popular web servers such as Apache, Nginx, Lighttpd, and IIS. It relies on the detailed information these logs provide to accurately differentiate between legitimate and malicious traffic, as well as to identify the characteristics of automated versus manual attacks. As a result, the tool requires access to these types of web server logs to function effectively and deliver precise breach investigations and session reconstructions.
Supported Web Server Log Formats
- Apache
- Nginx
- Microsoft IIS
- Lighttpd
Follow along with this guide to learn how to perform a forensic scan.
- Launch Syhunt Hybrid and click the Syhunt Forensic icon or the New Scan button on the welcome page.
- Select a web server log file to scan. Usually this is a file with a .log extension, such as access.log, or a file whose name starts with access_log and has no file extension.
- Wait for the scan to complete.
At the end of a scan, you will get the status of the log, which will be one of the following:
- No attacks (green colored), if no application security attacks have been identified in the log.
- Attack Attempts Found (orange colored), if there are signs of possible attacks without a confirmed breach.
- Breached (red colored), if there are signs of possible attacks AND an indication of a successful breach.
You can click the Save Results button in the toolbar to save the list of attempted attacks.
Session Reconstructor
Syhunt Forensic scans web server logs to reconstruct entire attack sessions. It precisely distinguishes between legitimate and malicious traffic, further differentiating between automated and manual attacks. This detailed reconstruction aids in understanding the full scope of an incident.
To reconstruct an attacker's session:
- Double-click an item from the identified list of attacks.
- In the bottom bar, click the View All Requests button.
- A new tab will open. Wait for the session reconstruction to complete.
Exporting Attacker List
Syhunt Forensic allows for the export of a list of IP addresses identified as belonging to attackers. This exported list can be used to harden your organization's firewall rules by creating new blacklists. By doing so, you can proactively block these malicious IP addresses and prevent future attacks from the same sources.
After the scan has ended, click the file icon (as shown below) and then the Save Attacker List menu option to save to a file the list of IP addresses that performed attack attempts against the server.
Excluding IP Addresses from the analysis
If you need to ignore specific IP addresses:
- Click the Preferences button, as shown below.
- Go to the Exclusions tab.
- Click the Source IPs button.
- Add the IP addresses you want to ignore, or import them from a file.
- Click OK to save the list.
- Click OK to close the preferences dialog and save the preferences.
- Finally, repeat the scan.
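The steps above (scan a log, read its status, reconstruct per-IP sessions, save the attacker list, exclude source IPs) can be illustrated with a small script that does the same work by hand on Apache/Nginx combined-format lines. This is example code written for this guide, not Syhunt's implementation; the indicator patterns, the "2xx reply to a flagged request means breach" heuristic and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# One line of the Apache/Nginx "combined" access log format (the input a forensic scan consumes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Illustrative attack indicators only (hypothetical; not Syhunt's detection rules).
ATTACK_PATTERNS = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)(union\s+select|'\s*or\s+1=1)"),
}

def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(req):
    """Return the name of the first matching indicator, or None for a benign-looking request."""
    decoded = unquote(req["path"])  # match on the decoded URL so %27 / %20 encoding does not hide it
    return next((name for name, pat in ATTACK_PATTERNS.items() if pat.search(decoded)), None)

def analyze(lines, excluded_ips=frozenset()):
    """Reconstruct per-IP sessions, flag attempts and return (log status, sessions, attacker IPs)."""
    sessions = defaultdict(list)  # ip -> its requests in log order: the reconstructed session
    attackers, breached = set(), False
    for req in filter(None, map(parse_line, lines)):
        if req["ip"] in excluded_ips:  # the "Source IPs" exclusion list from Preferences
            continue
        req["indicator"] = classify(req)
        sessions[req["ip"]].append(req)
        if req["indicator"]:
            attackers.add(req["ip"])  # this IP goes into the saved attacker list
            # Simplifying assumption: a 2xx reply to a flagged request counts as a breach indication.
            breached = breached or req["status"].startswith("2")
    status = "Breached" if breached else "Attack Attempts Found" if attackers else "No attacks"
    return status, dict(sessions), sorted(attackers)

# Constructed sample log lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /item?id=1%27%20OR%201=1 HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "GET /about HTTP/1.1" 200 820 "-" "Mozilla/5.0"
"""
```

Running `analyze(SAMPLE_LOG.splitlines())` yields the status "Breached" with 203.0.113.7 as the single attacker and a two-request session for it; passing `excluded_ips={"203.0.113.7"}` drops that source and the status falls back to "No attacks".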