Detecting Out-of-Band Interactions with Log Analysis and SIEM Tools
Nov 21, 2024
trunc_team

Have you ever come across unusual entries in your web server logs, like these?

GET /v1/avatars/favicon?url=http://xyzabc.oast.pro HTTP/1.1 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36"

Or perhaps:

GET /wp-admin/admin.php?page=wc-settings&action=redirect_telcell_form&api_url=https://oast.me HTTP/1.1 "-" "Mozilla/5.0 (Debian; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"

If you’ve seen entries like these and wondered about their purpose, you’re not alone. A closer look reveals external URLs embedded in the requests (e.g., oast.pro or oast.me). These are not just random URLs—they often indicate potential out-of-band (OOB) interactions that might be worth your attention.


Understanding Out-of-Band Interactions

Out-of-band interactions occur when a vulnerability in your system triggers an external request, such as a DNS lookup or HTTP connection to an external server. These interactions are commonly used for:

  • Security testing by penetration testers or internal security teams to identify vulnerabilities.
  • Malicious probing by attackers looking for weaknesses in your website.

For example, tools like Interactsh, an open-source framework for detecting OOB interactions, generate these requests. By examining your logs through effective log analysis and log management, you can identify these activities early and take action.

Why Log Analysis Is Crucial

Unusual patterns in your logs can serve as the first indication of a potential security incident. With proper log management practices and integration with a Security Information and Event Management (SIEM) system, you can spot these entries early. Two details in each entry are worth checking:

HTTP Status Codes:
  • A 404 (Not Found) response usually indicates that the request didn’t succeed in finding a vulnerability.
  • A 200 (Success) response, on the other hand, could mean a potential vulnerability was triggered and should be investigated further.

Domains to Monitor:
  • Common Interactsh domains include oast.pro, oast.me, oast.live, and others.
  • Attackers can set up their own domains to bypass filters, so any external URL in your logs could be suspicious.

How SIEM and Log Management Help

By integrating your logs into a SIEM solution, you can automate the detection of potential threats and streamline investigations. For example:

  • Correlate logs across servers to identify patterns of probing or attempted exploits.
  • Filter for requests containing external URLs, which are often associated with OOB tools like Interactsh.
  • Generate detailed reports to track the frequency of these attempts and assess your exposure.

Proactive Log Management Strategies

  • Monitor Regularly: Set up automated alerts in your SIEM for entries containing external URLs or other suspicious behavior.
  • Refine Detection Rules: Customize rules in your SIEM or log management tool to flag requests to domains like oast.pro or unexpected API calls.
  • Patch and Harden Systems: If a request returns a success code (HTTP 200), identify and address the vulnerability immediately.
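The detection rule described above, written out as an added example (not code from the original post or from Trunc): it parses combined-format access log lines, pulls any off-site URL out of the query string (including URL-encoded values), tags hosts under the Interactsh domains named in the post, and ranks a 2xx response above a 404. The log lines, the own-hosts allowlist and the example.com/example.org hostnames are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

OAST_DOMAINS = ("oast.pro", "oast.me", "oast.live")  # named in the post; extend for your SIEM
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')  # combined format
URL_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.I)  # http://, https://, or scheme-less //

def external_hosts(path, own_hosts):
    """Hostnames of URLs embedded in query-string values that point off-site."""
    hosts = []
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; this catches double-encoded values
        if URL_RE.match(value):
            host = (urlsplit(value).hostname or "").lower()
            if host and host not in own_hosts:
                hosts.append(host)
    return hosts

def classify(host):
    """Known Interactsh domain, or any other off-site host (attackers bring their own)."""
    tails = tuple("." + d for d in OAST_DOMAINS)
    return "interactsh" if host in OAST_DOMAINS or host.endswith(tails) else "external"

def scan_log(lines, own_hosts=()):
    """One finding per off-site URL; a 2xx response ranks highest, as the post advises."""
    own, findings = {h.lower() for h in own_hosts}, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format access log line
        src, method, path, status = m.groups()
        for host in external_hosts(path, own):
            findings.append({"src": src, "method": method, "path": path, "host": host,
                             "kind": classify(host), "status": int(status),
                             "severity": "high" if status.startswith("2") else "low"})
    return findings

# Constructed sample lines modelled on the entries quoted in the post (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2024:10:00:01 +0000] "GET /v1/avatars/favicon?url=http://xyzabc.oast.pro HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Nov/2024:10:00:02 +0000] "GET /wp-admin/admin.php?page=wc-settings&action=redirect_telcell_form&api_url=https%3A%2F%2Foast.me HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Nov/2024:10:00:03 +0000] "GET /redirect?next=//cb.example.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Nov/2024:10:00:04 +0000] "GET /login?return=https://www.example.com/account HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, own_hosts=("www.example.com",)):
        print(f"{f['severity']:4} {f['kind']:10} {f['src']:13} {f['host']} status={f['status']}")
```

Feed it your real access log and your own hostnames in own_hosts; the "high" Interactsh findings are the ones to triage first.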

Out-of-band interactions, as seen in logs with external URLs, are often indicators of vulnerability scans or attacks. Leveraging log analysis, log management, and SIEM tools not only helps you detect these threats but also enables you to respond proactively.

And if you’re not already reviewing your logs regularly, you’re missing out on both security insights and some fascinating patterns. 😉
