One of the things I always bitch about when teaching web application security is the fact that log4j (and all its implementations in other languages) doesn’t have a “security” log level. How can you have a plan for security auditing if your log messages are spread out across all the different log levels and mixed in with all the noise generated by your application? The log files are already more incoherent than WWF trash talk, but at least with a “security” log level we can filter out our security messages to facilitate some useful incident response.

So during my most recent class at the OWASP conference my new friend Roman Hustad burned half a calorie typing “creating a new log level in log4j” into Google and figured out how I could create a solution to all my whining. It was one of those moments where I realized that I had been bitching for so long that I forgot to ever try to fix the problem myself. So, to make it up to all the students who had to put up with my bitching, here you go. Here’s how you add a SECURITY log level to log4j complete with documentation and test cases.
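The sketch below is an added example written for this post, not Roman’s solution or anything from the log4j project. It assumes the log4j 1.2 API of the day (`org.apache.log4j.Level` is subclassable, appenders accept `Filter`s) and shows the two halves of the idea: a SECURITY level that outranks FATAL so no threshold ever drops it, and a filter so one appender sees only security events. The class name, logger name, and the log messages are made up for the example.

```java
import org.apache.log4j.ConsoleAppender;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.log4j.PatternLayout;
import org.apache.log4j.spi.Filter;
import org.apache.log4j.spi.LoggingEvent;

/**
 * A custom log4j 1.2 level named SECURITY (example code for this post).
 * It is placed above FATAL so that a Threshold of WARN, ERROR or FATAL on any
 * appender still lets security events through; only OFF silences them.
 */
public class SecurityLevel extends Level {

    // Level.FATAL_INT is 50000 in log4j 1.2; anything larger outranks every built-in level.
    public static final int SECURITY_INT = Level.FATAL_INT + 10000;

    // The third argument is the syslog severity used by SyslogAppender; 1 = LOG_ALERT (our choice).
    public static final SecurityLevel SECURITY = new SecurityLevel(SECURITY_INT, "SECURITY", 1);

    protected SecurityLevel(int level, String levelStr, int syslogEquivalent) {
        super(level, levelStr, syslogEquivalent);
    }

    // log4j looks these static methods up by reflection when a config file says
    //   log4j.appender.audit.Threshold=SECURITY#SecurityLevel
    // so the custom name must resolve here before falling back to the stock levels.
    public static Level toLevel(String name, Level defaultLevel) {
        if (name != null && name.equalsIgnoreCase("SECURITY")) {
            return SECURITY;
        }
        return Level.toLevel(name, defaultLevel);
    }

    public static Level toLevel(String name) {
        return toLevel(name, Level.DEBUG);
    }

    public static Level toLevel(int val, Level defaultLevel) {
        return val == SECURITY_INT ? SECURITY : Level.toLevel(val, defaultLevel);
    }

    /** Passes only SECURITY events; everything else is dropped by this appender. */
    public static final class SecurityOnlyFilter extends Filter {
        public int decide(LoggingEvent event) {
            return event.getLevel().toInt() == SECURITY_INT ? ACCEPT : DENY;
        }
    }

    /** Demo: one appender gets the usual noise, a second gets the security audit trail only. */
    public static void main(String[] args) {
        Logger root = Logger.getRootLogger();

        // The general application log: every level, as usual.
        ConsoleAppender everything = new ConsoleAppender(new PatternLayout("%p %c - %m%n"));
        root.addAppender(everything);

        // The security audit log: same events, but the filter keeps SECURITY only.
        // In production this would be a FileAppender (or SyslogAppender) on its own file.
        ConsoleAppender audit = new ConsoleAppender(new PatternLayout("AUDIT %d %p %c - %m%n"));
        audit.addFilter(new SecurityOnlyFilter());
        root.addAppender(audit);

        Logger log = Logger.getLogger("com.example.LoginServlet"); // hypothetical logger name
        log.info("user alice logged in");                                         // general log only
        log.log(SecurityLevel.SECURITY, "5 failed logins for alice from 192.0.2.10"); // both appenders
        log.log(SecurityLevel.SECURITY, "input validation rejected request for alice (possible SQLi)");
    }
}
```

The sample messages and the 192.0.2.10 address are constructed for the example. Two practical notes: log4j 1.2 is long end-of-life, and in Log4j 2 the same thing takes one line, `Level.forName("SECURITY", 50)`, where a smaller integer means more severe (FATAL is 100); and whichever version you use, put the security appender on its own file with its own rotation and permissions, because the whole point is that the audit trail survives the noise and is what you hand to incident response.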

While we’re on the subject of logging/IR, I was talking to some people at the conference about the use of Tor to anonymize all layer 7 attacks. There are a lot of people parroting the idea that the source IP is useless because it can be spoofed. If I’m doing IR, spoofing is the last thing I’m thinking about. Spoofing an IP is fairly difficult for what’s usually not a whole lot of gain. Let’s take a step back and think about the different ways an attacker could hide the source of their attack:

  • By bouncing traffic off a public/misconfigured HTTP proxy
  • Launching the attack without hiding its source, at the tail end of a chain of compromised hosts (think that’s hard? go scan a 3rd world country for PHF vulnerabilities, circa 1996)
  • An anonymizing system like Tor or the old Freedom NET
  • IP spoofing

Which of these do you think an attacker with half a brain is going to do? Anyway, I got the feeling some people took away the idea that it was useless to log the source IP, which wasn’t my intention at all. That’d be like the Attorney General telling the police commissioners, “Listen, people can wear gloves when they stab/shoot/rape/donkey punch each other, so there’s no use in collecting fingerprints.” Not at all. That’s right, I just likened myself to the Attorney General. So, in conclusion, an attacker who has more than half a brain and the ability to use Google is going to make himself untraceable, but routine police work solves a lot of crimes.