Log Analysis Tool Kit (LATK)

The Log Analysis Tool Kit (LATK) version 1.5.4 is a collection of command line and web-based tools for use in incident response and long-term analysis of web server and proxy server log data. LATK can detect beaconing traffic in proxy logs and SQL injection and XSS attempts in web server logs. Often when responding to a security incident, the only files available are web server and proxy server logs. LATK will aid you in detecting odd traffic, such as botnet beaconing and SQL injection attempts. The data available in these files can be overwhelming, but the tools in LATK can be used to parse these files and build a MySQL database for querying.

Installation of LATK is easy to perform with RPMs or DEBs on an OVF (Open Virtualization Format) Virtual Machine. These tools are available for download on the CERT website.

Features

Multiple Log File Format Support

  • Proxy Logs: Squid, Bluecoat
  • Web Server Logs: Apache, IIS

Beacon Detection
Performs advanced analysis on proxy logs for beacon detection.
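As an added illustration of the kind of proxy-log analysis described here (example code written for this page, not part of LATK), the script below parses constructed Squid native-format log lines and flags client/host pairs whose request intervals are nearly constant, which is the timing signature of a beacon; the hosts, addresses and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid native-format access.log sample (not real traffic):
# 10.0.0.5 contacts beacon.example every ~60 s; 10.0.0.7 browses news.example at random.
SAMPLE_LOG = """\
1700000000.000    120 10.0.0.5 TCP_MISS/200 512 GET http://beacon.example/ping - HIER_DIRECT/203.0.113.9 text/plain
1700000060.010    118 10.0.0.5 TCP_MISS/200 512 GET http://beacon.example/ping - HIER_DIRECT/203.0.113.9 text/plain
1700000120.005    121 10.0.0.5 TCP_MISS/200 512 GET http://beacon.example/ping - HIER_DIRECT/203.0.113.9 text/plain
1700000180.000    119 10.0.0.5 TCP_MISS/200 512 GET http://beacon.example/ping - HIER_DIRECT/203.0.113.9 text/plain
1700000240.020    117 10.0.0.5 TCP_MISS/200 512 GET http://beacon.example/ping - HIER_DIRECT/203.0.113.9 text/plain
1700000003.000    300 10.0.0.7 TCP_MISS/200 9000 GET http://news.example/ - HIER_DIRECT/198.51.100.3 text/html
1700000041.000    250 10.0.0.7 TCP_HIT/200 1200 GET http://news.example/a.css - NONE/- text/css
1700000212.000    280 10.0.0.7 TCP_MISS/200 7000 GET http://news.example/story - HIER_DIRECT/198.51.100.3 text/html
1700000600.000    310 10.0.0.7 TCP_MISS/200 6500 GET http://news.example/other - HIER_DIRECT/198.51.100.3 text/html
1700000900.000    290 10.0.0.7 TCP_MISS/200 8000 GET http://news.example/ - HIER_DIRECT/198.51.100.3 text/html
"""

# Squid native fields: time elapsed client action/code size method URL user hierarchy type
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")

def parse_squid(text):
    """Yield (timestamp, client, destination host) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            host = urlsplit(m.group("url")).hostname or m.group("url")
            yield float(m.group("ts")), m.group("client"), host

def find_beacons(text, min_hits=4, max_cv=0.1):
    """Return {(client, host): (mean_gap_seconds, cv)} for clock-like request timing.
    cv = stdev/mean of gaps between consecutive requests; near 0 means a fixed interval."""
    times = defaultdict(list)
    for ts, client, host in parse_squid(text):
        times[(client, host)].append(ts)
    flagged = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue  # too few requests to judge regularity
        ts_list.sort()
        gaps = [later - earlier for earlier, later in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            flagged[key] = (mean, cv)
    return flagged
```

Real beacons add jitter, so in practice the `max_cv` threshold is tuned against a baseline of known-good traffic rather than fixed at 0.1.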

System Requirements

  • System: Mac OS X, Linux
  • Software: Apache, Python 3.x, MySQL

Download

LATK can be downloaded from the CERT Forensics Wiki.

Figure 1: Map of IP Address to Geo Location (latk-geoip-map)

Figure 2: SQLi Indicators (latk-www-sqli)

Figure 3: Top Clients by Bytes (proxy-tttlbytes)

For more information

Contact Us

info@sei.cmu.edu

412-268-5800
