
Log Analysis Practice

How to Complete This Exercise

  1. Click "New Scenario" to load a log sample
  2. Carefully examine the log entries displayed - look for IP addresses, timestamps, status codes, and patterns
  3. Select the type of security event you believe is occurring from the options provided
  4. Answer any follow-up questions that appear
  5. Click "Submit Analysis" to check your answer and see detailed feedback

Tip: Use the difficulty and log type filters to focus on specific areas you want to practice.


CVSS Calculator Practice

How to Complete This Exercise

  1. Select your preferred CVSS Version (v3.1 or v4.0)
  2. Click "New Vulnerability" to load a vulnerability scenario
  3. Read the vulnerability description carefully
  4. For each metric, select the value that best matches the vulnerability based on the description
  5. Click "Calculate Score" to see your score and compare it to the correct answer

Tip: Use "Free Calculator" mode to practice scoring without a scenario, or to calculate CVSS scores for real vulnerabilities.


CVE Analysis Practice

How to Complete This Exercise

  1. Click "New CVE" to load a real-world vulnerability scenario
  2. Read the CVE description, noting the affected products, CVSS score, and vulnerability details
  3. Answer the questions about the vulnerability type, attack vector, and recommended mitigations
  4. Click "Submit Answers" to check your analysis and see the correct responses

Tip: Pay attention to keywords in the description like "remote code execution," "buffer overflow," or "SQL injection" to identify the vulnerability type.


Study Mode

How to Use Study Mode

  1. Select a topic tab above: Log Patterns, CVSS Guide, CVE Terminology, or Attack Types
  2. Review the reference cards - each contains examples and key indicators
  3. Study the example logs and patterns to recognize them in practice exercises
  4. Use this section as a reference while working through other modules

Tip: Review these materials before attempting the Timed Quiz to improve your scores.

Common Log Patterns

Brute Force Attack

Multiple failed login attempts from the same source IP in a short time period.

Mar 15 10:23:45 server sshd[1234]: Failed password for admin from 192.168.1.100
Mar 15 10:23:46 server sshd[1234]: Failed password for admin from 192.168.1.100
Mar 15 10:23:47 server sshd[1234]: Failed password for admin from 192.168.1.100

Key Indicators: Repeated failures, same username, rapid succession, same source IP

SQL Injection Attempt

HTTP requests containing SQL syntax in parameters or URI.

192.168.1.50 - - [15/Mar/2024:14:23:11] "GET /products?id=1'+OR+'1'='1 HTTP/1.1" 200

Key Indicators: SQL keywords (OR, UNION, SELECT), single quotes, comment sequences (--)

Port Scanning

Multiple connection attempts to different ports from the same source.

Mar 15 11:00:01 firewall DENY TCP 10.0.0.50:45123 -> 192.168.1.10:21
Mar 15 11:00:01 firewall DENY TCP 10.0.0.50:45124 -> 192.168.1.10:22
Mar 15 11:00:01 firewall DENY TCP 10.0.0.50:45125 -> 192.168.1.10:23

Key Indicators: Sequential ports, rapid timing, same source, many denied connections

Privilege Escalation

Attempts to gain elevated access using sudo or su commands.

Mar 15 15:30:22 server sudo: user1 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/user1 ; COMMAND=/bin/bash

Key Indicators: Sudoers violations, unauthorized su attempts, privilege change events

Data Exfiltration

Unusual outbound data transfers, especially to unknown destinations.

Mar 15 03:00:00 firewall ALLOW TCP 192.168.1.50:55123 -> 185.123.45.67:443 bytes=15728640
Mar 15 03:05:00 firewall ALLOW TCP 192.168.1.50:55124 -> 185.123.45.67:443 bytes=15728640

Key Indicators: Large data transfers, unusual hours, unknown external IPs, repeated transfers

Denial of Service (DoS)

Flood of requests from single or multiple sources causing service degradation.

Mar 15 12:00:00 webserver [error] server reached MaxRequestWorkers setting
Mar 15 12:00:01 webserver 10.0.0.100 "GET / HTTP/1.1" 503 Service Unavailable

Key Indicators: High request volume, 503 errors, resource exhaustion, same request patterns
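Turning the brute-force and port-scanning indicators above into detection logic, as an added example that is not part of the training platform's own code: it parses sshd "Failed password" lines and firewall DENY lines like the samples above and flags a source once the thresholds (three events within sixty seconds, both assumed values) are met. The sample lines are constructed, and syslog timestamps carry no year, so 2024 is assumed when parsing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the patterns above (not real logs).
SAMPLE = """\
Mar 15 10:23:45 server sshd[1234]: Failed password for admin from 192.168.1.100
Mar 15 10:23:46 server sshd[1234]: Failed password for admin from 192.168.1.100
Mar 15 10:23:47 server sshd[1234]: Failed password for admin from 192.168.1.100
Mar 15 10:30:00 server sshd[1300]: Failed password for bob from 192.168.1.77
Mar 15 11:00:01 firewall DENY TCP 10.0.0.50:45123 -> 192.168.1.10:21
Mar 15 11:00:01 firewall DENY TCP 10.0.0.50:45124 -> 192.168.1.10:22
Mar 15 11:00:01 firewall DENY TCP 10.0.0.50:45125 -> 192.168.1.10:23
Mar 15 11:05:00 firewall DENY TCP 10.0.0.9:40000 -> 192.168.1.10:22
"""
SSH_FAIL = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (\S+) from (\S+)")
FW_DENY = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ DENY TCP (\S+):\d+ -> (\S+):(\d+)")

def _ts(s):
    # Syslog timestamps have no year; 2024 is assumed purely so they can be compared.
    return datetime.strptime("2024 " + s, "%Y %b %d %H:%M:%S")

def analyze(text, window=60, threshold=3):
    fails = defaultdict(list)   # (source ip, username) -> [timestamps]
    ports = defaultdict(list)   # source ip -> [(timestamp, destination port)]
    for line in text.splitlines():
        m = SSH_FAIL.match(line)
        if m:
            fails[(m.group(3), m.group(2))].append(_ts(m.group(1)))
        elif (m := FW_DENY.match(line)):
            ports[m.group(2)].append((_ts(m.group(1)), int(m.group(4))))
    findings = {}
    for (src, user), times in fails.items():
        times.sort()
        # Brute force: `threshold` failures for the same user from one IP within `window` seconds.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                findings[(src, "brute_force")] = f"{threshold}+ failed logins for {user}"
                break
    for src, hits in ports.items():
        hits.sort()
        # Port scan: `threshold` distinct denied destination ports from one IP within `window`.
        for i in range(len(hits) - threshold + 1):
            span = hits[i:i + threshold]
            distinct = {p for _, p in span}
            if len(distinct) >= threshold and (span[-1][0] - span[0][0]).total_seconds() <= window:
                findings[(src, "port_scan")] = f"{len(distinct)} distinct ports denied"
                break
    return findings
```

Single failures from 192.168.1.77 and a single deny from 10.0.0.9 stay below threshold and are not reported, which is the difference between an indicator and a finding.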

CVSS Scoring Guidelines

Attack Vector (AV)

Value          Description
Network (N)    Exploitable remotely via network (e.g., internet)
Adjacent (A)   Requires same network segment (e.g., LAN, Bluetooth)
Local (L)      Requires local access to the system
Physical (P)   Requires physical access to the device

Attack Complexity (AC)

Value          Description
Low (L)        No special conditions required; attack is repeatable
High (H)       Requires specific conditions, timing, or preparation

Privileges Required (PR)

Value          Description
None (N)       No authentication or privileges needed
Low (L)        Basic user-level privileges required
High (H)       Administrative or significant privileges required

User Interaction (UI)

Value          Description
None (N)       Exploit works without any user action
Required (R)   User must perform some action (click link, open file)

Scope (S)

Value          Description
Unchanged (U)  Impact limited to vulnerable component only
Changed (C)    Impact extends beyond vulnerable component

Impact Metrics (C/I/A)

Value          Description
High (H)       Total loss of confidentiality/integrity/availability
Low (L)        Reduced confidentiality/integrity/availability
None (N)       No impact to this property

Severity Rating Scale

Score Range    Severity
0.0            None
0.1 - 3.9      Low
4.0 - 6.9      Medium
7.0 - 8.9      High
9.0 - 10.0     Critical

CVE Terminology

CVE (Common Vulnerabilities and Exposures)

A standardized identifier for publicly known cybersecurity vulnerabilities. Format: CVE-YEAR-NUMBER

CWE (Common Weakness Enumeration)

A categorization system for software and hardware weaknesses. Examples: CWE-79 (XSS), CWE-89 (SQL Injection)

NVD (National Vulnerability Database)

US government repository of vulnerability data using CVE identifiers, including CVSS scores and references.

Zero-Day

A vulnerability that is exploited before the vendor is aware or has released a patch.

PoC (Proof of Concept)

Code or method demonstrating that a vulnerability can be exploited.

RCE (Remote Code Execution)

A vulnerability allowing an attacker to execute arbitrary code on a target system remotely.

LPE (Local Privilege Escalation)

A vulnerability allowing a user to gain elevated privileges on a system they already have access to.

EPSS (Exploit Prediction Scoring System)

A model that estimates the probability that a vulnerability will be exploited in the wild.

Common Attack Types

SQL Injection (SQLi)

Inserting malicious SQL code into application queries to access or manipulate database data.

Indicators: ' OR 1=1, UNION SELECT, --comment, encoded characters (%27)

Cross-Site Scripting (XSS)

Injecting malicious scripts into web pages viewed by other users.

Indicators: <script> tags, javascript: URIs, event handlers (onerror, onload)

Command Injection

Executing arbitrary system commands through vulnerable application inputs.

Indicators: ; | && characters, command names (cat, whoami, wget)

Path Traversal

Accessing files outside the intended directory using ../ sequences.

Indicators: ../../../, encoded dots (%2e), /etc/passwd, win.ini

Brute Force

Systematically trying all possible passwords or keys until finding the correct one.

Indicators: Multiple failed logins, dictionary words, sequential attempts

Credential Stuffing

Using leaked username/password pairs from other breaches to attempt logins.

Indicators: Failed logins for multiple usernames, varied passwords per user

DDoS (Distributed Denial of Service)

Overwhelming a target with traffic from multiple sources to cause service disruption.

Indicators: Traffic spikes, many source IPs, SYN floods, amplification patterns

Man-in-the-Middle (MITM)

Intercepting communication between two parties to eavesdrop or modify data.

Indicators: Certificate warnings, ARP anomalies, DNS redirects

Timed Quiz Mode

How to Complete the Quiz

  1. Configure your quiz settings: number of questions, time limit, question types, and difficulty
  2. Click "Start Quiz" to begin - the timer starts immediately
  3. Read each question carefully and select your answer before time runs out
  4. Click "Next" to proceed to the next question (or it auto-advances when time expires)
  5. After the final question, view your results and click "Review Answers" to see detailed explanations

Tip: Start with longer time limits and fewer questions, then challenge yourself with harder settings as you improve.
