CySky: Log Analysis
Log Analysis
Challenges
- SSH (easy) n/i
- Nginx (Medium)
- History (Medium)
- Squid (Hard)
- Payments (Hard)
- VSFTPD (Easy)
- Login (Easy)
- Custom File Format (Hard)
Main Tools
The main tools used in these challenges:
- bash (Squid)
- CyberChef (Custom File Format)
Squid
Analysis of a Squid proxy access log
Tools used
- bash
Process
Download the file named squid_access.log. We can use bash commands to analyze the file, starting with cat squid_access.log.

In what year was this log saved?
From the above cat, the log timestamps are given in Epoch time. Using EpochConverter (www.epochconverter.com) with an input of “1286536308”, we can find the start year:
2010
Using various bash commands, we can extract data from the logs. For example:
- Extracts the second column (time elapsed) and sorts it numerically (both forms are equivalent):
cat squid_access.log | awk '{print$2}' | sort -n
awk '{print$2}' squid_access.log | sort -n
- Extracts the third column (client IP addresses) and returns the count of unique values (sort -u is equivalent to sort | uniq):
cat squid_access.log | awk '{print$3}' | sort | uniq | wc -l
awk '{print$3}' squid_access.log | sort -u | wc -l
- How many GET requests were made?
awk '{print$6}' squid_access.log | grep 'GET' | wc -l
How many milliseconds did the fastest request take?
Either of these commands extracts the second column, sorts it numerically and keeps the smallest value:
cat squid_access.log | awk '{print$2}' | sort -n | head -n 1
awk '{print$2}' squid_access.log | sort -n | head -n 1
5 milliseconds
How many milliseconds did the longest request take?
Similar to the previous command, but sorted in reverse order:
cat squid_access.log | awk '{print$2}' | sort -rn | head -n 1
awk '{print$2}' squid_access.log | sort -rn | head -n 1
41762 milliseconds
How many different IP addresses did the proxy service use?
awk '{print$3}' squid_access.log | sort -u | wc -l
4
How many GET requests were made?
awk '{print$6}' squid_access.log | grep 'GET' | wc -l
35
How many POST requests were made?
awk '{print$6}' squid_access.log | grep 'POST' | wc -l
78
What company created the antivirus used on the host at 192.168.0.224?
cat squid_access.log | grep '192.168.0.224'
Norton / Symantec
What URL is used to download the virus definitions?
cat squid_access.log | grep '192.168.0.224'
hxxp://liveupdate[.]symantecliveupdate[.]com/streaming/norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip
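The pipelines above, wrapped as reusable functions and run over a constructed sample log so they can be checked offline. This is an added example, not part of the CySky notes or the challenge file; the hostnames, IPs and timings in the sample are made up, and the year is derived with date instead of a web converter.

```shell
#!/usr/bin/env bash
# Added example, not part of the CySky notes: the awk/sort/uniq pipelines
# from the Squid walkthrough wrapped as functions, run over a constructed
# sample log. Squid native access-log fields (whitespace separated):
#   $1 epoch timestamp  $2 elapsed ms  $3 client IP  $4 code/status
#   $5 bytes            $6 method      $7 URL        $8.. user, peer, type

# Constructed sample lines (hostnames and IPs are made up, not challenge data).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1286536308.779    180 192.168.0.224 TCP_MISS/200 30520 GET http://liveupdate.example.test/defs.zip - DIRECT/10.0.0.5 application/zip
1286536309.120      5 192.168.0.68 TCP_HIT/200 1024 GET http://www.example.test/ - NONE/- text/html
1286536310.004  41762 192.168.0.224 TCP_MISS/200 2048 POST http://updates.example.test/report - DIRECT/10.0.0.7 text/plain
1286536311.555     37 192.168.0.37 TCP_MISS/304 300 GET http://www.example.test/logo.png - DIRECT/10.0.0.9 image/png
1286536312.900    120 192.168.0.68 TCP_MISS/200 512 POST http://www.example.test/login - DIRECT/10.0.0.9 text/html
EOF

# Year of the first entry: Squid stores epoch seconds, so convert locally
# (GNU date -d first, BSD/macOS date -r as fallback).
log_year() {
    local ts; ts="$(awk 'NR==1{print $1}' "$1")"; ts="${ts%.*}"
    date -u -d "@$ts" +%Y 2>/dev/null || date -u -r "$ts" +%Y
}

# Fastest and slowest request in milliseconds (numeric sort on column 2).
fastest_ms() { awk '{print $2}' "$1" | sort -n  | head -n 1; }
slowest_ms() { awk '{print $2}' "$1" | sort -rn | head -n 1; }

# Distinct client addresses (column 3). Counting with awk avoids the
# leading spaces some wc implementations print.
unique_clients() { awk '{print $3}' "$1" | sort -u | awk 'END{print NR}'; }

# Requests per HTTP method. An exact match on column 6 is stricter than
# grep 'GET', which would also count any method name merely containing GET.
count_method() { awk -v m="$2" '$6 == m' "$1" | awk 'END{print NR}'; }

# URLs requested by one client: the step used in the walkthrough to spot
# the antivirus update traffic from 192.168.0.224.
host_urls() { awk -v ip="$2" '$3 == ip {print $7}' "$1"; }

printf 'year=%s fastest=%sms slowest=%sms clients=%s GET=%s POST=%s\n' \
    "$(log_year "$SAMPLE_LOG")" "$(fastest_ms "$SAMPLE_LOG")" \
    "$(slowest_ms "$SAMPLE_LOG")" "$(unique_clients "$SAMPLE_LOG")" \
    "$(count_method "$SAMPLE_LOG" GET)" "$(count_method "$SAMPLE_LOG" POST)"
host_urls "$SAMPLE_LOG" 192.168.0.224
```

Point the functions at squid_access.log instead of the sample to reproduce the challenge answers.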
Custom File Format
Analysis of logs from a custom file format
Tools used
- CyberChef
Process
We are given a custom log in the SKY log file format. Per CySky:

Download the file named Custom File Format.sky.

In what year was this log saved?
