---
layout: post
title: 'CySky: Log Analysis'
date: 2025-05-08 09:54 -0700
description: CySky Notes Log Analysis
image:
  path: ../assets/img/site_images/cysky/cs_0r2.png
  alt: CySky Log Analysis
category: [CySky]
tags: [notes, cysky, cybersecurity, log analysis, bash, cyberchef, epoch convertor]
---
Log Analysis
Challenges
- SSH (Easy) n/i
- Nginx (Medium)
- History (Medium)
- Squid (Hard)
- Payments (Hard)
- VSFTPD (Easy)
- Login (Easy)
- Custom File Format (Hard)
Main Tools
The main tools used in these challenges:
- bash (Squid)
- CyberChef (Custom File Format)
Squid
Analysis of Squid proxy log
Tools used
- bash
Process
Download the file named squid_access.log. We can use bash commands to analyze the file, starting with:

```bash
cat squid_access.log
```

In what year was this log saved?

From the `cat` output above, the log timestamps are in Epoch time. Using EpochConverter (www.epochconverter.com) with an input of 1286536308, we find the start year:

2010
Using various bash commands, we can extract data from the logs. For example:

- Extract the second column (time elapsed) and sort it numerically (both forms are equivalent):

  ```bash
  cat squid_access.log | awk '{print$2}' | sort -n
  awk '{print$2}' squid_access.log | sort -n
  ```

- Extract the third column (client IP addresses) and count the unique values:

  ```bash
  cat squid_access.log | awk '{print$3}' | sort | uniq | wc -l
  awk '{print$3}' squid_access.log | sort -u | wc -l
  ```

- Count the GET requests (the sixth column is the request method):

  ```bash
  awk '{print$6}' squid_access.log | grep 'GET' | wc -l
  ```
How many milliseconds did the fastest request take?

This command extracts the second column (elapsed time) and sorts it numerically, so the first line is the fastest request. Either form works:

```bash
cat squid_access.log | awk '{print$2}' | sort -n | head -n 1
awk '{print$2}' squid_access.log | sort -n | head -n 1
```

5 milliseconds
How many milliseconds did the longest request take?

Same as the previous command, but sorted in reverse so the largest value comes first:

```bash
cat squid_access.log | awk '{print$2}' | sort -rn | head -n 1
awk '{print$2}' squid_access.log | sort -rn | head -n 1
```

41762 milliseconds
How many different IP addresses did the proxy service use?

```bash
awk '{print$3}' squid_access.log | sort -u | wc -l
```

4

How many GET requests were made?

```bash
awk '{print$6}' squid_access.log | grep 'GET' | wc -l
```

35

How many POST requests were made?

```bash
awk '{print$6}' squid_access.log | grep 'POST' | wc -l
```

78
What company created the antivirus used on the host at 192.168.0.224?

```bash
cat squid_access.log | grep '192.168.0.224'
```

Norton / Symantec

What URL is used to download the virus definitions?

```bash
cat squid_access.log | grep '192.168.0.224'
```
hxxp://liveupdate[.]symantecliveupdate[.]com/streaming/norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip
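The whole Squid workflow above, collected into one bash script as an added example (not part of the CySky notes or the challenge file). It runs against a constructed six-line log in Squid's native format (`timestamp elapsed_ms client_ip code/status bytes method URL rfc931 hierarchy/peer type`) written to a temp file, so the values it prints are for that sample, not the challenge answers above. The function names, sample hosts and addresses are this example's own; it also goes slightly beyond the notes by matching the method field exactly instead of grepping for the word, and by converting the epoch timestamp with date(1) instead of a website.

```bash
#!/usr/bin/env bash
# Added example (not from the CySky notes): answer the Squid questions over a
# constructed sample log in Squid native format. Columns used below:
#   $1 timestamp (epoch.ms)  $2 elapsed ms  $3 client IP  $6 method  $7 URL
set -eu

# Constructed sample data, written to a temp file so every function below
# takes a log path and works on the real squid_access.log too.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1286536308.779    180 192.168.0.224 TCP_MISS/200 30169 GET http://updates.example.com/defs.zip - DIRECT/203.0.113.10 application/zip
1286536309.102      5 192.168.0.224 TCP_HIT/200 1200 GET http://updates.example.com/index.html - NONE/- text/html
1286536312.440   9870 192.168.0.10 TCP_MISS/200 51200 POST http://api.example.net/upload - DIRECT/198.51.100.7 application/json
1286536320.001    342 192.168.0.55 TCP_MISS/404 412 GET http://www.example.org/missing - DIRECT/192.0.2.44 text/html
1286536325.900  41762 192.168.0.10 TCP_MISS/200 2048000 GET http://cdn.example.com/big.iso - DIRECT/198.51.100.8 application/octet-stream
1286536330.250     60 192.168.0.101 TCP_MISS/200 900 POST http://api.example.net/login - DIRECT/198.51.100.7 application/json
EOF

# Year of the first entry: drop the fractional seconds from the epoch
# timestamp and let date(1) convert it (GNU -d first, BSD -r as fallback).
log_year() {
  local ts
  ts="$(awk 'NR==1 {split($1, t, "."); print t[1]}' "$1")"
  date -u -d "@$ts" +%Y 2>/dev/null || date -u -r "$ts" +%Y
}

# Fastest and slowest request in milliseconds (column 2 is elapsed time).
fastest_ms() { awk '{print $2}' "$1" | sort -n  | head -n 1; }
slowest_ms() { awk '{print $2}' "$1" | sort -rn | head -n 1; }

# Distinct client addresses (column 3).
unique_clients() { awk '{print $3}' "$1" | sort -u | wc -l | tr -d ' '; }

# Requests by HTTP method: compare the whole sixth field, so a method name
# that merely appears inside a URL or a peer name is not counted.
count_method() { awk -v m="$2" '$6 == m' "$1" | wc -l | tr -d ' '; }

# Distinct hosts contacted by one client: exact match on the client column,
# then the host part of the URL with the scheme stripped.
hosts_for_client() {
  awk -v ip="$2" '$3 == ip {sub(/^[a-z]+:\/\//, "", $7); split($7, h, "/"); print h[1]}' "$1" | sort -u
}

echo "Year of log:        $(log_year "$SAMPLE_LOG")"
echo "Fastest request ms: $(fastest_ms "$SAMPLE_LOG")"
echo "Slowest request ms: $(slowest_ms "$SAMPLE_LOG")"
echo "Distinct clients:   $(unique_clients "$SAMPLE_LOG")"
echo "GET requests:       $(count_method "$SAMPLE_LOG" GET)"
echo "POST requests:      $(count_method "$SAMPLE_LOG" POST)"
echo "Hosts for 192.168.0.224:"
hosts_for_client "$SAMPLE_LOG" 192.168.0.224
```

To use it on the challenge file, replace `SAMPLE_LOG` with the path to squid_access.log; the exact-field match in `count_method` is the check worth keeping, because `grep 'GET'` on the method column also counts any line whose other fields happen to contain that string.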
Custom File Format
Analysis of logs from a custom file format
Tools used
- CyberChef
Process
We are given a custom log in the SKY log file format. Per CySky:


Download the file named Custom File Format.sky.

In what year was this log saved?