Day 7

Log analysis ‘Tis the season for log chopping!. This room serves as introduction to Log Analysis

Learning Objectives

• Revisiting log files and their importance.

• Understanding what a proxy is and breaking down the contents of a proxy log.

• Building Linux command-line skills to parse log entries manually.

• Analysing a proxy log based on typical use cases.

This room is straight forward, the commands and instructions are given. We need to put a little thought into how to use those commands and obtain the answers needed.

How many unique IP addresses are connected to the proxy server?

How many unique domains were accessed by all workstations?
cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -n | wc -l

What status code is generated by the HTTP requests to the least accessed domain?
cut -d ' ' -f3,6 access.log | grep [REDACTED]

Based on the high count of connection attempts, what is the name of the suspicious domain?
cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq -c | sort -n | tail -n 10
This will give 10 domains with the highest connection attempts. 

What is the source IP of the workstation that accessed the malicious domain?
cut -d ' ' -f2,3 access.log | grep [REDACTED]

How many requests were made on the malicious domain in total?
cut -d ' ' -f2,3 access.log | grep [REDACTED] | wc -l

Having retrieved the exfiltrated data, what is the hidden flag?
grep [REDACTED] access.log | cut -d ' ' -f5 | cut -d '=' -f2 | base64 -d

---