1121087444.308 593 66.29.187.48 TCP_MISS/200 13787 GET http://search.msn.com/results.aspx? DIRECT/205.161.4.166 text/html
1121087444.422 13 66.29.187.48 TCP_MEM_HIT/200 38739 GET http://search.msn.com/sa/1_1_0000_26239/common.css NONE/- text/css
1121087444.472 9 66.29.187.48 TCP_MEM_HIT/200 28200 GET http://search.msn.com/sa/1_1_0000_26239/common.js NONE/- application/x-javascript
1121087444.663 8 66.29.187.48 TCP_MEM_HIT/200 1734 GET http://search.msn.com/s/hgrad.gif NONE/- image/gif
1121087444.669 1 66.29.187.48 TCP_MEM_HIT/200 2003 GET http://search.msn.com/s/logomsn.gif NONE/- image/gif
1121087444.774 12 66.29.187.48 TCP_MEM_HIT/200 423 GET http://search.msn.com/s/sbtnbk.gif NONE/- image/gif
1121087444.898 2 66.29.187.48 TCP_MEM_HIT/200 494 GET http://search.msn.com/s/more.gif NONE/- image/gif
1121087444.952 1 66.29.187.48 TCP_MEM_HIT/200 675 GET http://search.msn.com/s/mgou.gif NONE/- image/gif
1121087444.967 2 66.29.187.48 TCP_MEM_HIT/200 423 GET http://search.msn.com/s/snbtnbk.gif NONE/- image/gif
1121087445.232 4 66.29.187.48 TCP_MEM_HIT/200 319 GET http://search.msn.com/s/bullet.gif NONE/- image/gif
1121087469.903 124 66.29.187.48 TCP_MISS/200 3099 GET http://www.google.com/ DIRECT/64.233.161.104 text/html
Proxy Logs – HTTP – Download
1122923698.265 127692 66.29.187.48 TCP_MISS/200 369576 GET http://files.dvdr-digest.com/encode/dvdshrink23.zip DIRECT/67.15.68.51 application/zip
**************************************************************************
Example #1 – Downloading of Tools
By examining the Proxy Logs for HTTP, an investigator can determine what types of files are being downloaded and from where. This gives a good picture of the potential malware and intrusion tools that the attacker may have utilized to commit his crime.
Proxy Logs – HTTP – Upload
1121191891.809 356 66.29.187.48 TCP_MISS/200 627 POST http://www.myhackersite.com/smfh/login.jsp DIRECT/12.10.217.31 text/html
1121191958.064 750 66.29.187.48 TCP_MISS/200 1160 POST http://www.myhackersite.com/smfh/passwordupload.aspx DIRECT/12.10.217.31 text/html
**************************************************************************
Example #2 – Uploading of Unauthorized Data
By examining the Proxy Logs for HTTP, an investigator can determine where stolen data could have been uploaded outside of the corporation. By examining the above logs, you can see the user “” logged into the site www.myhackersite.com and uploaded data to the script “passwordupload.aspx”.
Proxy Logs – HTTP – Malware Detection
1127162071.927 350 66.29.186.12 TCP_MISS/200 2360 CONNECT command.hacker.com:443 DIRECT/66.135.194.30 -
1127162099.925 386 66.29.151.9 TCP_MISS/200 5322 CONNECT command.hacker.com:443 DIRECT/66.135.213.40 -
1127162107.480 502 66.29.173.187 TCP_MISS/200 7343 CONNECT command.hacker.com:443 DIRECT/66.135.213.48 -
1127162579.189 2444 66.29.142.29 TCP_MISS/200 1999 CONNECT command.hacker.com:443 DIRECT/66.135.194.24 -
1127162579.194 1613 66.29.59.24 TCP_MISS/200 2012 CONNECT command.hacker.com:443 DIRECT/66.135.194.24 -
1127162579.197 2012 66.29.50.149 TCP_MISS/200 1997 CONNECT command.hacker.com:443 DIRECT/66.135.194.24 -
1127162579.199 1616 66.29.128.48 TCP_MISS/200 1998 CONNECT command.hacker.com:443 DIRECT/66.135.194.24 -
*************************************************************************************
Example #3 – Malware Detection
Most malware developed today is “smart”. It will contact a predetermined location for software updates, instructions, and to drop off compromised data. By examining the Proxy HTTP logs, an investigator can determine the spread of the infection. This method also works with transparent proxies.
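A small triage script, added here as an example and not part of the original material, that parses the Squid native access.log format shown in these excerpts and produces the three views Examples #1 to #3 describe: tool downloads identified by content type, POST uploads, and CONNECT destinations contacted by many distinct internal hosts. The sample log is built from the page's own excerpts; the content-type list and the three-host threshold are assumptions.

```python
import re
from collections import defaultdict

# Squid native access.log: time elapsed client result/status bytes method URL hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Sample input constructed from the log excerpts on this page (one benign GET, one download,
# two uploads, three CONNECT requests from different internal hosts to the same destination).
SAMPLE_LOG = """\
1121087469.903 124 66.29.187.48 TCP_MISS/200 3099 GET http://www.google.com/ DIRECT/64.233.161.104 text/html
1122923698.265 127692 66.29.187.48 TCP_MISS/200 369576 GET http://files.dvdr-digest.com/encode/dvdshrink23.zip DIRECT/67.15.68.51 application/zip
1121191891.809 356 66.29.187.48 TCP_MISS/200 627 POST http://www.myhackersite.com/smfh/login.jsp DIRECT/12.10.217.31 text/html
1121191958.064 750 66.29.187.48 TCP_MISS/200 1160 POST http://www.myhackersite.com/smfh/passwordupload.aspx DIRECT/12.10.217.31 text/html
1127162071.927 350 66.29.186.12 TCP_MISS/200 2360 CONNECT command.hacker.com:443 DIRECT/66.135.194.30 -
1127162099.925 386 66.29.151.9 TCP_MISS/200 5322 CONNECT command.hacker.com:443 DIRECT/66.135.213.40 -
1127162579.189 2444 66.29.142.29 TCP_MISS/200 1999 CONNECT command.hacker.com:443 DIRECT/66.135.194.24 -
"""

# Content types that usually mean a tool or archive is being fetched (assumed list; extend per site).
DOWNLOAD_TYPES = {"application/zip", "application/x-msdownload", "application/octet-stream"}

def parse(text):
    """Yield one dict per well-formed Squid native-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec

def host_of(url):
    """Hostname of an absolute URL or of a CONNECT host:port target."""
    u = re.sub(r"^[a-z]+://", "", url)
    return u.split("/", 1)[0].rsplit(":", 1)[0]

def triage(text, min_clients=3):
    """Return (downloads, uploads, suspects): the three investigative views from the examples."""
    downloads, uploads, connect_clients = [], [], defaultdict(set)
    for r in parse(text):
        if r["method"] == "GET" and r["mime"] in DOWNLOAD_TYPES:
            downloads.append((r["client"], r["url"], r["bytes"]))   # Example #1: tool downloads
        elif r["method"] == "POST":
            uploads.append((r["client"], r["url"]))                 # Example #2: data uploads
        elif r["method"] == "CONNECT":
            connect_clients[host_of(r["url"])].add(r["client"])     # Example #3: tunnelled beacons
    # A destination reached over CONNECT by many distinct internal hosts shows the spread of an infection.
    suspects = {h: sorted(c) for h, c in connect_clients.items() if len(c) >= min_clients}
    return downloads, uploads, suspects
```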