Proxy Logs - HTTP

1121087443.547    169 66.29.187.48 TCP_MISS/302 680 GET http://auto.search.msn.com/response.asp?  DIRECT/205.161.4.166 text/html
1121087444.308    593 66.29.187.48 TCP_MISS/200 13787 GET http://search.msn.com/results.aspx?  DIRECT/205.161.4.166 text/html
1121087444.422     13 66.29.187.48 TCP_MEM_HIT/200 38739 GET http://search.msn.com/sa/1_1_0000_26239/common.css  NONE/- text/css
1121087444.472      9 66.29.187.48 TCP_MEM_HIT/200 28200 GET http://search.msn.com/sa/1_1_0000_26239/common.js  NONE/- application/x-javascript
1121087444.663      8 66.29.187.48 TCP_MEM_HIT/200 1734 GET http://search.msn.com/s/hgrad.gif  NONE/- image/gif
1121087444.669      1 66.29.187.48 TCP_MEM_HIT/200 2003 GET http://search.msn.com/s/logomsn.gif  NONE/- image/gif
1121087444.774     12 66.29.187.48 TCP_MEM_HIT/200 423 GET http://search.msn.com/s/sbtnbk.gif  NONE/- image/gif
1121087444.898      2 66.29.187.48 TCP_MEM_HIT/200 494 GET http://search.msn.com/s/more.gif  NONE/- image/gif
1121087444.952      1 66.29.187.48 TCP_MEM_HIT/200 675 GET http://search.msn.com/s/mgou.gif  NONE/- image/gif
1121087444.967      2 66.29.187.48 TCP_MEM_HIT/200 423 GET http://search.msn.com/s/snbtnbk.gif  NONE/- image/gif
1121087445.232      4 66.29.187.48 TCP_MEM_HIT/200 319 GET http://search.msn.com/s/bullet.gif  NONE/- image/gif
1121087469.903    124 66.29.187.48 TCP_MISS/200 3099 GET http://www.google.com/  DIRECT/64.233.161.104 text/html


Proxy Logs – HTTP - Download

1122923698.265 127692 66.29.187.48 TCP_MISS/200 369576 GET http://files.dvdr-digest.com/encode/dvdshrink23.zip  DIRECT/67.15.68.51 application/zip
**************************************************************************

Example #1 – Downloading of Tools

By examining the HTTP proxy logs, an investigator can determine what types of files were downloaded, by which internal host, and from where.  In the entry above, the client 66.29.187.48 fetched dvdshrink23.zip (content type application/zip, 369576 bytes returned to the client, 127692 ms elapsed) directly from the origin server 67.15.68.51.  This gives a good picture of the malware and intrusion tools an attacker may have used to commit the crime.  Note that the proxy records the URL, response size and content type, not the file itself; to confirm what was actually downloaded the object has to be recovered from the endpoint (or from the proxy cache, if it was cached).

Proxy Logs – HTTP - Upload

1121191891.809    356 66.29.187.48 TCP_MISS/200 627 POST http://www.myhackersite.com/smfh/login.jsp  DIRECT/12.10.217.31 text/html
1121191958.064    750 66.29.187.48 TCP_MISS/200 1160 POST http://www.myhackersite.com/smfh/passwordupload.aspx  DIRECT/12.10.217.31 text/html

**************************************************************************

Example #2 – Uploading of Unauthorized Data

By examining the HTTP proxy logs, an investigator can determine where stolen data could have been uploaded outside the corporation.  In the entries above, the client 66.29.187.48 (the username field is empty in these lines) logged in to www.myhackersite.com through login.jsp and, 66 seconds later, POSTed to the script passwordupload.aspx.  The proxy logs the POST and the server's reply (status 200, 1160 bytes) but not the request body, so the log shows that an upload was made and accepted, not what was sent; the content has to be recovered from the client or from a full packet capture.

Proxy Logs – HTTP – Malware Detection

1127162071.927    350 66.29.186.12 TCP_MISS/200 2360 CONNECT command.hacker.com:443  DIRECT/66.135.194.30 -
1127162099.925    386 66.29.151.9 TCP_MISS/200 5322 CONNECT command.hacker.com:443  DIRECT/66.135.213.40 -
1127162107.480    502 66.29.173.187 TCP_MISS/200 7343 CONNECT command.hacker.com:443  DIRECT/66.135.213.48 -
1127162579.189   2444 66.29.142.29 TCP_MISS/200 1999 CONNECT command.hacker.com:443  DIRECT/66.135.194.24 -
1127162579.194   1613 66.29.59.24 TCP_MISS/200 2012 CONNECT command.hacker.com:443  DIRECT/66.135.194.24 -
1127162579.197   2012 66.29.50.149 TCP_MISS/200 1997 CONNECT command.hacker.com:443  DIRECT/66.135.194.24 -
1127162579.199   1616 66.29.128.48 TCP_MISS/200 1998 CONNECT command.hacker.com:443  DIRECT/66.135.194.24 -
**************************************************************************

Example #3 – Malware Detection

Most malware developed today is “smart”.  It contacts a predetermined location for software updates, for instructions, and to drop off stolen data.  By examining the HTTP proxy logs, an investigator can determine the spread of the infection.  In the entries above, seven distinct internal hosts open CONNECT tunnels to command.hacker.com:443, four of them logged within ten milliseconds of each other with replies of nearly identical size (1997 to 2012 bytes).  CONNECT hides the content of the session, but the destination, timing, volume and the set of clients remain visible, and that is enough to enumerate the infected hosts.  This method also works with transparent proxies, provided the malware's traffic actually passes through the proxy: a proxy-unaware client leaves no entry in an explicit proxy's log, and a transparent proxy only records the ports it intercepts.
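The three checks described in Examples #1, #2 and #3 can be run over the log lines on this page with a short script.  The following Python is an added example, not part of the original handout: it parses Squid's native access.log format (the lines on this page omit the username field, so the parser accepts both 9- and 10-field lines), flags tool downloads by content type or file extension, lists POSTs to hosts outside a hypothetical internal allowlist (the suffix .corp.example is an assumption, since the page names no internal domain), and groups CONNECT destinations by the number of distinct internal clients.  The sample log embedded in the script is copied from the entries on this page.

```python
"""Parse Squid native access.log lines and run the three checks from this
page: tool downloads, POST uploads to external hosts, and C2 beacons."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sample entries copied from this page's log excerpts.  The username field
# is empty in all of them, which is why they split into 9 tokens, not 10.
SAMPLE_LOG = """\
1121087443.547    169 66.29.187.48 TCP_MISS/302 680 GET http://auto.search.msn.com/response.asp?  DIRECT/205.161.4.166 text/html
1121087444.422     13 66.29.187.48 TCP_MEM_HIT/200 38739 GET http://search.msn.com/sa/1_1_0000_26239/common.css  NONE/- text/css
1122923698.265 127692 66.29.187.48 TCP_MISS/200 369576 GET http://files.dvdr-digest.com/encode/dvdshrink23.zip  DIRECT/67.15.68.51 application/zip
1121191891.809    356 66.29.187.48 TCP_MISS/200 627 POST http://www.myhackersite.com/smfh/login.jsp  DIRECT/12.10.217.31 text/html
1121191958.064    750 66.29.187.48 TCP_MISS/200 1160 POST http://www.myhackersite.com/smfh/passwordupload.aspx  DIRECT/12.10.217.31 text/html
1127162071.927    350 66.29.186.12 TCP_MISS/200 2360 CONNECT command.hacker.com:443  DIRECT/66.135.194.30 -
1127162099.925    386 66.29.151.9 TCP_MISS/200 5322 CONNECT command.hacker.com:443  DIRECT/66.135.213.40 -
1127162107.480    502 66.29.173.187 TCP_MISS/200 7343 CONNECT command.hacker.com:443  DIRECT/66.135.213.48 -
1127162579.189   2444 66.29.142.29 TCP_MISS/200 1999 CONNECT command.hacker.com:443  DIRECT/66.135.194.24 -
1127162579.194   1613 66.29.59.24 TCP_MISS/200 2012 CONNECT command.hacker.com:443  DIRECT/66.135.194.24 -
1127162579.197   2012 66.29.50.149 TCP_MISS/200 1997 CONNECT command.hacker.com:443  DIRECT/66.135.194.24 -
1127162579.199   1616 66.29.128.48 TCP_MISS/200 1998 CONNECT command.hacker.com:443  DIRECT/66.135.194.24 -
"""


def parse_line(line):
    """Split one Squid native-format line into a dict, or return None.

    Format: time elapsed client code/status bytes method url user peer/host type.
    The user field may be missing entirely (as on this page), so the first
    seven and the last two tokens are fixed and whatever remains is the user.
    """
    tok = line.split()
    if len(tok) < 9:
        return None
    code, _, status = tok[3].partition("/")
    hier, _, peer = tok[-2].partition("/")
    return {
        "ts": float(tok[0]),
        "elapsed_ms": int(tok[1]),
        "client": tok[2],
        "code": code,                 # e.g. TCP_MISS, TCP_MEM_HIT
        "status": int(status),        # HTTP status returned to the client
        "bytes": int(tok[4]),         # bytes sent to the client, headers included
        "method": tok[5],
        "url": tok[6],
        "user": " ".join(tok[7:-2]),  # "" when the field is absent
        "hierarchy": hier,            # DIRECT / NONE / ...
        "peer": peer,                 # origin server IP, or "-" on a cache hit
        "mime": tok[-1],
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


# Content types and extensions an investigator would treat as tool/archive downloads.
DOWNLOAD_MIME = {"application/zip", "application/x-zip-compressed",
                 "application/octet-stream", "application/x-msdownload",
                 "application/x-rar-compressed", "application/x-gzip"}
DOWNLOAD_EXT = re.compile(r"\.(zip|exe|dll|rar|7z|gz|tgz|msi|scr)$", re.I)


def find_downloads(entries):
    """Example #1: GETs whose content type or URL extension marks a tool download."""
    hits = []
    for e in entries:
        if e["method"] != "GET":
            continue
        path = urlsplit(e["url"]).path
        if e["mime"] in DOWNLOAD_MIME or DOWNLOAD_EXT.search(path):
            hits.append((e["client"], e["url"], e["bytes"], e["peer"]))
    return hits


def find_uploads(entries, internal_suffixes=(".corp.example",)):
    """Example #2: POST/PUT to hosts outside the company's own domains.

    internal_suffixes is a hypothetical allowlist; the page names no internal domain.
    """
    hits = []
    for e in entries:
        if e["method"] not in ("POST", "PUT"):
            continue
        parts = urlsplit(e["url"])
        host = parts.hostname or ""
        if not host.endswith(internal_suffixes):
            hits.append((e["client"], host, parts.path, e["status"]))
    return hits


def beacon_candidates(entries, min_clients=3):
    """Example #3: CONNECT destinations reached by several distinct internal hosts."""
    clients = defaultdict(set)
    for e in entries:
        if e["method"] == "CONNECT":
            clients[e["url"]].add(e["client"])
    return {dst: sorted(c) for dst, c in clients.items() if len(c) >= min_clients}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("downloads:", find_downloads(log))
    print("uploads:", find_uploads(log))
    print("beacons:", beacon_candidates(log))
```

Run it directly to print the three result sets; on a real access.log, replace SAMPLE_LOG with the file contents.  The content-type list and the three-client threshold are starting points to tune, and a match is a lead to pull the endpoint or a packet capture for, not a finding by itself.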