On Wed, Jun 22, 2011 at 6:54 PM, Jim Halfpenny <[email protected]> wrote:
> On 22 June 2011 17:17, Michael Lubinski <[email protected]> wrote:
>> What methods were you using to analyze the proxy logs for out of the norm
>> behavior?
>
> grep?
Pretty much. I had a script that took logs from our corporate proxy, and extracted the URL, HTTP return code, and MIME type. From there it took the MIME type and looked to see if it was some kind of executable code, Java, or PDF, and if so, downloaded it. There were also some behavioral tests it did. From there I had to manually classify it. There were a good number of false positives, but my idea was to develop a whitelist of hosts to ignore, and after a while I think it would have given alerts on "abnormal" hosts. I no longer have the script (wrote it at $OLD_JOB's); however, if someone gives me access to a Squid log, I can replicate it pretty easily.

-- 
Ben Jackson - Mayhemic Labs
[email protected] - http://www.mayhemiclabs.com - +1-508-296-0267
"Assume that what is in the power of one man to do, is in the power of another"

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
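The triage step Ben describes (extract URL, status code and MIME type from Squid logs, flag executable/Java/PDF responses, suppress whitelisted hosts) as an added example; this is not Ben's script and not part of the original thread. It assumes Squid's native access.log format (ten whitespace-separated fields, with the response content type last), a constructed sample log, and a constructed whitelist; the "download and run behavioral tests" stage is left out and the script only reports what a human would then review.

```python
"""Flag proxy log entries whose response MIME type suggests executable code,
Java or PDF content, ignoring hosts on a whitelist.

Assumed Squid native access.log layout (10 fields):
  time elapsed client action/status bytes method url ident hierarchy/peer mime_type
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# MIME types worth a closer look. Assumed list; extend to local needs.
INTERESTING_TYPES = {
    "application/x-msdownload": "executable",
    "application/x-dosexec": "executable",
    "application/x-msdos-program": "executable",
    "application/octet-stream": "executable",
    "application/java-archive": "java",
    "application/x-java-archive": "java",
    "application/x-java-applet": "java",
    "application/pdf": "pdf",
}

# Constructed sample log lines (not real traffic). The third line comes from a
# whitelisted vendor domain, the fourth is a 404 (nothing was delivered), and the
# last is deliberately malformed to exercise the parser's error path.
SAMPLE_LOG = """\
1308769200.123    245 10.0.0.5 TCP_MISS/200 45120 GET http://cdn.example.net/tools/setup.exe - HIER_DIRECT/192.0.2.10 application/x-msdownload
1308769201.456     12 10.0.0.5 TCP_HIT/200 8873 GET http://www.example.com/index.html - NONE/- text/html
1308769202.789    330 10.0.0.7 TCP_MISS/200 120333 GET http://updates.vendor.example/patch.exe - HIER_DIRECT/192.0.2.20 application/x-msdownload
1308769203.001    150 10.0.0.9 TCP_MISS/404 512 GET http://files.example.org/tool.jar - HIER_DIRECT/203.0.113.5 application/java-archive
1308769204.222    410 10.0.0.9 TCP_MISS/200 77001 GET http://files.example.org/invoice.pdf - HIER_DIRECT/203.0.113.5 application/pdf
malformed line
"""

# Constructed whitelist: a parent domain suppresses all of its subdomains.
WHITELIST = frozenset({"vendor.example"})


@dataclass
class ProxyRecord:
    client: str
    status: int
    method: str
    url: str
    mime_type: str

    @property
    def host(self) -> str:
        return (urlparse(self.url).hostname or "").lower()


def parse_squid_line(line: str):
    """Return a ProxyRecord for a native-format line, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        status = int(fields[3].split("/", 1)[1])   # e.g. TCP_MISS/200 -> 200
    except (IndexError, ValueError):
        return None
    mime = fields[9].split(";", 1)[0].strip().lower()   # drop any charset suffix
    return ProxyRecord(client=fields[2], status=status, method=fields[5],
                       url=fields[6], mime_type=mime)


def classify(record: ProxyRecord):
    """Return 'executable', 'java', 'pdf', or None for uninteresting content."""
    return INTERESTING_TYPES.get(record.mime_type)


def is_whitelisted(host: str, whitelist) -> bool:
    """Exact host match or any subdomain of a whitelisted domain."""
    return any(host == w or host.endswith("." + w) for w in whitelist)


def flag_records(lines, whitelist=frozenset()):
    """Yield (client, url, kind) for completed downloads of interesting content."""
    flagged = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None or rec.status != 200:   # skip garbage and failed fetches
            continue
        kind = classify(rec)
        if kind is None or is_whitelisted(rec.host, whitelist):
            continue
        flagged.append((rec.client, rec.url, kind))
    return flagged


if __name__ == "__main__":
    for client, url, kind in flag_records(SAMPLE_LOG.splitlines(), WHITELIST):
        print(f"{kind:10s} {client:15s} {url}")
```

Status filtering matters more than it looks: a 404 for a .jar tells you someone asked for it, but nothing reached the client, so it belongs in a different (request-side) report than completed downloads. The whitelist grows from the analyst's manual classification over time, which is exactly the loop Ben describes.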
