Prompt
Analyze this Squid proxy log to answer the following questions.
Tutorial Video
Walk-Through
This challenge involves analyzing a Squid proxy log. Basic scripting knowledge is necessary to complete the challenge in a reasonable amount of time.
Use head
to see the first few lines of the log. The first field, commonly the time, is in an odd format of numbers and decimals. This is epoch time. Epoch time is the time in seconds from January 1 1970 at midnight.
Converting a timestamp from Epoch to Unix:
Online tools can be used to convert the timestamp to a human readable Unix format (see tools below) . or you can use the date
command to convert it within linux:
Using awk
to extract column data:
To answer the second and third questions, looking up the format of a squid log (https://wiki.squid-cache.org/Features/LogFormat) shows that the field after the timestamp represents the time spent by the proxy in processing the client request, shows in milliseconds. To extract this field, we can use awk '{print $2}'
and sort -n
to sort numerically.
The last question can be answered by extracting the IP address field, sorting and counting the number of unique values with awk '{print $3}' | sort | uniq | wc -l
.
For other examples of using awk
, refer to Log Analysis challenge Nginx.
Helpful Tools:
Questions
1. In what year was this log saved?
Take any of the Epoch timestamps and convert them into a human-readable date. An online tool, such as Epoch Converter, can be used to do this.
2. How many milliseconds did the fastest request take?
cat squid_access.log | awk '{print $2}' | sort -n
3. How many milliseconds did the longest request take?
Same as the question above
4. How many different IP addresses did the proxy service in this log?
cat squid_access.log | awk '{print $3}' | sort | uniq | wc -l
5. How many GET requests were made?
cat squid_access.log | awk '{print $6}' | sort | uniq –c
6. How many POST requests were made?
Same as the question above
7. What company created the antivirus used on the host at 192.168.0.224?
The name of the company is found within the URLs of the requests made 192.168.0.224
cat squid_access.log | grep "192.168.0.224"
8. What URL is used to download an antivirus update?
Use the command from the question above and then find the URL that includes “virus” and “definitions”
©️ 2025 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.