Squid

Prompt

Analyze this Squid proxy log to answer the following questions.

squid_access.log15.9KB

Tutorial Video

Walk-Through

Video tutorial: Cyber Skyline NCL Summer Live - Log Analysis 2 - July 15 2021Cyber Skyline NCL Summer Live - Log Analysis 2 - July 15 2021

This challenge involves analyzing a Squid proxy log. Basic scripting knowledge is necessary to complete the challenge in a reasonable amount of time.

Use head to see the first few lines of the log. The first field, commonly the time, is in an odd format of numbers and decimals. This is epoch time. Epoch time is the time in seconds from January 1 1970 at midnight.

image

Converting a timestamp from Epoch to Unix:

Online tools can be used to convert the timestamp to a human readable Unix format (see tools below) . or you can use the date command to convert it within linux:

image

Using awk to extract column data:

To answer questions about the speed of the request, looking up the format of a squid log (https://wiki.squid-cache.org/Features/LogFormat) shows that the field after the timestamp represents the time spent by the proxy in processing the client request, shown in milliseconds. To extract this field, use awk '{print $2}' and sort -n to sort numerically.

image

To answer how many different ip addresses that the proxy serviced in this log, use awk to output the ip addresses found in field 3. awk '{print $3}' | sort | uniq | wc -l.

image

For other examples of using awk, refer to Log Analysis challenge Nginx.

The GET and POST requests are found in the 6th column. Usecat squid_access.log | awk '{print $6}' | sort | uniq –c to see the number of GET and POST requests made.

image

To find information about the antivirus used on 192.168.0.224, use grep to find that ip address in the log file: cat squid_access.log | grep "192.168.0.224"

The output of this command has been partially redacted to show the ip addresses filtered using grep
The output of this command has been partially redacted to show the ip addresses filtered using grep

Helpful Tools:

Epoch Converter

Understanding how to use awk to print specific columns

How squid logs are formatted

Questions

1. In what year was this log saved?

Take any of the Epoch timestamps and convert them into a human-readable date. An online tool, such as Epoch Converter, can be used to do this.

2. How many milliseconds did the fastest request take?

cat squid_access.log | awk '{print $2}' | sort -n
Extract the second field (the response time) and then sort the results numerically

3. How many milliseconds did the longest request take?

Same as the question above

4. How many different IP addresses did the proxy service in this log?

cat squid_access.log | awk '{print $3}' | sort | uniq | wc -l
Extract the third field (the IP address of the proxy client), sort, get the unique values, and then get the line count

5. How many GET requests were made?

cat squid_access.log | awk '{print $6}' | sort | uniq –c
Extract the 6th field (the HTTP Request type), sort, and then get the unique values with a count of their occurrences

6. How many POST requests were made?

Same as the question above

7. What company created the antivirus used on the host at 192.168.0.224?

The name of the company is found within the URLs of the requests made 192.168.0.224 

cat squid_access.log | grep "192.168.0.224"
Search for any lines that contain the IP address from the question.

8. What URL is used to download an antivirus update?

Use the command from the question above and then find the URL that includes “virus” and “definitions”

©️ 2025 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.