Prompt
Analyze this Squid proxy log to answer the following questions.
Tutorial Video
Video tutorial: Cyber Skyline NCL Summer Live - Log Analysis 2 - July 15 2021
Walk-Through
This challenge involves analyzing a Squid proxy log. Basic scripting knowledge is necessary to complete the challenge in a reasonable amount of time.
Use head to see the first few lines of the log. The first field, which is normally the time, is an odd-looking number with a decimal point. This is epoch time: the number of seconds elapsed since midnight on January 1, 1970 (UTC).
Converting an epoch timestamp to a human-readable date:
Online tools can be used to convert the timestamp to a human-readable date (see tools below), or you can use the date command to convert it within Linux:
Using awk to extract column data:
To answer questions about the speed of the requests, looking up the format of a Squid log (https://wiki.squid-cache.org/Features/LogFormat) shows that the field after the timestamp is the time the proxy spent processing the client request, in milliseconds. To extract this field, use awk '{print $2}' and sort -n to sort numerically: the first line of the sorted output is the fastest request and the last line is the slowest.
To answer how many different IP addresses the proxy serviced in this log, use awk to output the client IP addresses found in field 3 and count the distinct values: awk '{print $3}' | sort | uniq | wc -l.
For other examples of using awk, refer to Log Analysis challenge Nginx.
The request method (GET, POST, and so on) is found in the 6th column. Use cat squid_access.log | awk '{print $6}' | sort | uniq -c to see the number of GET and POST requests made.
To find information about the antivirus used on 192.168.0.224, use grep to find that IP address in the log file: cat squid_access.log | grep "192.168.0.224". Note that grep matches the string anywhere on the line and treats the dots as wildcards, so it would also match a longer address such as 192.168.0.2240; check that the hits are in the client IP field before counting them.
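The walk-through steps above, and the commands repeated under questions 1 to 8 below, collected into one script as an added example. This is not part of the Cyber Skyline walk-through: it runs against a small constructed Squid native-format log (the hosts, addresses and URLs are made up, so the answers it prints are for the sample data, not for the challenge log), and it uses an exact comparison on the client field instead of a bare grep so that a longer address cannot match by accident.

```shell
#!/usr/bin/env bash
# Added worked example (not part of the Cyber Skyline walk-through): the
# one-liners from the walk-through wrapped in functions and run against a
# small CONSTRUCTED Squid native-format log, so the procedure runs offline.
# Squid native access.log fields: 1 timestamp (epoch seconds), 2 elapsed ms,
# 3 client IP, 4 result code/status, 5 bytes, 6 request method, 7 URL,
# 8 user, 9 hierarchy code/peer, 10 content type.
# The hosts, addresses and URLs below are made up; the challenge log differs.
LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
1626379200.123    312 192.168.0.224 TCP_MISS/200 5432 GET http://update.example-av.test/virus/definitions/daily.cvd - HIER_DIRECT/203.0.113.10 application/octet-stream
1626379201.456     48 192.168.0.224 TCP_HIT/200 1024 GET http://www.example-av.test/ - NONE/- text/html
1626379202.789   2450 192.168.0.17 TCP_MISS/200 20480 POST http://forms.example.test/submit - HIER_DIRECT/203.0.113.11 text/html
1626379203.001    127 192.168.0.42 TCP_MISS/200 800 GET http://www.example.test/index.html - HIER_DIRECT/203.0.113.12 text/html
1626379204.555     48 192.168.0.17 TCP_MISS/404 350 GET http://www.example.test/missing - HIER_DIRECT/203.0.113.12 text/html
EOF

# Q1: year of the log. GNU date accepts "@<epoch>"; -u converts in UTC so a
# local-timezone offset cannot shift the year. BSD/macOS date uses -r instead.
log_year() {
    local ts
    ts=$(awk 'NR == 1 {print int($1)}' "$LOG")
    date -u -d "@$ts" +%Y 2>/dev/null || date -u -r "$ts" +%Y
}

# Q2/Q3: field 2 sorted numerically; first line is fastest, last is slowest.
fastest_ms() { awk '{print $2}' "$LOG" | sort -n | head -n 1; }
slowest_ms() { awk '{print $2}' "$LOG" | sort -n | tail -n 1; }

# Q4: distinct client addresses (field 3). sort -u replaces sort | uniq.
unique_clients() { awk '{print $3}' "$LOG" | sort -u | awk 'END {print NR}'; }

# Q5/Q6: count one request method by comparing field 6 exactly.
count_method() { awk -v m="$1" '$6 == m {n++} END {print n + 0}' "$LOG"; }

# Q7: all requests from one client. An exact comparison on field 3 avoids the
# two traps of grep "192.168.0.224": dots are regex wildcards, and the pattern
# also matches longer addresses such as 192.168.0.2240 anywhere on the line.
requests_from() { awk -v ip="$1" '$3 == ip' "$LOG"; }

# Distinct hostnames that client contacted; the AV vendor's name shows up here.
hosts_from() { requests_from "$1" | awk '{print $7}' | awk -F/ '{print $3}' | sort -u; }

# Q8: the definitions download: a URL from that client containing both words.
av_update_url() {
    awk -v ip="$1" '$3 == ip && $7 ~ /virus/ && $7 ~ /definitions/ {print $7}' "$LOG"
}

echo "first lines:"; head -n 2 "$LOG"
echo "year:      $(log_year)"
echo "fastest:   $(fastest_ms) ms"
echo "slowest:   $(slowest_ms) ms"
echo "clients:   $(unique_clients)"
echo "GET/POST:  $(count_method GET)/$(count_method POST)"
echo "hosts for 192.168.0.224:"; hosts_from 192.168.0.224
echo "AV update: $(av_update_url 192.168.0.224)"
```

To use it on the real challenge file, replace the heredoc with LOG=squid_access.log and drop the trap; the functions work unchanged because they only depend on the Squid native field positions.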
Helpful Tools:
Questions
1. In what year was this log saved?
Take any of the epoch timestamps and convert it into a human-readable date, in UTC so that a local-timezone offset cannot shift the year. An online tool, such as Epoch Converter, can be used to do this.
2. How many milliseconds did the fastest request take?
cat squid_access.log | awk '{print $2}' | sort -n
3. How many milliseconds did the longest request take?
Same command as the question above; the slowest request is the last line of the numerically sorted output.
4. How many different IP addresses did the proxy service in this log?
cat squid_access.log | awk '{print $3}' | sort | uniq | wc -l
5. How many GET requests were made?
cat squid_access.log | awk '{print $6}' | sort | uniq -c
6. How many POST requests were made?
Same command as question 5; read the count next to POST.
7. What company created the antivirus used on the host at 192.168.0.224?
The name of the company is found within the URLs of the requests made by 192.168.0.224.
cat squid_access.log | grep "192.168.0.224"
8. What URL is used to download an antivirus update?
Use the command from the question above and then find the URL that includes both “virus” and “definitions”.
©️ 2025 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.