Threat Hunting: Web Proxy Logs


Dec 14, 2024

Web proxy logs are one of my favorite places to start a hunt: every outbound HTTP request from the estate passes through them, so a compromised host has to show up here sooner or later.

What should you look for?

Start with the easy checks and work up to the harder ones as you go along.

Look for Suspicious IP Addresses

  • Check for unknown or blocklisted destinations: In a forward proxy log the client column is your own network, so run the destination IPs and domains (not the clients) against threat-intelligence feeds and known-bad lists.

  • Check for volume and location outliers: Look for large numbers of requests from a single client, or destinations in countries or hosting providers the business has no reason to contact.

Review Request Patterns

  • Unusual request methods: Investigate methods that do not fit normal browser traffic (e.g., TRACE, OPTIONS, or PUT/DELETE to external hosts). Note that CONNECT is the normal way HTTPS traffic passes through a forward proxy, so CONNECT on its own is not suspicious; CONNECT to non-standard ports or raw IP addresses is (see Check for Proxy Abuse below).

  • High frequency of requests: Identify clients with unusually high request rates, which might indicate scraping, DDoS attacks, or bot activity.

  • Repetitive or invalid requests: Check for patterns such as repeated failed attempts or requests with invalid parameters (e.g., empty URLs, malformed requests).

Response Codes & Error Handling

  • 4xx and 5xx errors: Look for patterns in 4xx (client error) and 5xx (server error) codes per client. Runs of 401/403 from one client suggest credential guessing or probing of protected pages, runs of 404 suggest directory or file enumeration, and frequent 5xx may point to server misconfiguration or an attack such as DoS.

  • Unusual successes (2xx): Look for successful requests to URLs or services that are rarely used in your environment, or an unusually large number of successes from a client that normally generates little traffic.

Analyze Requested URLs

  • Suspicious URL patterns: Look for URLs with encoded characters (%20, %3C, etc.), requests for server-side scripts (.php, .cgi) on hosts that do not normally serve them, or downloads of uncommon file extensions (e.g., .exe, .bat, .sh).

  • Access to restricted or sensitive files: Check for attempts to reach sensitive resources such as /etc/, /admin/, or other configuration files, including directory-traversal sequences (../) in the path.

  • Cross-site scripting (XSS) and SQL injection attempts: Look for special characters (<, >, --, ;, ') in query strings or URLs that might indicate exploitation attempts. In a proxy log these are outbound, so a hit means an internal client is attacking an external site, which usually means a compromised host or a user who should not be doing that.

Check for Proxy Abuse

  • Abuse of the CONNECT method: CONNECT tunnels TLS traffic through the proxy, so the log shows only the destination host:port, not the URL. Look for CONNECT to ports other than 443, CONNECT to raw IP addresses, or CONNECT to a single destination at a steady interval that does not fit browser behavior.

  • Requesting IP addresses directly: Squid logs the URL as the client sent it, so requests made to a literal IP address instead of a domain name stand out. Browsers almost never do this; malware, hard-coded tooling, and attempts to dodge domain-based filtering do.

Review User-Agent and Referrer Data

  • Suspicious User-Agent strings: Look for user agents that resemble automated tools or scripts (e.g., curl, Wget, python-requests), a bare "Mozilla/5.0" with nothing after it, or a browser/OS combination that is not deployed in your environment.

  • Abnormal referrer data: A high proportion of requests with empty or suspicious referrers from one client can indicate automated scraping or redirection chains. Empty referrers are also normal for direct navigation and for HTTPS-to-HTTP transitions, so compare the ratio per client against its peers rather than alerting on single requests.

Check for Abnormal Traffic Volume

  • High traffic from specific clients: Track individual client IPs or authenticated proxy usernames that generate an abnormally high number of requests in a short window.

  • Traffic to uncommon domains: Unusually high traffic to new or unknown domains, or to a domain that only one client ever contacts, can indicate exfiltration, botnet command and control, or reconnaissance.
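The checklist above can be run mechanically over a log file. The script below is an added example, not code from the original post or from Squid; it assumes Squid's "combined" logformat (client, ident, user, [time], "request line", status, bytes, "referer", "user-agent", squid-status), because the native access.log format has no User-Agent field. It parses each line, then applies the checks from the sections above: CONNECT to non-standard ports, requests to raw IP addresses, scripting-tool user agents, executable downloads, injection characters in decoded URLs, 4xx bursts, request-rate spikes per client, and domains contacted by only one client. The log lines and thresholds are constructed for the demonstration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote, urlsplit

# Assumption: squid.conf uses `logformat combined` (field order per the Squid docs).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<squid>\S+)$'
)
TOOL_UA_RE = re.compile(r'^(curl|Wget|python-requests|Go-http-client)/', re.I)
EXEC_EXT_RE = re.compile(r'\.(exe|bat|sh|ps1|dll|msi)(\?|$)', re.I)
INJECT_RE = re.compile(r"(<|>|'|--|\.\./|/etc/)")  # tune to your environment

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    if rec['method'] == 'CONNECT':  # CONNECT logs "host:port", not a URL
        host, _, port = rec['url'].rpartition(':')
        rec['host'], rec['port'], rec['path'] = host, int(port or 443), ''
    else:
        u = urlsplit(rec['url'])
        rec['host'] = u.hostname or ''
        rec['port'] = u.port or (443 if u.scheme == 'https' else 80)
        rec['path'] = unquote(u.path + ('?' + u.query if u.query else ''))  # decode %xx first
    return rec

def is_ip(host):
    try:
        ipaddress.ip_address(host.strip('[]'))
        return True
    except ValueError:
        return False

def hunt(lines, rate_threshold=50, window_s=60, error_threshold=5):
    """Run the checklist over log lines; returns (kind, client, detail) tuples."""
    recs = [r for r in map(parse, lines) if r]
    findings, per_client, clients_per_host = [], defaultdict(list), defaultdict(set)
    for r in recs:
        per_client[r['client']].append(r)
        clients_per_host[r['host']].add(r['client'])
        if r['method'] == 'CONNECT' and r['port'] != 443:
            findings.append(('connect_nonstd_port', r['client'], r['url']))
        if is_ip(r['host']):
            findings.append(('direct_ip', r['client'], r['url']))
        if TOOL_UA_RE.match(r['ua']) or r['ua'] == 'Mozilla/5.0':
            findings.append(('tool_user_agent', r['client'], r['ua']))
        if EXEC_EXT_RE.search(r['path']):
            findings.append(('executable_download', r['client'], r['url']))
        if INJECT_RE.search(r['path']):
            findings.append(('suspicious_url', r['client'], r['url']))
    for client, rs in per_client.items():
        errs = sum(1 for r in rs if r['status'] in (401, 403, 404))
        if errs >= error_threshold:
            findings.append(('error_burst', client, errs))
        times, lo = sorted(r['ts'] for r in rs), 0  # sliding window over request times
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= rate_threshold:
                findings.append(('high_rate', client, hi - lo + 1))
                break
    for host, clients in clients_per_host.items():
        if len(clients) == 1 and not is_ip(host):  # raw IPs were flagged above
            findings.append(('single_client_domain', next(iter(clients)), host))
    return findings

def summarize(findings):
    """Count findings per (kind, client) so the noisiest hosts can be triaged first."""
    return Counter((k, c) for k, c, _ in findings)

# Constructed sample log: three ordinary clients plus one noisy host (hypothetical data).
UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/133.0'
T0 = datetime(2024, 12, 14, 10, 0, 0, tzinfo=timezone.utc)

def mk(client, secs, method, url, status, ua=UA):
    ts = (T0 + timedelta(seconds=secs)).strftime('%d/%b/%Y:%H:%M:%S %z')
    return f'{client} - - [{ts}] "{method} {url} HTTP/1.1" {status} 512 "-" "{ua}" TCP_MISS:HIER_DIRECT'

def sample_lines():
    lines = []
    for i, c in enumerate(('10.0.0.5', '10.0.0.6', '10.0.0.7')):
        lines += [mk(c, 10 * i, 'GET', 'http://intranet.example.com/', 200),
                  mk(c, 10 * i + 1, 'CONNECT', 'www.example.com:443', 200)]
    bad = '10.0.0.99'
    lines += [mk(bad, 100, 'CONNECT', '203.0.113.10:8443', 200),
              mk(bad, 101, 'GET', 'http://203.0.113.10/update.exe', 200, 'python-requests/2.32.3'),
              mk(bad, 102, 'GET', 'http://intranet.example.com/search?q=%27%20or%201%3D1--', 200)]
    lines += [mk(bad, 110 + i, 'GET', 'http://intranet.example.com/admin/', 403) for i in range(6)]
    lines += [mk(bad, 200 + i, 'CONNECT', 'beacon.example.net:443', 200) for i in range(60)]
    return lines

if __name__ == '__main__':
    for kind, client, detail in hunt(sample_lines()):
        print(f'{kind:22} {client:12} {detail}')
```

Run it against a real file with `hunt(open('access.log'))` and raise the thresholds until the ordinary clients drop out; INJECT_RE in particular will match apostrophes in legitimate titles and needs tuning. The single-client-domain check is the noisiest on a large estate and works best after a baseline of domains seen over the previous weeks has been subtracted.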

Enjoy this post?

Buy Maher Adib a coffee