<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Squey - Lighting the unknown on Squey</title>
    <link>https://squey.org/</link>
    <description>Recent content in Squey - Lighting the unknown on Squey</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en</language>
    <copyright>Copyright © 2023-{year} All Rights Reserved.</copyright>
    <lastBuildDate>Tue, 25 Jun 2024 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://squey.org/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Visualize AWS VPC Flow Logs in Squey using Apache Parquet format</title>
      <link>https://squey.org/domains/cybersecurity/visualize-aws-vpc-flow-logs-in-squey-using-apache-parquet-format/</link>
      <pubDate>Tue, 25 Jun 2024 00:00:00 +0000</pubDate>
      <guid>https://squey.org/domains/cybersecurity/visualize-aws-vpc-flow-logs-in-squey-using-apache-parquet-format/</guid>
        <description><![CDATA[<p>Since version 5.0, Squey is able to import and export Apache Parquet files!</p>
<p><span style="font-size:3em;">«</span><br/>
<em>Apache Parquet is an open-source file format that stores data efficiently in columnar format, provides different encoding types, and supports predicate filtering. With good compression ratios and efficient encoding, VPC flow logs stored in Parquet <u>reduce your Amazon S3 storage costs</u>.</em><br/>
<span style="font-size:3em;">»</span> ― <a
  href="https://aws.amazon.com/blogs/big-data/optimize-performance-and-reduce-costs-for-network-analytics-with-vpc-flow-logs-in-apache-parquet-format/"
  
  target="_blank" rel="noopener noreferrer">AWS Blog</a></p>
<p>Let&rsquo;s take advantage of the fact that AWS VPC Flow Logs can be <a
  href="https://aws.amazon.com/blogs/big-data/optimize-performance-and-reduce-costs-for-network-analytics-with-vpc-flow-logs-in-apache-parquet-format/"
  
  target="_blank" rel="noopener noreferrer">natively stored</a> in Apache Parquet format to seamlessly visualize our network and understand traffic patterns, identify security issues, audit usage, and diagnose network connectivity.</p>
<p>In <code>AWS VPC console</code> select a VPC, click <code>Create flow log</code> and set the following parameters:</p>
<ol>
<li>Send to an Amazon S3 bucket</li>
<li>Custom format : standard attributes</li>
<li>Log file format : Parquet</li>
</ol>



<figure>
<img src="/domains/cybersecurity/visualize-aws-vpc-flow-logs-in-squey-using-apache-parquet-format/images/vpc_flow_logs_config.png" style="width: 1080.6666666666667px;">
</figure>
<p>Then you can open in Squey as many Parquet files as you want in one go, as show in the quick video below:</p>
<div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;">
      <iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/ulXzbdz4j_o?cc_load_policy=1?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe>
    </div>

<br/>
May your findings be insightful! :)
]]></description>
    </item>
    <item>
      <title>Detect an SSH login after social engineering</title>
      <link>https://squey.org/domains/cybersecurity/detect-an-ssh-login-after-social-engineering/</link>
      <pubDate>Tue, 21 Nov 2023 00:00:00 +0000</pubDate>
      <guid>https://squey.org/domains/cybersecurity/detect-an-ssh-login-after-social-engineering/</guid>
        <description><![CDATA[<p>In this article, we are addressing the <a
  href="https://www.linkedin.com/posts/tricaud_detect-ssh-login-after-social-engineering-activity-7110551857810268160-eNf8"
  
  target="_blank" rel="noopener noreferrer">challenge</a> presented by <a
  href="https://detecteam.com/blog/detect-an-ssh-login-after-social-engineering/"
  
  target="_blank" rel="noopener noreferrer">detecteam.com</a>.</p>
<p>“<em>We have published one year of ssh logins/logouts of a valid administrator; However the account has been compromised using social engineering similar to the MGM attack which led to a ransomware being deployed.</em>” ― Detecteam</p>
<p>So here is the <a
  href="https://detecteam.com/wp-content/uploads/2023/09/openssh.log_.zip"
  
  target="_blank" rel="noopener noreferrer">openssh.log_.zip</a> (<a
  href="openssh.log_.zip"
  
  >mirror</a>) dataset and its associated <a
  href="openssh.log_.zip.format"
  
  >openssh.log_.zip.format</a> parsing file.</p>
<p>It&rsquo;s looking like typical OpenSSH logs:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Sep 24 08:46:18 bidizidomo sshd[26168]: Accepted password for iworkinacasino from 173.194.42.31 port 63346 ssh2
</span></span><span class="line"><span class="cl">Sep 24 08:46:18 bidizidomo sshd[26168]: pam_unix(sshd:session): session opened for user iworkinacasino(uid=1169) by (uid=0)
</span></span><span class="line"><span class="cl">Sep 24 08:46:18 bidizidomo systemd-logind[515]: New session 8767 of user iworkinacasino.
</span></span><span class="line"><span class="cl">Sep 24 08:46:18 bidizidomo sshd[26168]: pam_env(sshd:session): deprecated reading of user environment enabled
</span></span><span class="line"><span class="cl">Sep 24 12:51:42 bidizidomo sshd[26971]: Received disconnect from 173.194.42.31 port 23568 disconnected by user
</span></span><span class="line"><span class="cl">Sep 24 12:51:42 bidizidomo sshd[26971]: Disconnected from user iworkinacasino 173.194.42.31 port 23568
</span></span><span class="line"><span class="cl">Sep 24 12:51:42 bidizidomo sshd[26971]: pam_unix(sshd:session): session closed for user iworkinacasino
</span></span><span class="line"><span class="cl">Sep 24 14:32:41 bidizidomo sshd[44186]: Accepted password for iworkinacasino from 173.194.42.109 port 26603 ssh2
</span></span><span class="line"><span class="cl">Sep 24 14:32:41 bidizidomo sshd[44186]: pam_unix(sshd:session): session opened for user iworkinacasino(uid=1169) by (uid=0)
</span></span><span class="line"><span class="cl">...
</span></span></code></pre></div><p>During the data ingest step, the dataset was enriched in several ways:</p>
<ol>
<li>Two columns were added by splitting the <code>datetime</code> column in two, to separate the <code>date</code> and the <code>time</code>.</li>
<li>The column <code>country</code> was computed thanks to the Python API by using the IPs for the lookup.</li>
<li>Columns not containing any relevant information were let aside (namely <code>user</code> and <code>service</code>) and rows that were not containing an IP address.</li>
</ol>
<p>Here is the resulting dataset (containing 2230 rows and 7 columns) loaded in Squey:</p>



<figure>
<img src="/domains/cybersecurity/detect-an-ssh-login-after-social-engineering/images/ssh_dataset.png" style="width: 1056.6666666666667px;">
</figure>
<p>Having a <code>time</code> axis whose values are wrapped around 24h (00:00:00 at the bottom of the axis to 23:59:59 at the top) is very handy to observe the repartition of the connections during the day.</p>
<p>So except for the 7 wrong passwords that were supplied during the connections and the 7 during the reconnections, the connection pattern is disturbingly consistent, as every single day of the year unfolds as follows:</p>
<ol>
<li>start of the day : first connection from the US between 07:00 and 09:00</li>
<li>lunch : deconnection and reconnection from the US between 10:56 and 14:58</li>
<li>end of the day : deconnection between 16:12 and 19:01</li>
</ol>
<p>But beyond this extreme conscistency, a particular network traffic visually stands out completely as the time and location of theses connections are totally contrasting:</p>



<figure>
<img src="/domains/cybersecurity/detect-an-ssh-login-after-social-engineering/images/suspicious_logins_parallel_coordinates.png" style="width: 1056.6666666666667px;">
</figure>



<figure>
<img src="/domains/cybersecurity/detect-an-ssh-login-after-social-engineering/images/suspicious_logins_listing.png" style="width: 1162.6666666666667px;">
</figure>
<p>Indeed, four SSH connections were issued with success <strong>from <a
  href="https://db-ip.com/101.194.69.72"
  
  target="_blank" rel="noopener noreferrer">China</a> on May 23rd between 01:08:12 and 04:32:20</strong> :</p>
<ol>
<li>at 01:18:12 (lasted 1m44s)</li>
<li>at 01:24:20 (lasted 52m12s)</li>
<li>at 02:33:28 (lasted 43m42s)</li>
<li>at 03:34:28 (lasted 57m52s)</li>
</ol>
<br/>
<p>Although this dataset is extremely simple, it perfectly illustrates the importance of visually presenting data in an optimal fashion to highlight suspicious behaviors.</p>
<h2 id="creating-the-parsing-file">Creating the parsing file</h2>
<p>For those interested in the way the parsing format file was created, here a quick step-by-step video tutorial.</p>
<div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;">
      <iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/VaNLwIHxBnY?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe>
    </div>

</br>
<p>Here are also the commands to install the required Python modules.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">flatpak run --command<span class="o">=</span>/app/bin/squey_sh org.squey.Squey
</span></span><span class="line"><span class="cl">pip3 install python-geoip-python3 python-geoip-geolite2
</span></span></code></pre></div><p>As they are used by the following embedded Python script.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="kn">from</span> <span class="nn">geoip</span> <span class="kn">import</span> <span class="n">geolite2</span>
</span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="kn">import</span> <span class="nn">numpy</span> <span class="k">as</span> <span class="nn">np</span>
</span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="k">def</span> <span class="nf">country</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span>
</span></span><span class="line"><span class="ln"> 4</span><span class="cl">    <span class="k">return</span> <span class="n">geolite2</span><span class="o">.</span><span class="n">lookup</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span><span class="o">.</span><span class="n">country</span>
</span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="n">source</span> <span class="o">=</span> <span class="n">squey</span><span class="o">.</span><span class="n">source</span><span class="p">(</span><span class="s2">&#34;openssh.log_.zip&#34;</span><span class="p">)</span>
</span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="n">ips_column</span> <span class="o">=</span> <span class="n">source</span><span class="o">.</span><span class="n">column</span><span class="p">(</span><span class="s2">&#34;IP&#34;</span><span class="p">)</span>
</span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="n">unique_ips</span> <span class="o">=</span> <span class="n">np</span><span class="o">.</span><span class="n">unique</span><span class="p">(</span><span class="n">ips_column</span><span class="p">)</span><span class="o">.</span><span class="n">tolist</span><span class="p">()</span>
</span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="n">unique_countries</span> <span class="o">=</span> <span class="n">np</span><span class="o">.</span><span class="n">array</span><span class="p">(</span><span class="nb">list</span><span class="p">(</span><span class="nb">map</span><span class="p">(</span><span class="n">country</span><span class="p">,</span> <span class="n">unique_ips</span><span class="p">)))</span>
</span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="n">countries</span> <span class="o">=</span> <span class="n">np</span><span class="o">.</span><span class="n">array</span><span class="p">([</span><span class="n">unique_countries</span><span class="p">[</span><span class="n">unique_ips</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="n">ip</span><span class="p">)]</span> <span class="k">for</span> <span class="n">ip</span> <span class="ow">in</span> <span class="n">ips_column</span><span class="p">])</span>
</span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="n">source</span><span class="o">.</span><span class="n">insert_column</span><span class="p">(</span><span class="n">countries</span><span class="p">,</span> <span class="s2">&#34;country&#34;</span><span class="p">)</span>
</span></span></code></pre></div>]]></description>
    </item>
    <item>
      <title>Phishing attack detection in proxy logs</title>
      <link>https://squey.org/domains/cybersecurity/phishing-attack-detection-in-proxy-logs/</link>
      <pubDate>Fri, 22 Sep 2023 00:00:00 +0000</pubDate>
      <guid>https://squey.org/domains/cybersecurity/phishing-attack-detection-in-proxy-logs/</guid>
        <description><![CDATA[<p>Here is a video of the detection of a successful phishing attack contained in a 10 million rows anonymized proxy logs.</p>
<div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;">
      <iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/EGdJM9DsLtw?cc_load_policy=1?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe>
    </div>

]]></description>
    </item>
    <item>
      <title>Filter PCAPs using complex criteria</title>
      <link>https://squey.org/domains/cybersecurity/filter-pcaps-using-complex-criteria/</link>
      <pubDate>Mon, 14 Aug 2023 00:00:00 +0000</pubDate>
      <guid>https://squey.org/domains/cybersecurity/filter-pcaps-using-complex-criteria/</guid>
        <description><![CDATA[<p>You&rsquo;re not sure what data your packet capture is really containing and it is too big to be opened with Wireshark or other tools? Visualize it using Squey, isolate packets or sessions worth of interest with arbitrary complexe criteria and then export it to smaller PCAP file(s).</p>
<p>As an example, we will load the complete <a
  href="https://www.netresec.com/?page=MACCDC"
  
  target="_blank" rel="noopener noreferrer">MACCDC 2012 PCAP dataset</a> composed of 17 files (~17GB) and export <em>HTTP communications between IPs 192.168.203.63 and 192.168.229.101 on port 80.</em></p>
<h2 id="loading-packet-captures">Loading packet captures</h2>
<p>Click on the <code>Pcap...</code> button under the <code>SOURCES</code> section of the start page and click on the <code>Manage profiles</code> button.</p>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/load_pcaps_button.png" style="width: 970.6666666666666px;">
</figure>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/manage_profiles_button.png" style="width: 798px;">
</figure>
<p>First, let choose the packet fields we would like to use to make our filtering. Almost all fields supported by Wireshark are available, but keep in mind that the more fields you choose, the slower the packet captures will be loading and the bigger the space in RAM will also be.</p>
<p>Click on <code>New profile</code>, enter the profile name of your choice and click <code>Ok</code>.</p>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/new_profile.png" style="width: 214.66666666666666px;">
</figure>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/new_profile_dialog.png" style="width: 196.66666666666666px;">
</figure>
<p>Then click <code>Select</code> and browse one of the PCAP of the dataset.</p>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/select_pcap.png" style="width: 490px;">
</figure>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/extracting_protocols.png" style="width: 490px;">
</figure>
<p>For this exemple we chose the following fields:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">frame.time, eth.dst, eth.src, ip.dst, ip.src, tcp.srcport, tcp.dstport
</span></span></code></pre></div>

    


<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/manage_profiles_dialog.png" style="width: 1357px;">
</figure>
<p>And we also checked the <code>Protocol</code> field in the <code>Options</code> tab.</p>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/profile_options.png" style="width: 816px;">
</figure>
<p>Save your profile and load the packets capture using the newly created profile.</p>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/load_pcaps.png" style="width: 486.6666666666667px;">
</figure>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/extract.png" style="width: 472px;">
</figure>
<p>The packet captures should now be displayed using <a
  href="https://doc.squey.org/content/global_pc_view/content.html"
  
  target="_blank" rel="noopener noreferrer">parallel coordinates</a> with the fields you selected as columns.</p>


    


<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/dataset_loaded.png" style="width: 1456px;">
</figure>
<h2 id="isolating-packets">Isolating packets</h2>
<p>In order to isolate this communication, we will successively apply 4 stages of filtering:</p>
<ol>
<li>Filtering packets using HTTP protocol</li>
<li>Filtering packets <strong>to</strong> IPs 192.168.229.101 and 192.168.203.63</li>
<li>Filtering packets <strong>from</strong> IPs 192.168.229.101 and 192.168.203.63</li>
<li>Filtering packets on destination port 80</li>
</ol>
<ol>
<li>Right-click on the <code>_ws.col.Protocol</code> column header, select <code>Distinct values</code>, click on <code>HTTP</code> and close the dialog.</li>
</ol>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/protocols_distinct_values_menu.png" style="width: 296px;">
</figure>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/protocols_distinct_values.png" style="width: 506px;">
</figure>
<ol start="2">
<li>Right-click on any value of the <code>ip.dst</code> column, select <code>Search for...</code> paste the two IPs addresses located below and click <code>Apply</code>.</li>
</ol>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/search_for_menu.png" style="width: 302.6666666666667px;">
</figure>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">192.168.229.101
</span></span><span class="line"><span class="cl">192.168.203.63
</span></span></code></pre></div>


<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/search_for_dialog.png" style="width: 526.6666666666666px;">
</figure>
<ol start="3">
<li>
<p>Repeat the same filtering operation on the <code>ip.src</code> column.</p>
</li>
<li>
<p>Right-click on the <code>tcp.dstport</code> column header, select <code>Distinct values</code>, click on <code>80</code> and close the dialog.</p>
</li>
</ol>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/dstport_distinct_values_menu.png" style="width: 310px;">
</figure>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/dstport_distinct_values.png" style="width: 506.6666666666667px;">
</figure>
<h2 id="exporting-isolated-packets">Exporting isolated packets</h2>
<p>Now that the communication is properly isolated, time to export it back as a PCAP file.</p>


    


<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/isolated_communication.png" style="width: 1455px;">
</figure>
<p>Click <code>File</code> &gt; <code>Export</code> &gt; <code>Selection...</code> and save the PCAP wherever you want.</p>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/export_selection_menu.png" style="width: 316.6666666666667px;">
</figure>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/export_isolated_communication.png" style="width: 600px;">
</figure>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/selection_export.png" style="width: 198px;">
</figure>
<p>The application has just filtered the packets contained in the original PCAP files. <br>
The default option <code>Export complete TCP steams</code> will also export the entire session a packet belongs to.</p>
<p>You can now open the exported PCAP with Wireshark or your favorite tools.</p>


    


<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/dataset_export_loaded_into_wireshark.png" style="width: 1001px;">
</figure>
<h2 id="saving-the-investigation-for-faster-reloads">Saving the investigation for faster reloads</h2>
<p>If you want to avoid the loading time of the packet captures, saving it as an investigation will let you reload it very quickly (in less than 6 seconds on an <a
  href="https://ark.intel.com/content/www/us/en/ark/products/132228/intel-core-i712700h-processor-24m-cache-up-to-4-70-ghz.html"
  
  target="_blank" rel="noopener noreferrer">Intel® Core™ i7-12700H Processor</a> using ~3.6GB of data on disk).</p>
<p>Click <code>File</code> &gt; <code>Investigation</code> &gt; <code>Save investigation</code> (or Ctrl+S) and select the folder you want to save your investigation to. <br>
Note that the actual data of the investigation will still be located in the application temporary directory.</p>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/save_investigation_menu.png" style="width: 434px;">
</figure>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/saved_investigation.png" style="width: 662.6666666666666px;">
</figure>
<p>The investigation will then appear under the <code>INVESTIGATIONS</code> section of the start page as a clickable link.</p>
<h2 id="deleting-the-investigation-to-free-up-disk-space">Deleting the investigation to free up disk space</h2>
<p>Tick the investigation checkbox, click <code>Delete</code> and chose <code>Delete investigation</code>.</p>



<figure>
<img src="/domains/cybersecurity/filter-pcaps-using-complex-criteria/images/delete_investigation.png" style="width: 664.6666666666666px;">
</figure>
<p>Disk space will automatically be reclaimed during application next loading.</p>
]]></description>
    </item>
    <item>
      <title>PentesterAcademy MACCDC 2012 DNS Challenge</title>
      <link>https://squey.org/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/</link>
      <pubDate>Fri, 11 Aug 2023 00:00:00 +0000</pubDate>
      <guid>https://squey.org/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/</guid>
        <description><![CDATA[<p>Following a really small and easy challenge published on <a
  href="https://blog.pentesteracademy.com/elk-log-analysis-dns-logs-875f669c87fd"
  
  target="_blank" rel="noopener noreferrer">PentesterAcademy</a> blog focused on the <a
  href="http://www.secrepo.com/maccdc2012/dns.log.gz"
  
  target="_blank" rel="noopener noreferrer">MACCDC 2012 DNS dataset</a> analysed with ELK, we thought it could be an great exercice to guide you solving it using Squey.</p>
<h2 id="loading-the-dataset">Loading the dataset</h2>
<p>Click on the <code>Local files...</code> button located on the <code>SOURCES</code> section of the start page and browse the compressed dataset.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/import_data_button.png" style="width: 150px;">
</figure>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/browse_compressed_dataset.png" style="width: 492px;">
</figure>
<p>The file format and column types will be automatically detected, so just click <code>Yes</code> and <code>Save</code>.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/autodetected_format.png" style="width: 496.6666666666667px;">
</figure>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/no_header_found.png" style="width: 498.6666666666667px;">
</figure>
<p>Unfortunately the dataset isn&rsquo;t containing a header with column names but don&rsquo;t worry, we got them from <a
  href="https://www.secrepo.com/Datasets%20Description/Network/dns.html"
  
  target="_blank" rel="noopener noreferrer">the dataset description</a>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto port query qclass qclass_name qtype qtype_name rcode rcode_name QR AA TC RD Z answers TTLs rejected
</span></span></code></pre></div><p>Choose <code>Yes</code>, paste the column names provided above, click <code>Ok</code>, then click <code>Save</code>.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/prompt_column_names.png" style="width: 226px;">
</figure>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/save_format.png" style="width: 270.6666666666667px;">
</figure>
<p>We now have the dataset loaded with the proper column names.</p>


    


<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/dataset_loaded.png" style="width: 1461px;">
</figure>
<h2 id="q1-provide-the-name-of-the-most-queried-domain">Q1. Provide the name of the most queried domain.</h2>
<p>Right click on the <code>query</code> column header and select <code>Distinct values</code>.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q1_distinct_values_menu.png" style="width: 312px;">
</figure>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q1_distinct_values.png" style="width: 578.6666666666666px;">
</figure>

  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p><strong>Answer:</strong> teredo.ipv6.microsoft.com (with 39,273 requests representing 9.2% of all requests)</p>
  </blockquote>
<h2 id="q2-what-was-the-ip-address-of-the-machine-which-issued-a-maximum-number-of-requests-having-empty-dns-queries">Q2. What was the IP address of the machine which issued a maximum number of requests having empty DNS queries?</h2>
<p><strong>Select all events</strong> by clicking <code>Selection</code> menu and selecting <code>select all events</code> (or just press the <code>a</code> key).</p>
<p><strong>Filter requests with empty DNS queries</strong> by right clicking on any value of the <code>query</code> column, select <code>Search for...</code>, paste the <code>(empty)</code> string and click <code>Apply</code>.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q2_search_for.png" style="width: 324px;">
</figure>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q2_filter_empty_values.png" style="width: 528px;">
</figure>
<p>The dataset instantly got filtered and only empty DNS queries are now displayed.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q2_empty_queries_selected.png" style="width: 917.3333333333334px;">
</figure>
<p><strong>Show IP repartition</strong> by right-clicking on the <code>id.orig_h</code> column header and selecting <code>Distinct values</code>.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q2_distinct_values.png" style="width: 506px;">
</figure>

  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p><strong>Answer:</strong> 192.168.202.78 (with 860 empty DNS queries representing 31.2% of all empty DNS queries)</p>
  </blockquote>
<h2 id="q3-what-was-the-ip-address-of-the-machine-that-received-a-maximum-number-of-nxdomain-responses">Q3. What was the IP address of the machine that received a maximum number of NXDOMAIN responses?</h2>
<p><strong>Select all events</strong>.</p>
<p><strong>Filter NXDOMAIN requests</strong> by selecting <code>NXDOMAIN</code> in the <code>Distinct values</code> dialog of the column <code>rcode_name</code>.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q3_distinct_values_rcode_name.png" style="width: 506px;">
</figure>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q3_nxdomain_selected.png" style="width: 916px;">
</figure>
<p><strong>Show IP repartition</strong> by displaying the <code>Distinct values</code> dialog of the <code>id.orig_h</code> column.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q3_distinct_values_ip.png" style="width: 506.6666666666667px;">
</figure>

  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p><strong>Answer:</strong> 192.168.202.103 (which received 7,471 NXDOMAIN responses, representing 14.8% of all NXDOMAIN responses)</p>
  </blockquote>
<h2 id="q4-for-one-of-the-hosts-receiving-nxdomain-errors-could-you-figure-out-some-anomalous-behavior-if-yes-then-describe-the-behavior">Q4. For one of the hosts receiving NXDOMAIN errors, could you figure out some anomalous behavior? If yes, then describe the behavior.</h2>
<p>As requests returning <code>NXDOMAIN</code> responses are still selected by previous question, we can directly <strong>show the repartition of target IPs and queries</strong> by displaying the <code>Distinct values</code> dialogs of both <code>id.resp_h</code> and <code>query</code> columns.</p>
<p>First, we can observe that the target IP <code>192.168.207.4</code> is generating 99.8% of all the <code>NXDOMAIN</code> responses (but it is also handling 62.3% of the total DNS requests).</p>
<p>Selecting the target IPs one after another will conveniently filter the distinct values of the query dialog so that you can easily see which domains are being considereded to be non-existant by the target IP.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q4_target_ip1.png" style="width: 1014px;">
</figure>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q4_target_ip2.png" style="width: 1014px;">
</figure>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q4_target_ip3.png" style="width: 1014px;">
</figure>
<p>We can also filter all these 9 target IPs returning NXDOMAIN from the global dataset and observe their respective repartition of NXDOMAIN responses.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q4_target_ip1_nxdomain_repartition.png" style="width: 1012.6666666666666px;">
</figure>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q4_target_ip2_nxdomain_repartition.png" style="width: 1012.6666666666666px;">
</figure>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q4_target_ip3_nxdomain_repartition.png" style="width: 1012.6666666666666px;">
</figure>

  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p><strong>Answer:</strong> Some target IPs are wrongly returning NXDOMAIN for existing domains. Target IP <code>192.168.207.4</code> is returning NXDOMAIN for 18.9% of its responses.</p>
  </blockquote>
<h2 id="q5-what-was-the-ip-address-of-the-machine-that-sent-the-most-dns-requests">Q5. What was the IP address of the machine that sent the most DNS requests?</h2>
<p><strong>Select all events</strong>.</p>
<p><strong>Show IP repartition</strong> by displaying the <code>Distinct values</code> dialog of the <code>id.orig_h</code> column.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q5_distinct_values.png" style="width: 508px;">
</figure>

  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p><strong>Answer:</strong> 10.10.117.210 (which sent 75,943 DNS requests representing 17.7% of all DNS requests)</p>
  </blockquote>
<h2 id="q6-what-was-the-ip-address-of-the-machine-that-sent-the-most-reverse-dns-resolution-requests">Q6. What was the IP address of the machine that sent the most reverse DNS resolution requests?</h2>
<p><strong>Select all events</strong>.</p>
<p><strong>Filter reverse DNS resolution requests</strong> by entering the following regular expression in the search dialog of the column <code>query</code></p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">.*in-addr.arpa$
</span></span></code></pre></div>


<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q6_filter_reverse_dns_requests.png" style="width: 526.6666666666666px;">
</figure>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q6_filtered_reverse_dns_requests.png" style="width: 916.6666666666666px;">
</figure>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q6_distinct_values.png" style="width: 508px;">
</figure>

  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p><strong>Answer:</strong> 192.168.202.83 (which sent 7,283 reverse DNS requests representing 13.8% of all reverse DNS requests)</p>
  </blockquote>
<h2 id="q7-how-many-dns-zone-transfer-queries-were-issued-on-the-network">Q7. How many DNS zone transfer queries were issued on the network?</h2>
<p><strong>Select all events</strong>.</p>
<p><strong>Show query type repartition</strong> by displaying the <code>Distinct values</code> dialog of the <code>id.orig_h</code> column.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q7_distinct_values.png" style="width: 508px;">
</figure>

  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p><strong>Answer:</strong> 440 (which represent ~0.1% all of DNS requests)</p>
  </blockquote>
<h2 id="q8-one-of-the-dns-requests-querying-for-a-sub-domain-of-applecom-returned-a-txt-record-which-contained-a-suspicious-looking-answer-identify-the-connection-id-of-that-request">Q8. One of the DNS requests querying for a sub-domain of apple.com returned a TXT record which contained a suspicious-looking answer. Identify the connection ID of that request.</h2>
<p><strong>Select all events</strong>.</p>
<p><strong>Filter DNS requests from apple.com subdomains</strong> by entering the following text in the search dialog of the column <code>query</code></p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">.apple.com
</span></span></code></pre></div>


<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q8_filter_apple_subdomains.png" style="width: 528px;">
</figure>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q8_filtered_apple_subdomains.png" style="width: 916.6666666666666px;">
</figure>
<p><strong>Show DNS requests answers</strong> by displaying the <code>Distinct values</code> dialog of the <code>answer</code> column.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q8_distinct_values.png" style="width: 506px;">
</figure>
<p><strong>Isolate the suspicious-looking answer</strong> by clicking on it.</p>



<figure>
<img src="/domains/cybersecurity/pentesteracademy-maccdc-2012-dns-challenge/images/q8_uid.png" style="width: 916px;">
</figure>
<p>The column <code>uid</code> is displaying the connection ID of the request.</p>

  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p><strong>Answer:</strong> CmjiklOm3bnHgctw</p>
  </blockquote>
]]></description>
    </item>
    <item>
      <title>DFIR MONTEREY 2015 Network Forensics Challenge</title>
      <link>https://squey.org/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/</link>
      <pubDate>Mon, 07 Aug 2023 00:00:00 +0000</pubDate>
      <guid>https://squey.org/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/</guid>
        <description><![CDATA[<p>This article aims at solving the PCAP related questions from the <a
  href="https://lewestech.com/2015/02/2015-network-challenge-results/"
  
  target="_blank" rel="noopener noreferrer">DFIR MONTEREY 2015 Network Forensics Challenge</a> using Squey. <br>
Of course the idea here is not to really solve the challenge as it has been solved <a
  href="https://www.google.com/search?q=ULQENP2"
  
  target="_blank" rel="noopener noreferrer">numerous times</a> since then, but to see how easier it is to solve it using Squey.</p>
<p>The dataset <a
  href="https://for572.com/2014-11nfchallengeevidence"
  
  target="_blank" rel="noopener noreferrer">2014-11+DFIR+Network+Forensics+Challenge.zip</a> was taken from the <a
  href="https://www.netresec.com/?page=PcapFiles"
  
  target="_blank" rel="noopener noreferrer">Netresec PCAP page</a>.</p>
<p>Note: questions 1 and 4 were not solved because they didn&rsquo;t involve any PCAP data.</p>
<h2 id="2-what-ip-addresses-were-used-by-the-system-claiming-the-mac-address-001ff35a779b">2. What IP addresses were used by the system claiming the MAC Address 00:1f:f3:5a:77:9b?</h2>
<p>Click on the <code>PCAP</code> button of the start page, select the provided <code>HTTP</code> profile, browse the <code>nitroba.pcap</code> file and then click <code>Process</code>.</p>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/load_pcaps_button.png" style="width: 970.6666666666666px;">
</figure>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/loading_nitroba_pcap_with_http_profil.png" style="width: 594.6666666666666px;">
</figure>
<p>You should now see the selected fields of the PCAP represented as <a
  href="https://doc.squey.org/content/global_pc_view/content.html"
  
  target="_blank" rel="noopener noreferrer">Parallel Coordinates</a>:</p>


    


<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/nitroba_pcap.png" style="width: 1462px;">
</figure>
<p>On the listing view located on the bottom of the window, right-click on any value of the <code>eth.src</code> column, select <code>Search for...</code>, paste the MAC address <code>00:1f:f3:5a:77:9b</code> in the <code>Expressions</code> text field, select <code>Case sensitivity: Does not match case</code> and click <code>Apply</code>.</p>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/search_for_mac_address_menu.png" style="width: 320.6666666666667px;">
</figure>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/search_for_mac_address_dialog.png" style="width: 526.6666666666666px;">
</figure>
<p>This will instantly filter the packets to display only <code>eth.src == 00:1f:f3:5a:77:9b</code> :</p>


    


<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/nitroba_pcap_eth_src_selected.png" style="width: 1460px;">
</figure>
<p>You can then right-click on the <code>src.ip</code> column header and select <code>Distinct values</code> to display the distinct values with their associated count/frequency:</p>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/nitroba_src_ip_distinct_values_menu.png" style="width: 322.6666666666667px;">
</figure>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/nitroba_src_ip.png" style="width: 506px;">
</figure>

  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p><strong>Answer:</strong> 169.254.90.183, 192.168.1.64 and 169.254.20.167</p>
  </blockquote>
<h2 id="3-what-ip-source-and-destination-and-tcp-ports-source-and-destination-are-used-to-transfer-the-scenery-backgrounds-600-1el6noarchrpm-file">3. What IP (source and destination) and TCP ports (source and destination) are used to transfer the “scenery-backgrounds-6.0.0-1.el6.noarch.rpm” file?</h2>
<p>Before loading this PCAP file, you will need to create a PCAP profile to select which fields to import in the application.
On the PCAP dialog, select <code>Manage profiles</code>, click on <code>New profile</code>, enter something meaningful like <code>FTP</code>, browse the <code>ftp-example.pcap</code> file to analyse the protocols it contains and select all the fields you are interested in like :</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="ln">1</span><span class="cl">eth.dst,eth.src,ip.dst,ip.src,tcp.srcport,tcp.dstport,ftp.request.arg,ftp.response.code,ftp.passive.ip,ftp.passive.port
</span></span></code></pre></div><p>Save the profile and open the <code>ftp-example.pcap</code> file with the <code>FTP</code> profile selected.</p>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/ftp_pcap.png" style="width: 922.6666666666666px;">
</figure>
<p>Right-click on the <code>ftp.request.arg</code> column header, select <code>Distinct values</code> and click on the <code>scenery-backgrounds-6.0.0-1.el6.noarch.rpm</code> file.</p>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/ftp_distinct_request_arg.png" style="width: 506.6666666666667px;">
</figure>
<p>This will display the only packet containing <code>scenery-backgrounds-6.0.0-1.el6.noarch.rpm</code> as its <code>ftp.request.arg</code> field. <br>
Right-click on the row index and select <code>Copy line index to clipboard</code>.</p>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/ftp_copy_line_number.png" style="width: 1096px;">
</figure>
<p>Press the <code>g</code> key and paste the value <code>34956</code> corresponding to our packet.</p>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/ftp_goto_line.png" style="width: 198px;">
</figure>
<p>Scroll-back a few rows until you see on the <code>ftp.response.code</code> column the value <code>227</code> which corresponds to &ldquo;Entering Passive Mode&rdquo;. <br>
We can then observe that the destination IP and port are <span style="text-decoration:underline; text-decoration-color:red">149.20.20.135:30472</span>.</p>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/ftp_response_code_207.png" style="width: 1536px;">
</figure>
<p>Right-click on the <code>ip.src</code> value of the packet containing the file and select <code>Search for this value</code>, this will only keep packets with this IP as source.</p>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/ftp_filter_src_ip_menu.png" style="width: 334.6666666666667px;">
</figure>
<p>Then right-click on the <code>tcp.dstport</code> value <code>30472</code> and select <code>Search for the value</code> to add another level of filtering which will keep only packets having our previously selected IP as source <strong>and</strong> <code>30472</code> as TCP destination port.</p>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/ftp_filter_dst_port_menu.png" style="width: 602.6666666666666px;">
</figure>
<p>We can observe that the source IP and port are <span style="text-decoration:underline; text-decoration-color:red">192.168.75.29:51851</span>.</p>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/ftp_dst_port_filtered.png" style="width: 1540px;">
</figure>

  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p><strong>Answer:</strong> 149.20.20.135:30472 and 192.168.75.29:51851</p>
  </blockquote>
<h2 id="5-what-is-the-byte-size-for-the-file-named-researched-sub-atomic-particlesxlsx">5. What is the byte size for the file named “Researched Sub-Atomic Particles.xlsx”?</h2>
<p>Create a <code>SMB</code> PCAP profile containing the following fields:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="ln">1</span><span class="cl">eth.dst,eth.src,ip.dst,ip.src,tcp.srcport,tcp.dstport,smb.file,smb.end_of_file
</span></span></code></pre></div><p>Then import the <code>stark-20120403-full-smb_smb2.pcap</code> file using the newly created <code>SMB</code> profile.</p>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/smb_dataset.png" style="width: 1004.6666666666666px;">
</figure>
<p>Filter the packets containing the text <code>Researched Sub-Atomic Particles.xlsx</code> in their <code>smb.file</code> field:</p>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/smb_search_for_dialog.png" style="width: 524.6666666666666px;">
</figure>
<p>Then display the <code>Distinct values</code> of the column <code>smb.end_of_file</code></p>



<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/smb_distinct_end_of_file.png" style="width: 506px;">
</figure>

  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p><strong>Answer:</strong> 13,625 bytes</p>
  </blockquote>
<h2 id="malware-beaconing">6. The traffic in this Snort IDS pcap log contains traffic that is suspected to be a malware beaconing. Identify the substring and offset for a common substring that would support a unique Indicator Of Compromise for this activity.</h2>
<p>Create a custom PCAP profile containing the following fields:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="ln">1</span><span class="cl">frame.time,eth.dst,eth.src,ip.dst,ip.src,tcp.srcport,tcp.dstport,data.data
</span></span></code></pre></div><p>Then import the <code>snort.log.1340504390.pcap</code> file using the newly created profile.</p>


    


<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/snort_pcap.png" style="width: 692px;">
</figure>
<p>Displaying the <code>Distinct values</code> of the <code>data.data</code> column and scrolling through the values seems to indicate that some of the data remains constant.</p>


    


<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/snort_data_distinct_values.png" style="width: 435px;">
</figure>
<p>But scrolling the 14,228 distinct values to check if this patterns applies to all of them would make our eyes bleed for sure. <br>
Wouldn&rsquo;t it be nice if we could instead visualize the integrality of the data content and <strong>prove</strong> it ?</p>
<p>Alright, let&rsquo;s do that by splitting the <code>data.data</code> field into the smallest addressable memory units: bytes. <br>
A few lines of Python code will be plenty enough to do that:</p>


    


<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/snort_python1.png" style="width: 441px;">
</figure>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="ln">1</span><span class="cl"><span class="n">source</span> <span class="o">=</span> <span class="n">squey</span><span class="o">.</span><span class="n">source</span><span class="p">(</span><span class="s2">&#34;snort.log.1340504390.pcap&#34;</span><span class="p">)</span>
</span></span><span class="line"><span class="ln">2</span><span class="cl"><span class="n">data</span> <span class="o">=</span> <span class="n">source</span><span class="o">.</span><span class="n">column</span><span class="p">(</span><span class="s2">&#34;data.data&#34;</span><span class="p">)</span>
</span></span><span class="line"><span class="ln">3</span><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span><span class="o">/</span><span class="mi">2</span><span class="p">)):</span>
</span></span><span class="line"><span class="ln">4</span><span class="cl">    <span class="n">b</span><span class="o">=</span><span class="n">data</span><span class="o">.</span><span class="n">view</span><span class="p">(</span><span class="s1">&#39;&lt;U2&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">reshape</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">shape</span> <span class="o">+</span> <span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">,))[:,</span> <span class="n">i</span><span class="p">]</span>
</span></span><span class="line"><span class="ln">5</span><span class="cl">    <span class="n">source</span><span class="o">.</span><span class="n">insert_column</span><span class="p">(</span><span class="n">b</span><span class="o">.</span><span class="n">copy</span><span class="p">(),</span> <span class="sa">f</span><span class="s2">&#34;data_byte_</span><span class="si">{</span><span class="n">i</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span>
</span></span><span class="line"><span class="ln">6</span><span class="cl"><span class="nb">str</span><span class="o">=</span><span class="nb">bytes</span><span class="o">.</span><span class="n">fromhex</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="mi">8</span><span class="p">:</span><span class="mi">22</span><span class="p">])</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s2">&#34;ASCII&#34;</span><span class="p">)</span>
</span></span><span class="line"><span class="ln">7</span><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;data[4:10]=</span><span class="si">{</span><span class="nb">str</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span>
</span></span></code></pre></div><p>Now, it is crystal clear that along <strong>all</strong> the packets of the dataset, bytes 4 to 10 of the <code>data.data</code> field are always constant:</p>


    


<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/malware_beaconing.png" style="width: 1455px;">
</figure>

  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p><strong>Answer:</strong> bytes 4 to 10 (zero based), which represent the string &ldquo;ULQENP2&rdquo; in ASCII.</p>
  </blockquote>
<h2 id="7-bonus-identify-the-meaning-of-the-bytes-that-precede-the-substring-above">7. BONUS! Identify the meaning of the bytes that precede the substring above.</h2>
<p>There are 4 bytes preceding the static &ldquo;ULQENP2&rdquo; string: let&rsquo;s extract these as a new  uint32 integer column using the following Python code:</p>


    


<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/snort_python2.png" style="width: 501px;">
</figure>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="ln">1</span><span class="cl"><span class="kn">import</span> <span class="nn">numpy</span> <span class="k">as</span> <span class="nn">np</span>
</span></span><span class="line"><span class="ln">2</span><span class="cl"><span class="n">source</span> <span class="o">=</span> <span class="n">squey</span><span class="o">.</span><span class="n">source</span><span class="p">(</span><span class="s2">&#34;snort.log.1340504390.pcap&#34;</span><span class="p">)</span>
</span></span><span class="line"><span class="ln">3</span><span class="cl"><span class="n">data</span> <span class="o">=</span> <span class="n">source</span><span class="o">.</span><span class="n">column</span><span class="p">(</span><span class="s2">&#34;data.data&#34;</span><span class="p">)</span>
</span></span><span class="line"><span class="ln">4</span><span class="cl"><span class="n">b</span><span class="o">=</span><span class="n">data</span><span class="o">.</span><span class="n">view</span><span class="p">(</span><span class="s1">&#39;&lt;U8&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">reshape</span><span class="p">(</span><span class="n">data</span><span class="o">.</span><span class="n">shape</span> <span class="o">+</span> <span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">,))[:,</span> <span class="mi">0</span><span class="p">]</span>
</span></span><span class="line"><span class="ln">5</span><span class="cl"><span class="n">b_int</span><span class="o">=</span><span class="n">np</span><span class="o">.</span><span class="n">vectorize</span><span class="p">(</span><span class="k">lambda</span> <span class="n">t</span><span class="p">:</span> <span class="nb">int</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span> <span class="k">if</span> <span class="n">t</span> <span class="k">else</span> <span class="mi">0</span><span class="p">)(</span><span class="n">b</span><span class="p">)</span>
</span></span><span class="line"><span class="ln">6</span><span class="cl"><span class="n">source</span><span class="o">.</span><span class="n">insert_column</span><span class="p">(</span><span class="n">b_int</span><span class="o">.</span><span class="n">copy</span><span class="p">(),</span> <span class="s2">&#34;data_first_4_bytes_as_uint32&#34;</span><span class="p">)</span>
</span></span></code></pre></div><p>Now, let&rsquo;s check if we can observe an evolution of this data through time by using a <a
  href="https://doc.squey.org/content/scatter_plot_view/content.html"
  
  target="_blank" rel="noopener noreferrer">scatter plot</a>.</p>


    


<figure>
<img src="/domains/cybersecurity/dfir-monterey-2015-network-forensics-challenge/images/4_first_bytes_is_time.png" style="width: 599px;">
</figure>
<p>Wait, it is not <em>evolving</em> through time, it <strong>is</strong> time.</p>

  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p><strong>Answer:</strong> A UNIX timesteamp.</p>
  </blockquote>
]]></description>
    </item>
    <item>
      <title>Bluecoat Proxy Big Analysis</title>
      <link>https://squey.org/domains/cybersecurity/bluecoat-proxy-big-analysis/</link>
      <pubDate>Sat, 29 Jul 2023 00:00:00 +0000</pubDate>
      <guid>https://squey.org/domains/cybersecurity/bluecoat-proxy-big-analysis/</guid>
        <description><![CDATA[<p>This article is a step-by-step tutorial aiming at loading and analyzing the <a
  href="http://log-sharing.dreamhosters.com/bluecoat_proxy_big.zip"
  
  target="_blank" rel="noopener noreferrer">bluecoat_proxy_big.zip</a> dataset from <a
  href="https://log-sharing.dreamhosters.com/"
  
  target="_blank" rel="noopener noreferrer">Public Security Log Sharing</a> in Squey.</p>
<p>The first section is devoted the creation of a parsing file that will allow us to load the dataset. Should you be in a hurry, you can skip straight to the <a
  href="/domains/cybersecurity/bluecoat-proxy-big-analysis/#loading-dataset"
  
  >analysis</a> as the file is provided below.</p>
<h2 id="parsing-file-creation">Parsing file creation</h2>
<p>Before being able to load the dataset into the application, a parsing file (called <code>format</code>) should be created using the <a
  href="https://doc.squey.org/content/format_builder/content.html"
  
  target="_blank" rel="noopener noreferrer">Format Builder</a> tool.</p>
<p>Click on the <code>Create a new format...</code> button located on the start page and then on the <code>Splitters</code> &gt; <code>add RegExp Splitter</code> menus.</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/create_new_format.png" style="width: 414px;">
</figure>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/create_regexp_splitter.png" style="width: 302px;">
</figure>
<p>Enter the following regular expression into the <code>Expression</code> text field:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) &#34;?(-|[^&#34;]*)&#34;? (\S+) (\S+) &#34;?(-|[^&#34;]*)&#34;? (\S+) (\S+)[ ]?&#34;?(-|[^&#34;]*)&#34;?[ ]?(\S+)?[ ]?&#34;?(-|[^&#34;]*)?&#34;?
</span></span></code></pre></div>


<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/edit_regexp.png" style="width: 832px;">
</figure>
<p>Then click on the <code>Set axes name</code> toolbar button and copy/paste the following columns name in the text dialog:</p>

  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p>date-time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-path cs-uri-query cs-username s-hierarchy s-supplier-name rs(Content-Type) cs(User-Agent) sc-filter-result sc-filter-category x-virus-id s-ip s-sitename x-virus-details x-icap-error-code x-icap-error-details</p>
  </blockquote>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/edit_axes_name_button.png" style="width: 306px;">
</figure>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/edit_axes_name_dialog.png" style="width: 200px;">
</figure>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/format_with_axes_name.png" style="width: 419.3333333333333px;">
</figure>
<p>Note:  thoses were extracted from the log file using the following command:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sed -n <span class="s1">&#39;4p&#39;</span> Demo_log_001.log <span class="p">|</span> cut -d<span class="s2">&#34; &#34;</span> -f2- <span class="p">|</span> sed <span class="s1">&#39;s/ /-/&#39;</span>
</span></span></code></pre></div><p>Loading a file of the dataset will now help you confirm that the data is appropriately parsed but will also automatically detect the types of the columns.</p>
<p>Click on the <code>File</code> &gt; <code>Local files...</code> menus and select one of the dataset log file.</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/load_local_file.png" style="width: 302.6666666666667px;">
</figure>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/load_local_file_dataset.png" style="width: 538.6666666666666px;">
</figure>
<p>Click on the <code>autodetect axes types</code> located in the bottom right corner of the dialog.</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/local_file_loaded.png" style="width: 1535.3333333333333px;">
</figure>
<p>Finally, save the format as <code>squey.format</code> in the <code>bluecoat_proxy_big</code> directory</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/save_format.png" style="width: 498.6666666666667px;">
</figure>
<p>Note that <code>squey.format</code> is a catch-all name that will automatically match any dataset, and that&rsquo;s handy for datasets composed of several files. To match a specific dataset, say <code>dataset.csv</code>, name your format <code>dataset.csv.format</code>. If your format name doesn&rsquo;t match a dataset name, you will have to explicitely select it at loading by selecting <code>Format: custom format</code> and a dialog box will ask you to locate it on the disk.</p>
<h2 id="loading-dataset">Loading the dataset</h2>
<p>If not done previously:</p>
<ol>
<li>Download and extract the <a
  href="http://log-sharing.dreamhosters.com/bluecoat_proxy_big.zip"
  
  target="_blank" rel="noopener noreferrer">dataset</a> on your machine.</li>
<li>Download and and extract <a
  href="squey.format.zip"
  
  >squey.format.zip</a> in the same folder the dataset was extracted.</li>
</ol>
<p>Click on the <code>Local files...</code> button located on the <code>SOURCES</code> section of the start page and select the dataset log files.</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/import_data_button.png" style="width: 150px;">
</figure>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/open_local_files.png" style="width: 502px;">
</figure>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/dataset_ingest.png" style="width: 308.6666666666667px;">
</figure>
<p>During the data ingest stage, it was found that 8,883 rows (~0,11%) were dismissed. <br>
A dialog is displaying them so you can confirm after inspection that they are all redundant headers and no other valuable data was left out.</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/rejected_events.png" style="width: 578px;">
</figure>
<p>It took 16.22 seconds to load the dataset (4 text files, ~2.6GB uncompressed data) on an <a
  href="https://ark.intel.com/content/www/us/en/ark/products/132228/intel-core-i712700h-processor-24m-cache-up-to-4-70-ghz.html"
  
  target="_blank" rel="noopener noreferrer">Intel® Core™ i7-12700H Processor</a> and the memory consumption was ~5GB.</p>
<p>It took only 2.96 seconds to reload the saved investigation from disk (~1.1G binary data) as the data ingest stage alredy occured.</p>
<p>Note that in case your dataset is exceeding the available memory of your system, you can always <a
  href="https://doc.squey.org/content/format_builder/content.html#filters"
  
  target="_blank" rel="noopener noreferrer">filter out</a> some rows during the data ingest stage by applying custom exclusion rules to specific columns and make your analysis in several steps.</p>
<h2 id="visual-analysis">Visual analysis</h2>
<p>After loading the dataset, it is displayed in integrality using <a
  href="https://en.wikipedia.org/wiki/Parallel_coordinates"
  
  target="_blank" rel="noopener noreferrer">parallel coordinates</a>. <br>
To gain more knowledge about how the parallel coordinates work in Squey, please ensure to have read the <a
  href="https://doc.squey.org/content/global_pc_view/content.html"
  
  target="_blank" rel="noopener noreferrer">according section of the documentation</a>.</p>
<p>This dataset is composed of 8,130,590 rows and 26 columns and looks like this:</p>


    


<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/parallel_coordinates_full_dataset.png" style="width: 1455px;">
</figure>
<p>A first look at the displayed axes could already make us discover some facts worth of interest.</p>
<h3 id="dubious-cs-method">Dubious cs-method</h3>
<p>Anyone a bit familiar with proxies would probably ask himself why the <code>cs-method</code> column is containing so much different values ?</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/cs-method_column.png" style="width: 592px;">
</figure>
<p>A right-click on the <code>cs-method</code> column header and selecting <code>Distinct values</code> display each distinct values as well as their associated count.</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/distinct_values_menu.png" style="width: 322px;">
</figure>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/garbage_in_cs-method_column.png" style="width: 578px;">
</figure>
<p>We can then observe that many of them do not look to methods of standardized protocols but seem rather unusual.</p>
<p>Before going any further, let&rsquo;s clear our mind from any doubt that this could come from a corruption during the data download or ingest stage.</p>
<p>Here are the SHA-256 checkums of the files composing the dataset:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="o">[</span>/srv/data/bluecoat_proxy_big<span class="o">]</span>$ sha256sum *
</span></span><span class="line"><span class="cl">db1b8371cbee4a6ff3755c11d5aad81aab4661449b0c5eac14f2f93b9b0b0bf9  Demo_log_001.log
</span></span><span class="line"><span class="cl">8ff4858536215473e752db29537e46f598e79dd9985f15eedda85115d3c4fd0f  Demo_log_002.log
</span></span><span class="line"><span class="cl">18759422a0836e61ddc1f2877ba7ae516179f07675a39e2fa8d9bf6baa238731  Demo_log_003.log
</span></span><span class="line"><span class="cl">27139f8d611686127733e2a0eaf67eaf12e616332bc2cc281ec50af4984518b3  Demo_log_004.log
</span></span></code></pre></div><p>And here are some of the rows extracted from the original data:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sed -n <span class="s1">&#39;981185p; 1070757p; 1151521p; 1168033p; 1252127p; 1516636p; 1570191p; 1613877p; 1817343p; 1843350p; 1844162p; 1844203p; 1844351p; 1847392p; 1847641p; 1847644p; 1861554p; 2185718p; 2561934p; 2648396p; 2747923p; 2962884p; 2962885p; 2963953p; 3019317p; 3023657p; 3164071p; 3165808p; 3172156p; 3329713p; 3382352p; 3591245p; 3709973p; 3741054p; 3743310p; 3745850p&#39;</span> Demo_log_003.log
</span></span></code></pre></div>
  <blockquote
    
    class="blockquote border-start ps-3 py-1 border-primary border-4">
    <p>2005-05-03 16:36:32 3598 45.112.1.58 400 TCP_NC_MISS 9036 4294967282 <span style="color:orange"><strong>%03</strong></span> - - / - - NONE 192.16.170.44 - - PROXIED unavailable - 192.16.170.44 SG-HTTP-Service - - - <br>
2005-05-03 17:30:50 10031 45.116.1.30 0 TCP_ERR_MISS 0 12 <span style="color:orange"><strong>7</strong></span> - - / - - NONE - - - PROXIED none - 192.16.170.44 SG-HTTP-Service - - - <br>
2005-05-03 18:07:26 1 45.116.1.30 400 TCP_NC_MISS 9036 12 <span style="color:orange"><strong>%0B%16c</strong></span> - - / - - NONE 192.16.170.44 - - PROXIED unavailable - 192.16.170.44 SG-HTTP-Service - - - <br>
2005-05-03 18:16:30 1 45.116.1.30 400 TCP_NC_MISS 9036 12 <span style="color:orange"><strong>%B8X�</strong></span> - - / - - NONE 192.16.170.44 - - PROXIED unavailable - 192.16.170.44 SG-HTTP-Service - - - <br>
2005-05-03 19:01:13 1922 45.14.2.150 0 TCP_ERR_MISS 0 16 <span style="color:orange"><strong>|*[%FA</strong></span> - - / - - NONE - - - PROXIED none - 192.16.170.44 SG-HTTP-Service - - - <br>
2005-05-03 21:33:05 459 45.14.3.123 0 TCP_ERR_MISS 0 16 <span style="color:orange"><strong>%F9</strong></span> - - / - - NONE - - - PROXIED none - 192.16.170.44 SG-HTTP-Service - - - <br>
2005-05-03 22:02:36 485 45.114.2.68 0 TCP_ERR_MISS 0 16 <span style="color:orange"><strong>%9A%9C%01�</strong></span> - - / - - NONE - - - PROXIED none - 192.16.170.44 SG-HTTP-Service - - - <br>
2005-05-04 00:08:09 1 45.21.4.254 400 TCP_NC_MISS 9036 34 <span style="color:orange"><strong>recipientid=100&amp;sessionid=1516</strong></span> - - / - - NONE 192.16.170.44 - - PROXIED unavailable - 192.16.170.44 SG-HTTP-Service - - - <br>
2005-05-04 00:35:42 9 45.114.3.11 400 TCP_NC_MISS 9036 679 <span style="color:orange"><strong>&lt;?xml</strong></span> - - / - - NONE 192.16.170.44 - - PROXIED unavailable - 192.16.170.44 SG-HTTP-Service - - -</p>
  </blockquote>
<p>As we can see, these were well present in the original data.</p>
<p>This leaves us with at leat two hypotheses.</p>
<p>First, this could be a bug in the proxy OS that could arise under heavy load. In that case, it could be useful to take some mitigation measures like upgrading the sofware, monitoring the CPU usage, reducing the bandwidth usage, redesigning some part of the network or upgrading the hardware.</p>
<p>Secondly, this could be bogus communications of faulty apps that could be reported upstream, or malicious communications that should be further investigated.</p>
<h3 id="exporting-our-first-discovery">Exporting our first discovery</h3>
<p>Let&rsquo;s export this isolated data subset for a potential investigation before focusing on our main analysis.</p>
<p>There is two ways to isolate these dubious <code>cs-method</code> values:</p>
<ol>
<li>Select any wanted values from the <code>Distinct values</code> dialog</li>
<li>Filter out valid values by applying a search regular expression</li>
</ol>
<p>Let&rsquo;s try the second approach:  right-click on any values of the listing in the <code>cs-method</code> column, select <code>Search for...</code>, copy the following regular expression <code>[A-Za-z_]*</code>, select <code>exclude</code> and <code>Regular expressions</code> and click apply:</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/search_context_menu.png" style="width: 286.6666666666667px;">
</figure>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/search_regexp.png" style="width: 526px;">
</figure>
<p>This instantly filtered our dataset:</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/regex_filtered_dataset.png" style="width: 916px;">
</figure>
<p>Displaying the distinct values of the <code>cs-method</code> column now only shows the selected values:</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/dubious_cs-method_distinct_values.png" style="width: 818px;">
</figure>
<p>We can then export the selected rows by clicking on the <code>File</code> &gt; <code>Export</code> &gt; <code>Selection</code> menus. <br>
On-the-fly compression is supported with the following formats:  gz, bz2, zip and xz.</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/export_selection_menu.png" style="width: 316.6666666666667px;">
</figure>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/export_selection_dialog.png" style="width: 596px;">
</figure>
<p>The dataset has been exported to <a
  href="dubious_cs-method.csv.xz"
  
  >dubious_cs-method.csv.xz</a> (5.1KB). <br>
It can easily be loaded back into the application with on-the-fly decompression, headers and columns type autodetection.</p>
<p>


<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/format_detection1.png" style="width: 498px;">
</figure>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/format_detection2.png" style="width: 468px;">
</figure>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/format_detection3.png" style="width: 272px;">
</figure></p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/dubious_cs-method_dataset.png" style="width: 922.6666666666666px;">
</figure>
<h3 id="creating-our-first-layer">Creating our first layer</h3>
<p>Note that inverting the selected rows can be done by clicking on the <code>Selection</code> menu and selecting <code>Invert selection (I)</code>. <br>
The <code>Distinct values</code> dialog is then automatically updated to display the trusful <code>cs-method</code> values and their associated count/percentage:</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/invert_selection_menu.png" style="width: 326.6666666666667px;">
</figure>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/trustful_cs-method_distinct_values.png" style="width: 506px;">
</figure>
<p>This should give us a better understanding of the different protocols at work.</p>
<p>To confortably continue our analysis, let&rsquo;s isolate the current selected rows in an active <a
  href="https://doc.squey.org/content/layer_stack_view/content.html"
  
  target="_blank" rel="noopener noreferrer">layer</a> so that these dubious <code>cs-method</code> values won&rsquo;t stood in the way anymore. Click on the <code>Selection</code> &gt; <code>Create new layer from selection (Alt+K)</code> menus and give your layer the name you want.</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/create_layer.png" style="width: 332px;">
</figure>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/layerstack.png" style="width: 268px;">
</figure>
<p>As you can see on the layer stack, our active dataset is now restricted to the rows with trustful <code>cs-method</code> values:  we let aside 744 identified rows.</p>
<h3 id="back-to-our-main-analysis">Back to our main analysis</h3>
<p>Should there be a bandwidth problem, let&rsquo;s try to understand how it is distributed across the traffic.</p>
<p>Note:  coloring the rows using a gradient of color depending on the size of the requests can opionally be done by clicking on <code>Filters</code> &gt; <code>Axis gradient</code> menus and selecting the <code>sc-bytes</code> axis.</p>
<p>Right-click on the <code>sc-bytes</code> axis title, select <code>New selection cursor</code> and select the top of the axis to filter high values.</p>
<p>We can see which requests are consuming a lot of bandwidth as well as their associated hosts. This is interesting but we are still missing the big picture as lots of contents are not fetch in a single request but with many of them.</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/huge_sc-bytes.png" style="width: 918.6666666666666px;">
</figure>
<p>It would be nice if we could aggregate values of a selected column by doing a sum on numeric values located on another column.
Fortunately we can do this easily using the <code>Sumby</code> function.</p>
<p>First, remove the selection cursors by right-clicking on one of them and select <code>Remove cursors</code>, then click on the <code>Selection</code> &gt; <code>Select all events</code> menus.</p>
<p>


<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/remove_selection_cursors.png" style="width: 208.66666666666666px;">
</figure>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/select_all_events.png" style="width: 332.6666666666667px;">
</figure></p>
<p>Finally, right-click on the header of the <code>c-ip</code> column, select <code>Sum by</code> and then click on the <code>sc-bytes</code> column.</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/sumby_menu.png" style="width: 428.6666666666667px;">
</figure>
<p>This displays the distinct values contained in the <code>c-ip</code> column, but instead of displaying a count based on the frequency of which they appears, the dialog now displays their consumed bandwidth.</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/sumby_c-ip_sc-bytes.png" style="width: 506.6666666666667px;">
</figure>
<p>To gain even more information about the supposed types of traffic of each IPs, we can display the consumed bandwidth of each hosts. Right-click on the header of the <code>cs-host</code> column, select <code>Sum by</code> and then click on the <code>sc-bytes</code> column.</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/sumby_cs-host_sc-bytes.png" style="width: 520.6666666666666px;">
</figure>
<p>What could really came in handy is that selecting a specific IP will instantly filter the dataset and refresh the second dialog, revealing the bandwidth repartition by hosts for this IP.</p>



<figure>
<img src="/domains/cybersecurity/bluecoat-proxy-big-analysis/images/sumby_c-ip_cs-host_sc-bytes.png" style="width: 1028.6666666666667px;">
</figure>
<p>In this case, we can for example observe than IP <code>45.114.1.163</code> has downloaded ~3.43GB from <code>liveupdate.symantecliveupdate.com</code>, which represents 95.9% of its total traffic.</p>
<h3 id="continue-the-exploration-on-your-own">Continue the exploration on your own</h3>
<p>Now that you master the basic features of Squey, feel free to continue exploring this dataset to discover additional insights.</p>
]]></description>
    </item>
  </channel>
</rss>