
Squid Timeline analysis

Sometimes it is useful to know at what time a piece of malware started communicating with the outside world, and that communication is often done over HTTP or HTTPS. Examining the network log files, such as those of a web proxy, can therefore help determine when the malware first contacted its C&C server.

One way to do this is to use the tool mactime from The Sleuth Kit (TSK) to read the Squid access log; all that is needed is to convert the access log into a bodyfile. So I wrote the script squid2timeline, which does exactly that. The usage of the script is:

squid2timeline -c CONFIG [-l] [-h HOST] [ACCESS]
 Where CONFIG refers to the configuration file of Squid, usually /etc/squid/squid.conf.
 The script then reads the variables needed to determine the correct format of the Squid
 access file and the location of the current Squid access file.
 Optional: ACCESS defines the access file to read; otherwise the current one, as it is
 defined in squid.conf, will be read.

squid2timeline [-l] [-h HOST] [-e] ACCESS
 -e Indicates that the access file was written with emulate_httpd_log on.
 Otherwise (the default behaviour) emulate_httpd_log is assumed to be off.

 [-l] Defines the legacy timeline format as used by TSK versions 1.X and 2.X;
 otherwise version 3.0+ is assumed.

 [-h HOST] defines a host name to be included in the timeline.

One example use of the script is to build the timeline of a single IP address that is infected, or suspected of being infected: extract its entries from the access log, run them through the script and then through mactime. Note that a plain grep for 10.1.1.1 also matches 10.1.1.10 through 10.1.1.19 (and the dots match any character); grep -wF, or filtering on the client field, avoids pulling in other hosts.

grep 10.1.1.1 access.log.1 > access.log_10.1
squid2timeline access.log_10.1 > body
mactime -b body -i hour summary -d > timeline.csv
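The following is an added example, not the squid2timeline script from this post: a small Python re-implementation of the same idea, so the conversion and the hourly summary can be seen end to end. It assumes the TSK 3.0+ bodyfile layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), Squid's native access-log format with emulate_httpd_log off, the Apache common-log style that emulate_httpd_log on produces, and UTC timestamps. The host name, client address, URLs and log lines are constructed for the example (10.1.1.1 beacons every minute with a burst at 11:00), and the spike threshold is an arbitrary heuristic added here, not something mactime does.

```python
#!/usr/bin/env python3
"""Added example: convert Squid access-log lines into a TSK 3.0+ bodyfile and
summarise requests per hour. This is not the squid2timeline script itself."""
import re
from collections import Counter
from datetime import datetime, timezone
from statistics import median

# Squid native format (emulate_httpd_log off):
#   time.ms elapsed client action/code bytes method URL ident hierarchy/peer type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+)\.\d+\s+\d+\s+(?P<client>\S+)\s+(?P<action>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)")
# emulate_httpd_log on: Apache common log format with Squid's action/hierarchy appended
HTTPD_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r"(?P<code>\d+) (?P<size>\d+|-)(?: (?P<action>\S+))?")

# Mon Jun 22 2009 04:00:00 UTC, the first hour shown in the post's summary
BASE = int(datetime(2009, 6, 22, 4, 0, tzinfo=timezone.utc).timestamp())
# Constructed sample line in emulate_httpd_log format (not real traffic)
HTTPD_SAMPLE = ('10.1.1.1 - - [22/Jun/2009:11:04:13 +0000] '
                '"GET http://example.test/ HTTP/1.0" 200 5432 TCP_MISS:DIRECT')


def parse_line(line, emulate_httpd=False):
    """Return (epoch_seconds, client, description, bytes), or None if the line does not parse."""
    if emulate_httpd:
        m = HTTPD_RE.match(line)
        if not m:
            return None
        ts = int(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp())
        desc = f"{m['method']} {m['url']} {m['code']} {m['action'] or ''}".rstrip()
        size = 0 if m["size"] == "-" else int(m["size"])
    else:
        m = NATIVE_RE.match(line)
        if not m:
            return None
        ts = int(m["ts"])  # whole seconds; mactime works at one-second resolution
        desc = f"{m['method']} {m['url']} {m['action']} {m['hier']}"
        size = int(m["size"])
    return ts, m["client"], desc, size


def body_line(rec, host=None):
    """One TSK 3.0+ bodyfile record. A log entry carries a single time, so it is
    written into all four time slots (mactime then shows the entry once, as 'macb')."""
    ts, client, desc, size = rec
    name = f"[squid] {host + ' ' if host else ''}{client} {desc}".replace("|", "_")
    return f"0|{name}|0|0|0|0|{size}|{ts}|{ts}|{ts}|{ts}"


def to_bodyfile(lines, emulate_httpd=False, host=None, client=None):
    """Convert log lines to bodyfile records. `client` replaces the grep step and matches
    the whole client field, so 10.1.1.1 does not also pick up 10.1.1.10."""
    recs = (parse_line(line, emulate_httpd) for line in lines)
    return [body_line(r, host) for r in recs if r and (client is None or r[1] == client)]


def hourly_summary(body_lines):
    """Requests per hour (UTC), keyed like the lines in mactime's summary file."""
    counts = Counter()
    for bl in body_lines:
        mtime = int(bl.split("|")[8])
        counts[datetime.fromtimestamp(mtime, timezone.utc).replace(minute=0, second=0)] += 1
    return {h.strftime("%a %b %d %Y %H:%M:%S"): counts[h] for h in sorted(counts)}


def spike_hours(summary, factor=1.5):
    """Hours whose count exceeds `factor` times the median hour. A deliberately simple
    heuristic added for the example; tune `factor` to the proxy's normal load."""
    base = median(summary.values())
    return [h for h, n in summary.items() if n > factor * base]


def constructed_log():
    """Constructed sample traffic, not a real capture: 10.1.1.1 makes 6 requests an hour
    from 04:00 to 13:00 plus 20 extra at 11:00; 10.1.1.2 adds one request an hour."""
    lines = []
    for h in range(10):
        start = BASE + h * 3600
        for i in range(6 + (20 if h == 7 else 0)):
            lines.append(f"{start + i * 60}.123    250 10.1.1.1 TCP_MISS/200 5432 GET "
                         f"http://example.test/beacon?id={i} - DIRECT/192.0.2.10 text/html")
        lines.append(f"{start + 1800}.000    100 10.1.1.2 TCP_HIT/200 1024 GET "
                     "http://other.test/ - NONE/- text/plain")
    return lines


if __name__ == "__main__":
    body = to_bodyfile(constructed_log(), host="proxy1", client="10.1.1.1")
    print("\n".join(body[:2]))  # what would be written to the bodyfile for mactime
    summary = hourly_summary(body)
    for hour, n in summary.items():
        print(f"{hour}, {n}")
    print("spikes:", spike_hours(summary))
```

Writing the returned records to a file and running `mactime -b body -d -i hour summary` on it gives the same kind of CSV and hourly summary as the commands above; the per-hour count here is only a stand-in for reading that summary file.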

The file "timeline.csv" then contains the timeline in CSV format (the -d option), and the file "summary" contains an hourly summary of the traffic (-i hour summary). The content of the summary file looks like this:

Hourly Summary for Timeline of body

Mon Jun 22 2009 04:00:00, 835
Mon Jun 22 2009 05:00:00, 945
Mon Jun 22 2009 06:00:00, 807
Mon Jun 22 2009 07:00:00, 814
Mon Jun 22 2009 08:00:00, 810
Mon Jun 22 2009 09:00:00, 804
Mon Jun 22 2009 10:00:00, 879
Mon Jun 22 2009 11:00:00, 1680
Mon Jun 22 2009 12:00:00, 1789
Mon Jun 22 2009 13:00:00, 1023
....

An unusual spike appears in the traffic around 11:00, which could be an indication of an infection (the timeline entries for that hour show which hosts were contacted, so a benign cause such as a software update can be ruled out). This lets the analyst focus the investigation on that part of the timeline.
