legal contact rss
 

Proxy logs (squid)

Unusual proxy usage where proxy has blocked access

Count of blocked HTTP hosts by country (of user) over time 

sourcetype=whatever request=* (reputation=unverified OR reputation=malicious)  error="" | rex field=_raw " action=\"(?<action>.+?)\" "| search action=block | rex field=url "https?\:\/\/(?<httphost>.+?)(\/|:(?<httpport>\d+))\/" | fillnull value=80 httpport | eval eventsrc=host_country."/".host_dns | fillnull value=unknown content-type,ua,statuscode | timechart limit=20 dc(httphost) by dvc_city

Originator of blocked requests 

sourcetype=whatever request=* (reputation=unverified OR reputation=malicious)  error=""  | rex field=url "https?\:\/\/(?<httphost>.+?)(\/|:(?<httpport>\d+))\/" | rex field=_raw " action=\"(?<action>.+?)\" " | fillnull value=80 httpport | search action="block"  | stats dc(domain) as uniqdomcount,count(domain) as domaccessedcount, values(domain) as domlist by srcip, dvc_city, dvc_dns | where uniqdomcount>4 | sort -uniqdomcount,-domaccessedcount | table srcip, uniqdomcount, domaccessedcount, dvc_city

Top blocked domains (all sites)

sourcetype=whatever request=* (reputation=unverified OR reputation=malicious) | rex field=url "https?\:\/\/(?<httphost>.+?)(\/|:(?<httpport>\d+))\/" | rex field=_raw " action=\"(?<action>.+?)\" " | search action="block"  |  top limit=40 domain

Blocked Proxy events (uncategorised, unverified or malicious)

 sourcetype=whatever request=* (reputation=unverified OR reputation=malicious) error=""  | rex field=_raw " action=\"(?<action>.+?)\" "| search action=block | rex field=url "https?\:\/\/(?<httphost>.+?)(\/|:(?<httpport>\d+))\/" | fillnull value=80 httpport |  eval eventsrc=host_country."/".host_dns | fillnull value=unknown content-type,ua,statuscode | table _time, srcip, dvc_city, domain, reputation, categoryname, reason, action, name, httpport, ua, url