Web Activity Logs help

Which of the malicious URLs was likely contacted over a non-HTTP/HTTPS protocol? Select all that apply.

A. GitHub - dogless-atoms/ubik

B. acacia-tree-for-me.corp
C. weyland-yutani-corp.store
D. Imgur: The magic of the Internet

I got the answer but do not understand what in the events log is the key to focus on that makes that selection obvious?

Hey @JonSan7253!!

The key here is in the decoder (decoder.name) that triggered the Alert and/or Event in your SIEM.

In the Guided part of this lab, we noted the two log sources feeding our SIEM:

  1. A web proxy (i.e., the Squid web proxy, which in Wazuh’s decoder.name field is identifiable as squid-accesslog). Web proxies capture all web (HTTP/HTTPS) requests made.
  2. A name server (i.e., the “Named” nameserver, which in Wazuh’s decoder.name field is identifiable as named-query). Nameservers are responsible for all Domain > IP resolutions (I need the IP associated with this domain before I can connect to the server hosting it).

Now, if I try to reach google.com, two things happen:

  1. Some name server is queried to resolve google.com to an IP address.
  2. Then I connect over whatever protocol I’m trying to reach it through, whether that’s FTP, HTTP, HTTPS, SMB, etc…

Knowing this, if I see an entry that was logged by the nameserver (named-query), but NOT the web proxy (squid-accesslog), this would indicate ONLY DNS resolution happened, but not a subsequent web request. There’s only one answer that fits this description (i.e., you’ll see all of these URLs were logged by the Squid web proxy, except for one).

Let me know if that makes sense. Happy hacking!

Note: This is slightly simplified, as sometimes the DNS > IP mapping is already on your system, which gets queried first. In which case, you won’t see this URL in the named-query log either. But, the point is that the right answer is the only one of the four URLs that doesn’t show up in your Squid web proxy logs.

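The check described in the answer above (hosts present in named-query events but absent from squid-accesslog events), written out as an added example that is not part of the original post or of the lab's Wazuh rules. The decoder names come from the answer; the raw line formats are assumptions (Squid's native access-log format and BIND's query-log format), and the sample events are constructed, not taken from the lab's SIEM:

```python
import re
from urllib.parse import urlsplit

# Constructed sample events (not from the lab's SIEM). Each entry pairs the
# decoder.name Wazuh would assign with the raw line as the log source wrote it.
SAMPLE_EVENTS = [
    ("named-query",
     "client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.53)"),
    ("squid-accesslog",
     "1718000000.101    231 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html"),
    ("named-query",
     "client 10.0.0.5#51235: query: secure.example.org IN A + (10.0.0.53)"),
    ("squid-accesslog",
     "1718000000.350     98 10.0.0.5 TCP_TUNNEL/200 8800 CONNECT secure.example.org:443 - HIER_DIRECT/203.0.113.10 -"),
    ("named-query",
     "client 10.0.0.5#51236: query: files.example.net IN A + (10.0.0.53)"),
    # files.example.net is resolved but never appears in the proxy log: whatever
    # followed the lookup was not an HTTP/HTTPS request through Squid.
]

# Assumed BIND query-log shape: "... query: <name> IN <type> ..." (flags follow).
NAMED_QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<rtype>[A-Z0-9]+)")


def normalize(name):
    """Lower-case and drop a trailing dot so DNS names and URL hosts compare equal."""
    return name.lower().rstrip(".")


def host_from_named(line):
    """Return the queried name from a BIND query-log line, or None."""
    m = NAMED_QUERY_RE.search(line)
    return normalize(m.group("name")) if m else None


def host_from_squid(line):
    """Return the destination host from a Squid native access-log line, or None.

    Assumed native format: time elapsed client code/status bytes method URL
    ident hierarchy type. GET/POST carry a full URL; CONNECT (HTTPS tunnels)
    carries host:port, so it needs its own handling.
    """
    fields = line.split()
    if len(fields) < 7:
        return None
    method, target = fields[5], fields[6]
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname
    return normalize(host) if host else None


def hosts_by_decoder(events):
    """Map decoder.name -> set of hosts seen in that log source."""
    seen = {"named-query": set(), "squid-accesslog": set()}
    for decoder, line in events:
        if decoder == "named-query":
            host = host_from_named(line)
        elif decoder == "squid-accesslog":
            host = host_from_squid(line)
        else:
            continue  # other decoders are not relevant to this question
        if host:
            seen[decoder].add(host)
    return seen


def dns_only_hosts(events):
    """Hosts resolved by the name server but never requested through the proxy."""
    seen = hosts_by_decoder(events)
    return sorted(seen["named-query"] - seen["squid-accesslog"])


def triage(events, candidates):
    """Label each candidate host: 'proxied' (HTTP/HTTPS via Squid), 'dns-only'
    (resolved, no web request), or 'not-seen' (in neither log, e.g. because a
    local resolver cache answered and named never saw the query)."""
    seen = hosts_by_decoder(events)
    result = {}
    for candidate in candidates:
        host = normalize(candidate)
        if host in seen["squid-accesslog"]:
            result[candidate] = "proxied"
        elif host in seen["named-query"]:
            result[candidate] = "dns-only"
        else:
            result[candidate] = "not-seen"
    return result


if __name__ == "__main__":
    suspects = ["www.example.com", "secure.example.org",
                "files.example.net", "cached.example.org"]
    for host, label in triage(SAMPLE_EVENTS, suspects).items():
        print(f"{host:24} {label}")
```

The 'not-seen' label is there for the caveat in the note above: a host answered from a local cache produces no named-query event either, so the only reliable signal for the lab question is absence from the squid-accesslog set, which is what dns_only_hosts and triage key on.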