# Apache/Proxy Log Events

## Load modules

In [1]:
import log_printer

## Apache Logs

Apache log messages have the following format:

0      | 1             | 2           | 3     | 4      | 5     | 6
-------|---------------|-------------|-------|--------|-------|-------------------------------------------------------------------------------------------------------------------------
`"GET` | `/index.html` | `HTTP/1.1"` | `200` | `4231` | `"-"` | `"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"`

The fields of interest are 3, 0 and 1 (status code, request method and URI); printing them in that order keeps the columns roughly aligned, since the status code is always three characters wide while the URI is variable-length.

### PHP

Log events for requests whose URI contains `/wordpress/wp-login.php` or `/mediawiki/index.php`.

In [2]:
log_printer.print_matched_events('../../logs/access.log', 'apache', 'php', [3,0,1])

### CGI

Log events for requests whose URI contains `cgi-bin/test_cgi` or `cgi_bin/htsearch`.

In [3]:
log_printer.print_matched_events('../../logs/access.log', 'apache', 'cgi', [3,0,1])
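The course's `log_printer` module is not shown on this page, so the following is an added, stand-alone example (not the original helper) of what the two Apache queries above do: parse each line of a combined-format `access.log`, match the `php` and `cgi` URI patterns against the URI field only, and emit fields 3, 0 and 1. It assumes `access.log` is in Apache's combined format with the usual `host ident user [time]` prefix in front of the request (the table above starts numbering at the request), and the sample lines are constructed for the example, not taken from the assignment's log.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Apache "combined" log format (assumed for access.log; the page shows only the
# request/status/size/referer/agent part of each line).
APACHE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# URI patterns from the two queries on this page. They are applied to the URI
# field only, not the whole line, so a referer or user-agent that happens to
# contain the same string does not produce a false match.
URI_PATTERNS = {
    "php": re.compile(r"/wordpress/wp-login\.php|/mediawiki/index\.php"),
    "cgi": re.compile(r"cgi-bin/test_cgi|cgi_bin/htsearch"),
}

# Constructed sample lines (not from the assignment's access.log).
SAMPLE_LINES = [
    '192.0.2.10 - - [10/Oct/2019:13:55:36 -0700] "GET /wordpress/wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2019:13:55:40 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2019:14:01:02 -0700] "GET /cgi-bin/test_cgi HTTP/1.0" 404 213 "-" "curl/7.64.1"',
    '198.51.100.7 - - [10/Oct/2019:14:01:05 -0700] "GET /mediawiki/index.php?title=Main_Page HTTP/1.1" 200 18324 "-" "Mozilla/5.0"',
    # URI is harmless; only the referer mentions wp-login.php, so it must not match "php".
    '203.0.113.5 - - [10/Oct/2019:14:02:00 -0700] "GET /index.html HTTP/1.1" 200 1024 "http://evil.example/wordpress/wp-login.php" "Mozilla/5.0"',
    "garbage line that does not parse",
]


def parse_apache(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = APACHE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def matched_events(lines: Iterable[str], pattern_name: str,
                   fields: Tuple[str, ...] = ("status", "method", "uri")) -> List[Tuple[str, ...]]:
    """Select lines whose URI matches the named pattern; return the chosen fields per event.

    The default field order (status, method, uri) corresponds to [3, 0, 1] in the
    numbering used on this page.
    """
    pat = URI_PATTERNS[pattern_name]
    out = []
    for line in lines:
        rec = parse_apache(line)
        if rec is None:
            continue  # malformed or non-combined line: skip it rather than crash
        if pat.search(rec["uri"]):
            out.append(tuple(rec[f] for f in fields))
    return out


def iter_log(path: str) -> Iterable[str]:
    """Yield lines from a log file; errors='replace' tolerates non-UTF-8 bytes in attacker-supplied URIs."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        yield from fh


def print_matched_events(lines: Iterable[str], pattern_name: str,
                         fields: Tuple[str, ...] = ("status", "method", "uri")) -> None:
    for event in matched_events(lines, pattern_name, fields):
        print(" ".join(event))


if __name__ == "__main__":
    print_matched_events(SAMPLE_LINES, "php")
    print_matched_events(SAMPLE_LINES, "cgi")
    # Against a real file: print_matched_events(iter_log("../../logs/access.log"), "php")
```

Matching on the parsed URI field rather than the raw line is the point of the example: the request, referer and user-agent are all attacker-controlled, so a substring search over the whole line lets an attacker make unrelated requests show up in (or hide from) a URI-based query.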

## Proxifier Logs

### Proxy Opened

Proxy opened messages have the following format:

0             | 1   | 2                     | 3      | 4         | 5       | 6                           | 7
--------------|-----|-----------------------|--------|-----------|---------|-----------------------------|---------
`Program.exe` | `-` | `hostname.example:80` | `open` | `through` | `proxy` | `proxy.domain.example:5070` | `HTTPS`

The fields of interest are 0, 2 and 6 (program, destination `host:port` and proxy `host:port`).

In [4]:
log_printer.print_matched_events('../../logs/Proxifier_2k.log', 'qq', 'proxy_opened', [0,2,6])

QQ.exe tcpconn.tencent.com:80 proxy.cse.cuhk.edu.hk:5070
QQ.exe 183.60.49.182:443 proxy.cse.cuhk.edu.hk:5070
QQ.exe tcpconn3.tencent.com:443 proxy.cse.cuhk.edu.hk:5070
QQ.exe tcpconn6.tencent.com:80 proxy.cse.cuhk.edu.hk:5070
QQ.exe tcpconn6.tencent.com:443 proxy.cse.cuhk.edu.hk:5070
QQ.exe cgi.qqweb.qq.com:80 proxy.cse.cuhk.edu.hk:5070
QQPlayer.exe btrace.qq.com:80 proxy.cse.cuhk.edu.hk:5070
QQPlayer.exe btrace.qq.com:80 proxy.cse.cuhk.edu.hk:5070
QQProtectUpd.exe qdun-data.qq.com:443 proxy.cse.cuhk.edu.hk:5070


### Proxy Closed

Proxy closed messages have the following format:

0             | 1   | 2                     | 3        | 4     | 5       | 6       | 7   | 8       | 9           | 10         | 11   | 12
--------------|-----|-----------------------|----------|-------|---------|---------|-----|---------|-------------|------------|------|-------
`Program.exe` | `-` | `hostname.example:80` | `close,` | `133` | `bytes` | `sent,` | `0` | `bytes` | `received,` | `lifetime` | `<1` | `sec`

The fields of interest are 0, 2, 4 and 7 (program, destination `host:port`, bytes sent and bytes received). Note that the number of fields after `lifetime` depends on how Proxifier renders the lifetime (`<1 sec` is two tokens), so only fields 0 to 10 have a fixed position.

In [5]:
log_printer.print_matched_events('../../logs/Proxifier_2k.log', 'qq', 'proxy_closed', [0,2,4,7])

QQ.exe tcpconn.tencent.com:80 133 0
QQ.exe tcpconn3.tencent.com:80 0 0
QQ.exe tcpconn6.tencent.com:443 0 0
QQ.exe tcpconn6.tencent.com:80 0 0
QQ.exe tcpconn3.tencent.com:443 149 121
QQ.exe cgi.qqweb.qq.com:80 477 448
QQ.exe qqmail.tencent.com:80 336 2854
QQ.exe showxml.qq.com:80 600 1716
QQ.exe 2052.flash2-http.qq.com:80 466 125682
QQProtectUpd.exe qdun-data.qq.com:443 261 70
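As an added example (not the course's `log_printer` or `log_check.py`), the parser below handles both the "proxy opened" and "proxy closed" formats tabulated above, filters on the program name with a regex such as `qq`, and goes one step further than the printed columns by summing bytes sent and received per program and destination from the close events. It assumes each Proxifier line carries a `[MM.DD HH:MM:SS]` timestamp before the program name (the tables above number fields from the program name onward); the timestamp is treated as optional so the parser also works on lines without it. The sample lines are constructed for the example, reusing a few of the values printed above.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Optional timestamp prefix (assumed format "[MM.DD HH:MM:SS] "), then the
# fields shown in the tables on this page.
_PREFIX = r"^(?:\[(?P<ts>[^\]]+)\] )?"
OPEN_RE = re.compile(
    _PREFIX + r"(?P<program>\S+) - (?P<dest>\S+) open through proxy (?P<proxy>\S+) (?P<proto>\S+)$"
)
CLOSE_RE = re.compile(
    _PREFIX + r"(?P<program>\S+) - (?P<dest>\S+) close, (?P<sent>\d+) bytes sent, "
    r"(?P<received>\d+) bytes received, lifetime (?P<lifetime>.+)$"
)

# Constructed sample lines (not the assignment's Proxifier_2k.log).
SAMPLE_LINES = [
    "[10.30 16:49:06] QQ.exe - tcpconn.tencent.com:80 open through proxy proxy.cse.cuhk.edu.hk:5070 HTTPS",
    "[10.30 16:49:06] QQ.exe - tcpconn.tencent.com:80 close, 133 bytes sent, 0 bytes received, lifetime <1 sec",
    "[10.30 16:49:07] QQ.exe - cgi.qqweb.qq.com:80 open through proxy proxy.cse.cuhk.edu.hk:5070 HTTPS",
    "[10.30 16:49:09] QQ.exe - cgi.qqweb.qq.com:80 close, 477 bytes sent, 448 bytes received, lifetime 00:02",
    "[10.30 16:49:10] QQ.exe - cgi.qqweb.qq.com:80 open through proxy proxy.cse.cuhk.edu.hk:5070 HTTPS",
    "[10.30 16:49:12] QQ.exe - cgi.qqweb.qq.com:80 close, 120 bytes sent, 30 bytes received, lifetime 00:02",
    "[10.30 16:49:15] QQProtectUpd.exe - qdun-data.qq.com:443 open through proxy proxy.cse.cuhk.edu.hk:5070 HTTPS",
    "[10.30 16:49:16] QQProtectUpd.exe - qdun-data.qq.com:443 close, 261 bytes sent, 70 bytes received, lifetime 00:01",
    "[10.30 16:49:20] chrome.exe - www.example.com:443 open through proxy proxy.cse.cuhk.edu.hk:5070 HTTPS",
    "[10.30 16:49:25] chrome.exe - www.example.com:443 close, 900 bytes sent, 5400 bytes received, lifetime 00:05",
    "[10.30 16:49:30] chrome.exe - www.example.com:443 some other event type (constructed, deliberately unparsed)",
]


def parse_proxifier(line: str) -> Optional[Dict[str, object]]:
    """Parse one line into a dict with an 'event' key, or None for any other event type."""
    line = line.rstrip("\n")
    m = OPEN_RE.match(line)
    if m:
        return {"event": "proxy_opened", **m.groupdict()}
    m = CLOSE_RE.match(line)
    if m:
        rec = {"event": "proxy_closed", **m.groupdict()}
        rec["sent"] = int(rec["sent"])        # byte counts as integers so they can be summed
        rec["received"] = int(rec["received"])
        return rec
    return None


def matched_events(lines: Iterable[str], program_pattern: str, event: str) -> List[Dict[str, object]]:
    """Events of the given type whose program name matches program_pattern (case-insensitive)."""
    pat = re.compile(program_pattern, re.IGNORECASE)
    return [rec for rec in map(parse_proxifier, lines)
            if rec and rec["event"] == event and pat.search(str(rec["program"]))]


def format_event(rec: Dict[str, object], fields: Tuple[str, ...]) -> str:
    """Render the chosen fields as the page does, e.g. ("program", "dest", "proxy") for [0, 2, 6]."""
    return " ".join(str(rec[f]) for f in fields)


def traffic_by_destination(lines: Iterable[str], program_pattern: str) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Sum connections and bytes per (program, destination) over the close events."""
    totals: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(
        lambda: {"connections": 0, "sent": 0, "received": 0})
    for rec in matched_events(lines, program_pattern, "proxy_closed"):
        t = totals[(str(rec["program"]), str(rec["dest"]))]
        t["connections"] += 1
        t["sent"] += int(rec["sent"])
        t["received"] += int(rec["received"])
    return dict(totals)


def proxies_used(lines: Iterable[str], program_pattern: str) -> List[str]:
    """Distinct proxy endpoints seen in open events; more than one is worth a second look."""
    return sorted({str(rec["proxy"]) for rec in matched_events(lines, program_pattern, "proxy_opened")})


if __name__ == "__main__":
    for rec in matched_events(SAMPLE_LINES, "qq", "proxy_opened"):
        print(format_event(rec, ("program", "dest", "proxy")))
    for rec in matched_events(SAMPLE_LINES, "qq", "proxy_closed"):
        print(format_event(rec, ("program", "dest", "sent", "received")))
    for key, t in traffic_by_destination(SAMPLE_LINES, "qq").items():
        print(key, t)
```

Aggregating per destination answers the "activity to and from the same remote host?" question directly: repeated short connections with a few hundred bytes each way look like keep-alive or polling traffic, whereas a destination that receives far more than it sends (such as the `125682` bytes from `2052.flash2-http.qq.com:80` above) is a download, and a large sent-to-received ratio would be the pattern to investigate for exfiltration.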


# Questions

*What is your interpretation of the results that you discovered (Did the files match known threat intell information?  Was there activity to and from the same remote host?)*

The log entries seem, at a glance, to be consistent with the threat actor's *modus operandi*, but only at a surface level. Looking into it, all of the domains that the `QQ.*\.exe` programs connected to appear to be subdomains of `tencent.com` and `qq.com`, and a [quick DuckDuckGo search](https://duckduckgo.com/tencent%20qq?ia=web) results in information indicating that Tencent QQ is an IM service offered by Chinese tech giant Tencent. With that knowledge, it appears that the logs are simply records of someone accessing QQ-related services via a proxy at the Chinese University of Hong Kong - the only proxy domain is a proxy on their website - `proxy.cse.cuhk.edu.hk`, with `cuhk.edu.hk` being the domain name for the aforementioned university.

*What did you like the most and least about this assignment?*

Not much to say here, to be honest. I enjoyed messing around with regular expressions, until the point at which a comma in my regex pattern broke my whole script - it was treated as plain text by [The Silver Searcher (`ag`)](https://github.com/ggreer/the_silver_searcher), a command-line tool to search for regex matches in all files in a directory, which I used to quickly test my new regex patterns and craft the above tables, but I'd forgotten that `log_check.py` splits the regex patterns at commas. So to sum up, what I liked most and least about this assignment was working with regular expressions.

*What additional questions do you have about this week's material?*

None come to mind.