
Extracting filenames from Ironport Proxy Logs

Question asked by KEVIN DIENST on Oct 20, 2016
Latest reply on Oct 21, 2016 by Christopher Ahearn


I have a question regarding how feasible it is to extract, from an IronPort proxy log, the value after the last / in a URL.

example:

httpX://www.badsite.com/attacker/firefox_updater.exe

I want to extract everything after that last slash. I tweaked a regex and it works, but since app rules just do true/false for regex, not parsing, I assume I may have to use a Lua parser to extract that information. 

Sample Regex: (?:[^\/][\d\w\.\-]+)$(?<=(?:.))

Link to Lua on patterns: lua-users wiki: Patterns Tutorial 

1. Yes I know there is a ton of stuff after that / that will be completely garbage, not related to any actual filename. 

2. We already index url meta from the IronPorts. Yes, the index is massive (a few billion unique entries a day), but we have to be able to search against that content. Even then, however, using url contains ".exe" over a long period of time isn't fast for our analysts.

If there is another method to do this, I'm open to that. If it isn't really feasible, how is the community doing this type of searching today?

Use Case: I found out that machine A got malware from httpX://www.badsite.com/attacker/firefox_updater.exe and want to see if the attacker may be hosting this same malicious file across other throwaway sites.

Thanks!
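The extraction described in the question, as an added example in plain Lua (not code from the post, the thread, or NetWitness): it pulls the final path segment out of a URL with Lua patterns from the linked tutorial, handles query strings and trailing slashes, and then scans constructed log lines (a simplified access-log shape, not real IronPort output) for other hosts serving a file of the same name, which is the hunting use case above.

```lua
-- Returns the text after the last slash in the URL path (the file name), or nil
-- when the path ends in "/" or the URL has no path at all.
local function filename_from_url(url)
  -- Drop the query string and fragment so "/x.exe?id=1" still yields "x.exe".
  local path = url:match("^[^?#]*")
  -- Strip "scheme://host" (gsub's second return value, the count, is discarded).
  path = path:gsub("^%a[%w+.-]*://[^/]*", "")
  -- Capture what follows the last slash; no capture when the path ends in "/".
  return path:match("/([^/]+)$")
end

-- Returns the host part of a URL, or nil if there is no "scheme://host" prefix.
local function host_from_url(url)
  return url:match("^%a[%w+.-]*://([^/?#]+)")
end

-- Constructed sample lines (epoch client method url status), not real IronPort output.
local sample_log = {
  "1476979200.001 10.0.0.5 GET httpX://www.badsite.com/attacker/firefox_updater.exe 200",
  "1476979201.120 10.0.0.9 GET httpX://cdn.example.net/updates/firefox_updater.exe 200",
  "1476979202.340 10.0.0.7 GET httpX://www.example.org/downloads/ 200",
  "1476979203.500 10.0.0.5 GET httpX://mirror.example.com/attacker/firefox_updater.exe?dl=1 200",
  "1476979204.700 10.0.0.6 GET httpX://www.example.org/tools/notepad_setup.exe 200",
}

-- Returns a sorted, de-duplicated list of hosts whose requested file name equals `wanted`.
local function hosts_serving(lines, wanted)
  local seen, hosts = {}, {}
  for _, line in ipairs(lines) do
    local url = line:match("%s(%a[%w+.-]*://%S+)")   -- first URL-looking token
    if url and filename_from_url(url) == wanted then
      local host = host_from_url(url)
      if host and not seen[host] then
        seen[host] = true
        hosts[#hosts + 1] = host
      end
    end
  end
  table.sort(hosts)
  return hosts
end

local name = filename_from_url("httpX://www.badsite.com/attacker/firefox_updater.exe")
assert(name == "firefox_updater.exe")
assert(filename_from_url("httpX://www.example.org/downloads/") == nil)
assert(table.concat(hosts_serving(sample_log, name), ",")
       == "cdn.example.net,mirror.example.com,www.badsite.com")
```

Inside a real NetWitness Lua parser the same pattern logic would run against the URL meta already being indexed, with the captured name written out as its own meta key so analysts can pivot on it directly instead of running a slow substring search.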