Proxy and Firewall Analysis

Hunt for threats and investigate incidents using proxy and firewall telemetry.

Last updated: February 2026

Purpose and Scope

Web proxy and firewall logs provide visibility into network traffic at the perimeter and internal boundaries. This playbook covers analysis techniques for detecting C2 communication, data exfiltration, policy violations, and other threats using proxy and firewall data.

Prerequisites

  • Proxy logs: Web proxy with full URL logging and user attribution
  • Firewall logs: Allow and deny logs with source, destination, port, and application
  • SIEM access: Query capability across network logs
  • Threat intelligence: IOC feeds for domain and IP reputation
  • Baseline: Understanding of normal traffic patterns

Key Data Fields

Web Proxy Logs

  • Timestamp: When the request occurred
  • Source IP: Client making the request
  • User: Authenticated user if available
  • HTTP method: GET, POST, CONNECT, etc.
  • URL/URI: Full requested resource
  • Host: Destination domain
  • User agent: Client application identifier
  • Response code: HTTP status
  • Bytes: Request and response sizes
  • Category: URL categorization if available
  • Action: Allowed, blocked, warned

Firewall Logs

  • Timestamp: When the connection occurred
  • Source IP and port: Initiating host
  • Destination IP and port: Target host and service
  • Protocol: TCP, UDP, ICMP
  • Application: Identified application if available
  • Action: Allow, deny, drop
  • Bytes/packets: Transfer volumes
  • Session duration: Connection length
  • Rule: Which firewall rule matched

Hunting Hypotheses

Command and Control Communication

Malware communicates with attacker infrastructure:

  • Connections to known bad IPs or domains
  • Beaconing patterns (regular intervals)
  • Long duration connections
  • Unusual ports or protocols
  • Connections to recently registered domains

Data Exfiltration

Attackers extract data from the network:

  • Large outbound transfers, especially to unusual destinations
  • Uploads to cloud storage or file sharing services
  • Connections to Tor or anonymizing proxies
  • DNS tunneling (large or encoded DNS queries)
  • Encrypted traffic to non-standard ports

Policy Violations

Users bypassing security controls:

  • Proxy bypass attempts
  • Use of unauthorized VPN or proxy services
  • Access to blocked categories
  • Shadow IT and unapproved cloud services

Analysis Techniques

Beaconing Detection

C2 often uses regular callback intervals:

  • Group connections by source and destination
  • Calculate time intervals between connections
  • Flag consistent intervals (jitter-aware)
  • Look for patterns at common beacon rates (60s, 300s, 3600s)

Splunk example:

index=proxy
| sort 0 src_ip, dest_host, _time
| streamstats current=f last(_time) as prev_time by src_ip, dest_host
| eval interval = _time - prev_time
| stats count, avg(interval) as avg_interval, stdev(interval) as stdev_interval by src_ip, dest_host
| where count > 20 AND stdev_interval < 60
| sort avg_interval
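The same grouping and interval logic as the Splunk search above, written in Python so it can be run offline against exported proxy records. This is an added example, not code from the original page: the log line format (ISO timestamp, source IP, user, method, host, status, bytes) and the sample lines are constructed, and instead of the absolute `stdev_interval < 60` test in the SPL it scores regularity as stdev/mean so that a 300 s beacon with ±10 % jitter is still caught while bursty browsing is not.

```python
"""Beacon detection over proxy telemetry: group by (source, destination),
compute inter-request intervals and flag groups whose interval is regular
even allowing for jitter. Added example, not the original page's code."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy lines (assumed format):
#   <ISO timestamp> <src_ip> <user> <method> <dest_host> <status> <bytes>
# 10.1.1.5 calls cdn-sync.example.test roughly every 300 s with a little
# jitter; 10.1.1.7 is ordinary bursty browsing.
SAMPLE_PROXY_LOG = """\
2026-02-03T09:00:00 10.1.1.5 alice GET cdn-sync.example.test 200 420
2026-02-03T09:00:00 10.1.1.7 bob GET news.example.test 200 51200
2026-02-03T09:00:03 10.1.1.7 bob GET news.example.test 200 8800
2026-02-03T09:01:40 10.1.1.7 bob GET news.example.test 200 9100
2026-02-03T09:05:00 10.1.1.5 alice GET cdn-sync.example.test 200 420
2026-02-03T09:07:00 10.1.1.7 bob GET news.example.test 304 0
2026-02-03T09:07:02 10.1.1.7 bob GET news.example.test 200 7700
2026-02-03T09:09:50 10.1.1.5 alice GET cdn-sync.example.test 200 420
2026-02-03T09:12:00 10.1.1.7 bob GET mail.example.test 200 3000
2026-02-03T09:15:10 10.1.1.5 alice GET cdn-sync.example.test 200 420
2026-02-03T09:20:05 10.1.1.5 alice GET cdn-sync.example.test 200 420
2026-02-03T09:24:55 10.1.1.5 alice GET cdn-sync.example.test 200 420
2026-02-03T09:30:00 10.1.1.5 alice GET cdn-sync.example.test 200 420
2026-02-03T09:30:00 10.1.1.7 bob GET news.example.test 200 45000
2026-02-03T09:45:00 10.1.1.7 bob GET mail.example.test 200 3100
"""


def parse_proxy_line(line):
    """Parse one constructed log line into a dict; None for blank or garbled lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src_ip, user, method, host, status, nbytes = parts
    try:
        return {
            "time": datetime.fromisoformat(ts),
            "src_ip": src_ip,
            "user": user,
            "method": method,
            "dest_host": host,
            "status": int(status),
            "bytes": int(nbytes),
        }
    except ValueError:
        return None


def load_records(text):
    return [r for r in (parse_proxy_line(l) for l in text.splitlines()) if r]


def find_beacons(records, min_count=5, max_jitter_ratio=0.2):
    """Return (src_ip, dest_host) pairs whose inter-request intervals are regular.

    Regularity is stdev/mean of the intervals: a 300 s beacon with +/-10 %
    jitter scores far below max_jitter_ratio, human browsing far above it.
    The page's SPL uses an absolute stdev < 60 s and count > 20 instead."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src_ip"], r["dest_host"])].append(r["time"])
    hits = []
    for (src_ip, host), times in by_pair.items():
        if len(times) < max(min_count, 2):
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        sd = pstdev(intervals)
        if avg > 0 and sd / avg <= max_jitter_ratio:
            hits.append({
                "src_ip": src_ip,
                "dest_host": host,
                "count": len(times),
                "avg_interval": round(avg, 1),
                "stdev_interval": round(sd, 1),
            })
    return sorted(hits, key=lambda h: h["avg_interval"])


if __name__ == "__main__":
    for hit in find_beacons(load_records(SAMPLE_PROXY_LOG)):
        print(hit)
```

Lower the thresholds only while testing; in production the page's `count > 20` is a better starting floor, because four or five evenly spaced requests happen by chance all the time (page polling, keepalives), and the ratio threshold should be tuned against the environment's known automation.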

User Agent Analysis

Unusual user agents may indicate malware:

  • Rare user agents in the environment
  • User agents not matching the operating system
  • Known malware user agent strings
  • Missing or malformed user agents

Domain Analysis

  • High entropy domain names (DGA detection)
  • Newly registered domains
  • Domains with unusual TLDs
  • Long subdomains (potential data encoding)
  • Domains not matching expected business traffic
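The three checks that can be computed from the host name alone (label entropy for DGA detection, subdomain length for encoded data, and an unexpected TLD), as an added Python example that is not part of the original page. The registrable label is taken naively as the second-to-last label (a real deployment would use a public-suffix list), the TLD watch list and the sample hosts are constructed, and the thresholds are starting points to tune.

```python
"""Domain-name screening for proxy/DNS telemetry: entropy of the registrable
label (DGA indicator), overlong subdomains (data encoding) and watch-listed
TLDs. Added example, not from the original page."""
import math
from collections import Counter

# Constructed watch list of TLDs this environment does not expect to see;
# tune it to the business (assumption for the example).
WATCHED_TLDS = {"xyz", "top", "zip"}


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def split_host(host):
    """Naive split into (subdomain, registrable_label, tld).

    Assumption: the registrable label is the second-to-last label. A real
    deployment would consult a public-suffix list so that 'co.uk' and
    similar multi-label suffixes are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", labels[0], ""
    return ".".join(labels[:-2]), labels[-2], labels[-1]


def analyze_domain(host, entropy_threshold=3.5, min_label_len=10, max_subdomain_len=50):
    """Return the host's features plus the list of flags worth hunting on."""
    subdomain, label, tld = split_host(host)
    entropy = shannon_entropy(label)
    flags = []
    # Short labels can score high by chance, so require some length as well.
    if len(label) >= min_label_len and entropy >= entropy_threshold:
        flags.append("high_entropy")
    if len(subdomain) > max_subdomain_len:
        flags.append("long_subdomain")
    if tld in WATCHED_TLDS:
        flags.append("watched_tld")
    return {
        "host": host,
        "label": label,
        "entropy": round(entropy, 3),
        "subdomain_len": len(subdomain),
        "flags": flags,
    }


# Constructed sample hosts as they would appear in the proxy 'Host' field.
SAMPLE_HOSTS = [
    "www.example.com",                        # ordinary
    "xk3q9v2mzp7l.net",                       # DGA-like: 12 distinct characters
    ("q7f3k9" * 10) + ".tunnel.example.net",  # 60-char label in the subdomain
    "login.example-promo.top",                # watch-listed TLD
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(analyze_domain(h))
```

Entropy alone produces false positives on CDN and cloud hostnames whose labels are hashes by design, which is why the subdomain is not included in the entropy check and why the output keeps the raw features rather than a single verdict; the newly-registered-domain check from the list above needs a WHOIS or threat-intelligence lookup and is not covered here.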

Volume Anomalies

  • Users with unusually high upload volumes
  • Hosts with connection counts far above baseline
  • Large transfers during off-hours
  • Sudden spikes in external traffic

Hunting Queries

Outbound to Rare Destinations

Splunk:

index=firewall action=allow direction=outbound
| stats count by dest_ip
| where count < 5
| lookup geoip dest_ip OUTPUT country
| table dest_ip, count, country

Large Uploads

Splunk:

index=proxy method=POST
| stats sum(bytes_out) as total_upload by user, dest_host
| where total_upload > 100000000
| sort -total_upload

Blocked Then Allowed

An attacker may probe until they find an allowed path:

index=proxy src_ip=* dest_host=*
| transaction src_ip, dest_host maxspan=1h
| search action=blocked AND action=allowed
| table _time, src_ip, dest_host, action
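The same blocked-then-allowed sequence as the `transaction ... maxspan=1h` search, as an added Python example rather than code from the page. It groups events by (source IP, destination host), finds an allowed request that follows one or more blocked ones within the window, and additionally reports how many blocks preceded the allow and when the first one happened. The event tuples are constructed sample data.

```python
"""Blocked-then-allowed sequences: for each (src_ip, dest_host) pair, find an
'allowed' request that follows one or more 'blocked' ones within a window.
Added example, not from the original page."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy events: (timestamp, src_ip, dest_host, action).
# 10.2.2.9 is blocked twice and then allowed 20 minutes later (inside 1 h);
# 10.2.2.4 is allowed four hours after its block, which is outside the window.
PROXY_EVENTS = [
    ("2026-02-03T10:00:00", "10.2.2.9", "files.example-share.test", "blocked"),
    ("2026-02-03T10:00:04", "10.2.2.9", "files.example-share.test", "blocked"),
    ("2026-02-03T10:20:30", "10.2.2.9", "files.example-share.test", "allowed"),
    ("2026-02-03T08:00:00", "10.2.2.9", "intranet.example.test", "allowed"),
    ("2026-02-03T11:00:00", "10.2.2.4", "ads.example.test", "blocked"),
    ("2026-02-03T15:00:00", "10.2.2.4", "ads.example.test", "allowed"),
]


def blocked_then_allowed(events, maxspan_seconds=3600):
    """Return findings where an allowed request follows blocked ones within maxspan.

    Events are sorted per pair so input order does not matter. An allowed
    request closes the current probing sequence; blocks older than maxspan
    relative to the allow are not counted."""
    maxspan = timedelta(seconds=maxspan_seconds)
    by_pair = defaultdict(list)
    for ts, src_ip, host, action in events:
        by_pair[(src_ip, host)].append((datetime.fromisoformat(ts), action))

    findings = []
    for (src_ip, host), evs in by_pair.items():
        evs.sort()
        recent_blocks = []
        for t, action in evs:
            if action == "blocked":
                recent_blocks.append(t)
                continue
            if action != "allowed":
                continue
            in_window = [b for b in recent_blocks if t - b <= maxspan]
            if in_window:
                findings.append({
                    "src_ip": src_ip,
                    "dest_host": host,
                    "blocked_attempts": len(in_window),
                    "first_blocked": in_window[0].isoformat(),
                    "allowed_at": t.isoformat(),
                })
            recent_blocks = []  # an allow ends the probing sequence
    return findings


if __name__ == "__main__":
    for f in blocked_then_allowed(PROXY_EVENTS):
        print(f)
```

A blocked-then-allowed pair on its own is often a category false positive being corrected by the proxy admin or a user retrying a different URL on the same host, so the count of preceding blocks and the elapsed time are the fields to triage on.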

HTTP to Suspicious Ports

index=proxy NOT dest_port IN (80, 443, 8080, 8443)
| stats count by dest_host, dest_port
| sort -count

Firewall Deny Analysis

Denied connections reveal reconnaissance and policy violations:

  • Internal hosts scanning internal ranges
  • Blocked outbound to known bad IPs
  • Repeated connection attempts to blocked services
  • East-west traffic that should not exist

Splunk:

index=firewall action=deny
| stats count by src_ip, dest_ip, dest_port
| where count > 100
| sort -count

Correlation with Other Sources

Proxy to Endpoint

  • Match proxy requests to endpoint process creation
  • Identify which process made a suspicious request
  • Correlate file downloads with endpoint file creation

Proxy to DNS

  • Match DNS queries to subsequent proxy requests
  • Identify DNS queries without corresponding proxy traffic (bypass)
  • Detect DNS-based exfiltration that bypasses the proxy
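The second item in the list above, DNS queries with no corresponding proxy request, as an added Python example (not the page's own code). Each external name a client resolves is matched against proxy requests from the same client for that host within a short window after the query; names that are never seen at the proxy are reported as possible proxy bypass. The DNS and proxy records, the internal-suffix list that is exempt from the check, and the window length are all constructed assumptions.

```python
"""DNS-to-proxy correlation: every external name a client resolves should be
followed by a proxy request for that host; names never seen at the proxy
point to traffic that bypassed it. Added example, not the page's code."""
import bisect
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS query records: (timestamp, src_ip, qname).
DNS_QUERIES = [
    ("2026-02-03T12:00:00", "10.3.3.10", "www.example.test"),
    ("2026-02-03T12:00:05", "10.3.3.10", "drop.example-exfil.test"),
    ("2026-02-03T12:01:00", "10.3.3.11", "www.example.test"),
    ("2026-02-03T12:02:00", "10.3.3.11", "fileserver.corp.example.test"),
]
# Constructed proxy request records: (timestamp, src_ip, dest_host).
# 10.3.3.10 reaches www.example.test via the proxy 2 s after resolving it but
# never shows up at the proxy for drop.example-exfil.test; 10.3.3.11's proxy
# request comes 10 minutes after the query, outside the default window.
PROXY_REQUESTS = [
    ("2026-02-03T12:00:02", "10.3.3.10", "www.example.test"),
    ("2026-02-03T12:11:00", "10.3.3.11", "www.example.test"),
]

# Assumption: internal names are resolved and reached directly, never via the proxy.
INTERNAL_SUFFIXES = (".corp.example.test",)


def _ts(s):
    return datetime.fromisoformat(s)


def dns_without_proxy(dns_queries, proxy_requests, window_seconds=300,
                      internal_suffixes=INTERNAL_SUFFIXES):
    """Return DNS queries with no proxy request from the same client for that
    host within window_seconds after the query."""
    window = timedelta(seconds=window_seconds)

    # Index proxy requests by (client, host) with sorted timestamps so each
    # lookup is a binary search rather than a scan.
    proxy_times = defaultdict(list)
    for ts, src_ip, host in proxy_requests:
        proxy_times[(src_ip, host.lower().rstrip("."))].append(_ts(ts))
    for times in proxy_times.values():
        times.sort()

    flagged = []
    for ts, src_ip, qname in dns_queries:
        name = qname.lower().rstrip(".")
        if name.endswith(internal_suffixes):
            continue
        t = _ts(ts)
        times = proxy_times.get((src_ip, name), [])
        i = bisect.bisect_left(times, t)  # first proxy request at or after the query
        if i < len(times) and times[i] - t <= window:
            continue
        flagged.append({"time": ts, "src_ip": src_ip, "qname": qname})
    return flagged


if __name__ == "__main__":
    for hit in dns_without_proxy(DNS_QUERIES, PROXY_REQUESTS):
        print(hit)
```

Expect noise from names resolved for non-HTTP protocols (mail, NTP, software update agents with their own egress) and from resolver caching, which means a client may reach a host without a fresh query; the internal-suffix exemption and the window are the two knobs to tune, and a firewall allow for the same client and destination IP confirms that the traffic left the network without the proxy.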

Firewall to Authentication

  • Correlate lateral movement in firewall logs with authentication events
  • Match denied traffic to user sessions
  • Identify which user account is associated with suspicious traffic

Validation and False Positives

  • Legitimate automation: Monitoring systems, updates, and backups generate traffic
  • Cloud services: SaaS applications may have unusual patterns
  • CDN and shared hosting: Multiple sites on the same IP
  • VPN and remote work: Traffic patterns differ from on-premises

Build context with asset inventory and application documentation.

Escalation Guidance

Escalate when analysis reveals:

  • Confirmed C2 communication to malicious infrastructure
  • Evidence of data exfiltration
  • Malware beaconing from multiple hosts
  • Successful bypass of security controls
  • Suspicious traffic from privileged systems

