I have a squid proxy log that I want to mine for persistent connections from my client workstations to the internet (i.e. TeamViewer, GoToMyPC, spyware C&C, etc.).
Looking to do a search to determine if clients connect to the same URL or IP address during each 1 hour period of the prior 24 hours.
I have started with this search:
index=proxy | bucket _time span=1h | stats count by _time,user,url | sort - user
This gives me a list of all URLs by user with counts. I think I then need to search this result for all occurrences by user by hour for each URL to determine whether they appear in all 24 hourly periods.
Suggestions? Thoughts? Thanks
How to generate a search to find persistent connections between client workstations to the internet?
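As an added example (not part of the original post or of Splunk), the same "present in every hour of the last 24" check done directly over squid native-format access.log lines in Python, so the logic can be tested before it is turned into a search. The log lines, the users, the hosts and the reference time `NOW` are all constructed for the example. It keys on the destination host (or host:port for CONNECT) rather than the full URL, because a beacon that rotates paths or query strings would never match 24 times on the exact URL:

```python
"""Find (user, destination) pairs seen in every 1-hour bucket of a 24-hour window,
from squid native-format access.log lines. All sample data below is constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

WINDOW_HOURS = 24
HOUR = 3600
NOW = 1_700_000_000   # constructed reference time; only used to make the sample deterministic


def parse_line(line):
    """Parse one squid native-format line into (epoch, user, client_ip, dest), or None.

    Native format: time elapsed client code/status bytes method url user hier/peer type.
    dest is the host (host:port for CONNECT) so that many URLs on one site collapse."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        epoch = float(fields[0])
    except ValueError:
        return None
    client_ip, method, url, user = fields[2], fields[5], fields[6], fields[7]
    if method == "CONNECT":
        dest = url                          # CONNECT lines carry host:port, not a URL
    else:
        dest = urlsplit(url).netloc or url
    if user == "-":
        user = client_ip                    # no auth user: fall back to the client address
    return epoch, user, client_ip, dest


def persistent_destinations(lines, now, window_hours=WINDOW_HOURS):
    """Return {(user, dest): hours_seen} for pairs seen in every whole hour of the window.

    The window is the `window_hours` complete hours ending at the hour boundary at or
    before `now`; the current, incomplete hour is deliberately excluded."""
    end = int(now) // HOUR * HOUR
    start = end - window_hours * HOUR
    hours = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        epoch, user, _ip, dest = rec
        if not (start <= epoch < end):      # ignore traffic outside the window
            continue
        hours[(user, dest)].add(int(epoch) // HOUR)
    return {k: len(v) for k, v in hours.items() if len(v) == window_hours}


def _line(epoch, user, method, url, client="10.0.0.5"):
    # Constructed squid native-format line (hypothetical hosts and addresses).
    return (f"{epoch:.3f}    120 {client} TCP_MISS/200 512 {method} {url} {user} "
            f"HIER_DIRECT/203.0.113.10 text/html")


def sample_log():
    """Constructed 24 hours of traffic: one hourly beacon, one noisy CDN, two normal users."""
    lines = []
    base = NOW // HOUR * HOUR - WINDOW_HOURS * HOUR
    for h in range(WINDOW_HOURS):
        t = base + h * HOUR + 300                                  # five minutes past each hour
        lines.append(_line(t, "alice", "CONNECT", "relay.example.net:443"))      # hourly beacon
        lines.append(_line(t, "alice", "GET", f"http://cdn.example.org/asset{h}.js"))  # varying URLs
        if h != 13:                                                # bob skips one hour
            lines.append(_line(t, "bob", "GET", "http://news.example.com/", client="10.0.0.7"))
        if h % 3 == 0:
            lines.append(_line(t, "bob", "GET", "http://mail.example.com/inbox", client="10.0.0.7"))
    # Traffic just before the window and a malformed line must not count.
    lines.append(_line(base - HOUR, "bob", "GET", "http://news.example.com/", client="10.0.0.7"))
    lines.append("garbage line")
    return lines


if __name__ == "__main__":
    for (user, dest), n in sorted(persistent_destinations(sample_log(), NOW).items()):
        print(f"{user:8} {dest:28} seen in {n}/{WINDOW_HOURS} hours")
```

Note that `cdn.example.org` shows up alongside the real beacon: keying on host instead of URL trades false negatives for false positives, so a CDN/allow-list (or a second pass that also requires low byte counts and regular intervals) is normally applied to the result. In SPL the equivalent idea, as a sketch rather than a tested search, is to count distinct hourly buckets per pair and keep those with all 24, e.g. `index=proxy earliest=-24h@h latest=@h | bucket _time span=1h | stats dc(_time) AS hours BY user,url | where hours=24`, with `url` replaced by an extracted host field for the same reason.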