GCIH · Question #667
Which of the following is a normal finding that an incident handler would expect to see while reviewing the squid proxy logs for a small business with a single office?
The correct answer is B. Consistent set of user agents. A small single-office business typically standardizes on a limited number of browsers and devices, so a consistent set of HTTP user agent strings in squid proxy logs is a normal, expected baseline finding.
Question
Which of the following is a normal finding that an incident handler would expect to see while reviewing the squid proxy logs for a small business with a single office?
Options
- AIncrementing protocol numbers
- BConsistent set of user agents
- CSequential protocol methods
- DPredictable set of session identifiers
How the community answered
(46 responses)- A4% (2)
- B76% (35)
- C13% (6)
- D7% (3)
Why each option
A small single-office business typically standardizes on a limited number of browsers and devices, so a consistent set of HTTP user agent strings in squid proxy logs is a normal, expected baseline finding.
Incrementing protocol numbers in proxy logs suggest automated or crafted traffic such as scanning activity and are anomalous rather than a normal expected finding.
In a small business with one physical location, employees share a standardized computing environment with a predictable selection of browsers and operating systems, producing a narrow and repeatable set of HTTP user agent strings in outbound proxy traffic. An analyst reviewing squid logs would expect to see the same few user agents repeatedly throughout the day and should treat newly appearing or exotic user agents as potentially anomalous. Consistency of user agents serves as a useful baseline indicator because deviation from that baseline can signal malware, unauthorized devices, or scripted automation.
Sequential protocol methods are not a characteristic pattern of legitimate user-driven web browsing and would raise suspicion of scripted or automated traffic.
Predictable session identifiers represent a security vulnerability in session management and are not an expected or normal characteristic of legitimate proxy log traffic.
Concept tested: Baseline normal user agent analysis in proxy logs
Topics
Community Discussion
No community discussion yet for this question.