nerdexam
GIAC

GCIH · Question #667

Which of the following is a normal finding that an incident handler would expect to see while reviewing the squid proxy logs for a small business with a single office?

The correct answer is B. Consistent set of user agents. A small single-office business typically standardizes on a limited number of browsers and devices, so a consistent set of HTTP user agent strings in squid proxy logs is a normal, expected baseline finding.

Incident Response & Cyber Kill Chain

Question

Which of the following is a normal finding that an incident handler would expect to see while reviewing the squid proxy logs for a small business with a single office?

Options

  • AIncrementing protocol numbers
  • BConsistent set of user agents
  • CSequential protocol methods
  • DPredictable set of session identifiers

How the community answered

(46 responses)
  • A
    4% (2)
  • B
    76% (35)
  • C
    13% (6)
  • D
    7% (3)

Why each option

A small single-office business typically standardizes on a limited number of browsers and devices, so a consistent set of HTTP user agent strings in squid proxy logs is a normal, expected baseline finding.

AIncrementing protocol numbers

Incrementing protocol numbers in proxy logs suggest automated or crafted traffic such as scanning activity and are anomalous rather than a normal expected finding.

BConsistent set of user agentsCorrect

In a small business with one physical location, employees share a standardized computing environment with a predictable selection of browsers and operating systems, producing a narrow and repeatable set of HTTP user agent strings in outbound proxy traffic. An analyst reviewing squid logs would expect to see the same few user agents repeatedly throughout the day and should treat newly appearing or exotic user agents as potentially anomalous. Consistency of user agents serves as a useful baseline indicator because deviation from that baseline can signal malware, unauthorized devices, or scripted automation.

CSequential protocol methods

Sequential protocol methods are not a characteristic pattern of legitimate user-driven web browsing and would raise suspicion of scripted or automated traffic.

DPredictable set of session identifiers

Predictable session identifiers represent a security vulnerability in session management and are not an expected or normal characteristic of legitimate proxy log traffic.

Concept tested: Baseline normal user agent analysis in proxy logs

Topics

#proxy log analysis#user agent analysis#anomaly detection#baseline behavior

Community Discussion

No community discussion yet for this question.

Full GCIH Practice