"Henrik Nordstrom" <henrik@henriknordstrom.net> wrote in message
news:1179939625.31121.48.camel@henriknordstrom.net...
>ons 2007-05-23 klockan 17:46 +0100 skrev Markus Moeller:
>> Is it possible to log the bytes in and out of a connection made with the
>> CONNECT method. ? I am looking at identifying users misusing the SSL
>> connection as a "remote access" solution and was wondering if byte
>> in/byte
>> out ratios could be used to identify the misuse without decrypting the
>> session.
>
>Squid only keeps a single total counter for CONNECT requests. To get
>them split you need to extend the code to keep two counters.
Do you have a pointer where in the code I have to look for it ?
>
>> Are there other known ways besides IP-address/hostname blacklisting to
>> identify HTTPS tunnels ?
>
>Most isn't actually using SSL, so a IDS system looking for odd traffic
>in CONNECT requests will trap many of them (but not all).
Correct. But I am specifically interested in the bad guys which use SSL.
>
>Regards
>Henrik
Thank you
Markus
Received on Wed May 23 2007 - 12:26:51 MDT
This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:05 MDT