[squid-users] Re: Squid log details - HTTPS tunnel detection

From: Markus Moeller <huaraz@dont-contact.us>
Date: Wed, 23 May 2007 19:25:24 +0100

"Henrik Nordstrom" <henrik@henriknordstrom.net> wrote in message
news:1179939625.31121.48.camel@henriknordstrom.net...
>ons 2007-05-23 klockan 17:46 +0100 skrev Markus Moeller:
>> Is it possible to log the bytes in and out of a connection made with the
>> CONNECT method? I am looking at identifying users misusing the SSL
>> connection as a "remote access" solution and was wondering if byte in/byte
>> out ratios could be used to identify the misuse without decrypting the
>> session.
>
>Squid only keeps a single total counter for CONNECT requests. To get
>them split you need to extend the code to keep two counters.

Do you have a pointer to where in the code I have to look for it?

>
>> Are there other known ways besides IP-address/hostname blacklisting to
>> identify HTTPS tunnels?
>
>Most aren't actually using SSL, so an IDS system looking for odd traffic
>in CONNECT requests will trap many of them (but not all).

Correct. But I am specifically interested in the bad guys who use SSL.

>
>Regards
>Henrik

Thank you
Markus
Received on Wed May 23 2007 - 12:26:51 MDT
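The byte-ratio idea from the exchange above, as an added example that is not part of the original thread or of Squid: it assumes Squid has been extended, as Henrik describes, to keep two counters per CONNECT tunnel and to write them as the last two fields of each access.log line (a hypothetical logformat; the sample lines are constructed). Long-lived, upload-heavy tunnels are flagged, since ordinary HTTPS browsing downloads far more than it uploads.

```python
from collections import namedtuple

# Hypothetical extended log line (not stock 2007 Squid, which logs one total):
#   <unix ts> <elapsed ms> <client ip> <code/status> <method> <host:port>
#   <bytes client->server> <bytes server->client>
TunnelEntry = namedtuple(
    "TunnelEntry", "ts elapsed_ms client host bytes_up bytes_down ratio")

# Constructed sample lines; not real traffic.
SAMPLE_LOG = """\
1179939600.123 1200 10.0.0.5 TCP_TUNNEL/200 CONNECT mail.example.com:443 21000 27000
1179939601.456 3600000 10.0.0.7 TCP_TUNNEL/200 CONNECT host.example.net:443 8700000 300000
1179939602.789 800 10.0.0.9 TCP_TUNNEL/200 CONNECT www.example.org:443 6000 144000
1179939603.000 500 10.0.0.9 TCP_MISS/200 GET http://www.example.org/index.html 600 14000
"""


def parse_connect_entries(log_text):
    """Return a TunnelEntry for every CONNECT line; other methods are skipped."""
    entries = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[4] != "CONNECT":
            continue
        ts, elapsed, client, _status, _method, host, up, down = fields
        up, down = int(up), int(down)
        # A tunnel that only ever sends data is the most suspicious shape of all,
        # so treat a zero download count as an infinite ratio rather than an error.
        ratio = up / down if down else float("inf")
        entries.append(TunnelEntry(float(ts), int(elapsed), client, host,
                                   up, down, ratio))
    return entries


def flag_suspicious(entries, min_ratio=2.0, min_elapsed_ms=600_000):
    """Flag tunnels that are both upload-heavy (client sent >= min_ratio times
    what it received) and long-lived (>= min_elapsed_ms), the profile of an
    interactive remote-access session rather than a page download."""
    return [e for e in entries
            if e.ratio >= min_ratio and e.elapsed_ms >= min_elapsed_ms]


if __name__ == "__main__":
    for e in flag_suspicious(parse_connect_entries(SAMPLE_LOG)):
        print(f"{e.client} -> {e.host}: {e.elapsed_ms / 1000:.0f}s, "
              f"up/down ratio {e.ratio:.1f}")
```

The thresholds are starting points to tune against a baseline of the site's own CONNECT traffic; a short upload-heavy tunnel is usually just a form post or file upload.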