Re: [squid-users] Re: Squid log details - HTTPS tunnel detection

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Mon, 28 May 2007 22:20:44 +0200

Mon 2007-05-28 at 14:44 +0100, Markus Moeller wrote:

> So it looks like it could help determine malicious use of proxies even if
> only a few shell commands are executed.

Don't forget POST requests, which may give any ratio <> 1 depending on
the use..

Someone POST:ing a large file to a simple page (or smaller than the
POST:ed data): < 1

Someone POST:ing small amount to a large page: > 1

And with all the Web2.0 stuff being done these days you'll never really
know..

A packet size distribution might work more reliably. ssh, imap, pop etc.
have a lot of very small command packets, while HTTP with its larger
syntax nearly always has quite big packets..

Another question: Would you be interested in contributing your code
changes? Others might be interested in this for statistics purposes.

Regards
Henrik

Received on Mon May 28 2007 - 14:20:51 MDT
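
The two heuristics discussed in this message, byte ratio and packet size distribution, compared side by side as an added example (not part of the original message and not Squid code). It assumes per-packet payload sizes for each CONNECT tunnel are available from a capture or an instrumented proxy; the cutoffs and the sample tunnels are constructed for illustration.

```python
from statistics import median

SMALL = 128         # bytes; assumed cutoff for a "small" payload
SMALL_SHARE = 0.6   # assumed share of small payloads that marks a tunnel interactive


def profile(sizes_out, sizes_in):
    """Summarise one CONNECT tunnel from its per-packet payload sizes.

    sizes_out: client -> server payloads, sizes_in: server -> client payloads.
    Returns None for a tunnel that carried no payload at all.
    """
    all_sizes = list(sizes_out) + list(sizes_in)
    if not all_sizes:
        return None
    out_bytes = sum(sizes_out)
    return {
        # in/out byte ratio: the measure the thread shows to be ambiguous
        "ratio": sum(sizes_in) / out_bytes if out_bytes else float("inf"),
        # share of small payloads: the packet size distribution measure
        "small_share": sum(1 for s in all_sizes if s <= SMALL) / len(all_sizes),
        "median": median(all_sizes),
    }


def looks_interactive(p):
    """True when small payloads dominate, as with ssh/imap/pop style command traffic."""
    return p is not None and p["small_share"] >= SMALL_SHARE


# Constructed sample tunnels: (client -> server sizes, server -> client sizes)
SAMPLES = {
    "https_browse": ([517, 126, 420, 380],
                     [1460, 1460, 1460, 1200, 1460, 1460, 900]),
    "https_upload": ([517, 1460, 1460, 1460, 1460, 1460, 1100],
                     [1460, 800, 250]),
    "ssh_shell":    ([48, 48, 52, 48, 64, 48, 48, 52],
                     [48, 96, 48, 112, 48, 640, 48, 80]),
}


def classify(samples=SAMPLES):
    """Map each tunnel name to (ratio rounded to 2 places, interactive flag)."""
    result = {}
    for name, (out, inn) in samples.items():
        p = profile(out, inn)
        result[name] = (round(p["ratio"], 2), looks_interactive(p))
    return result


if __name__ == "__main__":
    for name, (ratio, flag) in classify().items():
        print(f"{name:13s} ratio={ratio:5.2f} interactive={flag}")
```

In the constructed data the browsing and ssh tunnels both have a ratio above 1 and the upload falls below 1, so the ratio does not isolate the ssh tunnel, while the small-payload share does.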
