On Wed 2003-02-12 at 12:40, Gavin Hamill wrote:
> Actually, do the squid logs contain how much time elapsed during the CONNECT?
Yes. The duration column shows how long the connection was held open.
(squid native access.log format only)
Note: In some conditions fully valid https:// traffic may keep a
connection open for an extended period of time if there is periodic traffic
more frequently than the persistent connections timeout in the browser
and/or server, for example if a user has an automatically refreshing
window open with a https://... URL such as a stock rates display or
similar.
> Microsoft ISA would probably implement this as a 'Tunnel Stealth Mode'
> integrated into the main application, but I don't believe it's desirable for
> squid to perform this task in itself, hence the suggestion of monitoring the
> log files.
Using SNORT or other IDS applications is probably a good idea. Not at
all hard to set up a filter to detect when someone is running SSH over
port 443... just look for the SSH signature in response to a connection
to port 443.
-- Henrik Nordstrom <hno@squid-cache.org> MARA Systems AB, Sweden
Received on Wed Feb 12 2003 - 09:36:39 MST
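Added example (not part of the original message): a sketch of the log-monitoring approach discussed above, reading the duration column of Squid's native access.log to list CONNECT tunnels held open longer than a threshold. The log lines, host names and the 30-minute threshold are constructed assumptions; as the reply notes, a long-lived but valid https:// session can also exceed it, so hits are candidates for review rather than verdicts.

```python
# Native access.log fields (whitespace separated):
#   time elapsed_ms client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1045053600.123     840 10.0.0.5 TCP_MISS/200 5120 CONNECT shop.example.com:443 - DIRECT/192.0.2.10 -
1045053700.456 7200000 10.0.0.9 TCP_MISS/200 913442 CONNECT host.example.net:443 - DIRECT/192.0.2.77 -
1045053800.789     120 10.0.0.5 TCP_MISS/200 2048 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html
1045053900.000 2700000 10.0.0.7 TCP_MISS/200 88211 CONNECT quotes.example.com:443 - DIRECT/192.0.2.30 -
truncated line
"""  # constructed sample data, not real traffic

THRESHOLD_MS = 30 * 60 * 1000  # assumed review threshold: 30 minutes


def long_connects(lines, threshold_ms=THRESHOLD_MS):
    """Return CONNECT entries whose duration column is >= threshold_ms."""
    hits = []
    for line in lines:
        fields = line.split()
        # Need at least the first seven columns, and only tunnels are of interest.
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        try:
            elapsed_ms, size = int(fields[1]), int(fields[4])
        except ValueError:
            continue  # skip malformed or truncated entries
        if elapsed_ms >= threshold_ms:
            hits.append({
                "client": fields[2],
                "target": fields[6],
                "minutes": elapsed_ms / 60000,
                "bytes": size,
            })
    # Longest-held tunnels first, so they are reviewed first.
    return sorted(hits, key=lambda h: h["minutes"], reverse=True)


if __name__ == "__main__":
    for hit in long_connects(SAMPLE_LOG.splitlines()):
        print("{client} -> {target}: {minutes:.0f} min, {bytes} bytes".format(**hit))
```

The constructed quotes.example.com entry stands in for the auto-refreshing https:// page case: it is flagged by duration alone and has to be ruled out by other means, such as the IDS check suggested in the message.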