On Wed, 30 Nov 2011, David Touzeau wrote:
> On Wednesday 30 November 2011 at 11:14 +1300, Amos Jeffries wrote:
>>
>> ... missing log line...
>>
>>> Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: By user agent:
>>> Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
>>> InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
>>> 3.0.4506.2152; .NET CLR 3.5.30729)
>>> Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: on URL:
>>> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
>>
>> ... missing log line...
>>
>>> Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: By user agent:
>>> Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
>>> InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
>>> 3.0.4506.2152; .NET CLR 3.5.30729)
>>> Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: on URL:
>>> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
>>
>>
>> Which brings us back to the question of where the key log line has
>> disappeared to.
>>
>> The log line which says "Host header forgery from $C ($A does not match
>> $B)"
>>
>> What those $ values are is important to how to fix it. $C is the
>> connection details needed to isolate the machine to investigate. $A and
>> $B the details which it is getting wrong.
>
> But these are the only events that I can see:
>
> ~# cat /var/log/syslog |grep -E "squid\[[0-9]+"|tail -n 500
>
> Can I do something more?

grep '^Nov 29 22:18:5' /var/log/syslog

then look for the log lines Amos needs.

-- 
 John Hardin KA7OHZ http://www.impsec.org/~jhardin/
 jhardin_at_impsec.org FALaholic #11174 pgpk -a jhardin_at_impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
 does quite what I want. I wish Christopher Robin was here."
 -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
 26 days until Christmas

Received on Tue Nov 29 2011 - 23:55:13 MST
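
The check discussed in this thread, as an added example that is not part of the original messages: it groups squid `SECURITY ALERT` syslog lines per alert and reports whether the "Host header forgery from $C ($A does not match $B)" line is present, extracting $C, $A and $B when it is. The function names, the sample log and the placeholder addresses are constructed, and the forgery line's layout is assumed to follow the wording Amos quotes.

```shell
#!/bin/sh
# Constructed sample input. The 22:18:57 alert mirrors the thread (forgery line
# absent); the 22:18:59 alert adds one in the wording Amos quotes, with
# placeholder values for $C, $A and $B.
sample_log() {
cat <<'EOF'
Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: By user agent: Mozilla/4.0 (compatible; MSIE 8.0)
Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: on URL: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: Host header forgery from 192.0.2.10:51234 (198.51.100.7 does not match www.example.com)
Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: By user agent: Mozilla/4.0 (compatible; MSIE 8.0)
Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: on URL: http://www.example.com/
EOF
}

# Hypothetical helper: groups SECURITY ALERT lines by timestamp and squid PID
# (assumes at most one alert per PID per second) and prints one summary per
# alert, flagging groups that lack the forgery line.
squid_alert_report() {
  awk '
    $5 ~ /^squid\[[0-9]+\]:$/ && index($0, "SECURITY ALERT: ") {
      tag = "SECURITY ALERT: "
      key = $1 " " $2 " " $3 " " $5
      if (!(key in seen)) { seen[key] = 1; order[++n] = key }
      msg = substr($0, index($0, tag) + length(tag))
      pre = "Host header forgery from "
      sep = " does not match "
      if (index(msg, pre) == 1 && index(msg, " (") && index(msg, sep)) {
        rest = substr(msg, length(pre) + 1)      # "$C ($A does not match $B)"
        i = index(rest, " (")
        inner = substr(rest, i + 2)
        sub(/\)$/, "", inner)                    # drop the closing parenthesis
        j = index(inner, sep)
        c = substr(rest, 1, i - 1)
        a = substr(inner, 1, j - 1)
        b = substr(inner, j + length(sep))
        forg[key] = "C=" c " A=" a " B=" b
      } else if (index(msg, "on URL: ") == 1) {
        url[key] = substr(msg, length("on URL: ") + 1)
      }
    }
    END {
      for (k = 1; k <= n; k++) {
        key = order[k]
        print key, ((key in forg) ? forg[key] : "forgery-line=MISSING"), "url=" url[key]
      }
    }
  '
}

sample_log | squid_alert_report
```

On a real host, feed it the window John's grep selects, for example `grep '^Nov 29 22:18:5' /var/log/syslog | squid_alert_report`.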