This is something I too have been very interested in doing; however, my squid fu is quite weak :-(

Suggestions on how to do it, or a way to incorporate the logs from an Astaro box to do the same things!

- Robert
(Arch3Angel)

On 6/23/11 6:57 AM, Ben Jackson wrote:
On Wed, Jun 22, 2011 at 6:54 PM, Jim Halfpenny <[email protected]> wrote:
On 22 June 2011 17:17, Michael Lubinski <[email protected]> wrote:
What methods were you using to analyze the proxy logs for out of the norm
behavior?
grep?
Pretty much. I had a script that took logs from our corporate proxy,
and extracted the URL, HTTP return code, and MIME type. From there it
took the MIME type and looked to see if it was some kind of executable
code, Java, or PDF, and if so, downloaded it. There were also some
behavioral tests it did. From there I had to manually classify it.
There was a good amount of false positives but my idea was to develop
a whitelist of hosts to ignore and after a while, I think it would
have given alerts on "abnormal" hosts.

I no longer have the script (Wrote it at $OLD_JOB's) however, if
someone gives me access to a Squid log, I can replicate it pretty
easily.



_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
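As an added illustration of the approach Ben describes above (this is not his script, nor anything from the list), here is a small Python parser for Squid's default native access.log format that pulls out the URL, HTTP status code and MIME type, flags successful downloads whose MIME type indicates executable code, Java or PDF, and suppresses anything from a host on an analyst-maintained whitelist. The log lines, the whitelist entries and the hostnames in them are constructed for the example; the set of "suspect" MIME types is an assumption you would tune to your own environment.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Squid native log format (assumption: the default "squid" logformat):
# time elapsed client action/code size method URL ident hierarchy/peer content-type
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<code>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s*$"
)

# MIME types worth a second look: executables, Java, PDF (assumed list, tune locally).
SUSPECT_MIME = {
    "application/x-msdownload", "application/x-msdos-program", "application/x-dosexec",
    "application/octet-stream", "application/vnd.microsoft.portable-executable",
    "application/java-archive", "application/x-java-applet", "application/java-vm",
    "application/pdf",
}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "1308765432.123    245 10.0.0.15 TCP_MISS/200 51234 GET http://download.example.com/setup.exe - DIRECT/203.0.113.7 application/x-msdownload",
    "1308765433.001     12 10.0.0.15 TCP_MISS/200 8342 GET http://www.example.org/index.html - DIRECT/203.0.113.8 text/html",
    "1308765434.550    901 10.0.0.22 TCP_MISS/200 220011 GET http://cdn.vendor.example/tool.jar - DIRECT/203.0.113.9 application/java-archive",
    "1308765435.200     33 10.0.0.22 TCP_MISS/404 412 GET http://bad.example.net/a.pdf - DIRECT/203.0.113.10 text/html",
    "1308765436.700    560 10.0.0.31 TCP_MISS/200 77215 GET http://bad.example.net/invoice.pdf - DIRECT/203.0.113.10 application/pdf",
]

# Constructed whitelist: hosts the analyst has already classified as benign.
WHITELIST = {"cdn.vendor.example"}


def host_of(url):
    """Return the lowercase hostname; CONNECT requests are logged as host:port with no scheme."""
    if "://" in url:
        return (urlparse(url).hostname or "").lower()
    return url.split(":", 1)[0].lower()


def parse_line(line):
    """Parse one native-format line into a dict, or None if it does not match."""
    m = SQUID_NATIVE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    rec["mime"] = rec["mime"].lower().split(";")[0]  # drop any charset parameter
    rec["host"] = host_of(rec["url"])
    return rec


def is_whitelisted(host, whitelist):
    """Exact match or subdomain of a whitelisted host."""
    return any(host == w or host.endswith("." + w) for w in whitelist)


def is_suspect(rec, whitelist):
    """Flag completed (200) fetches of executable/Java/PDF content from unknown hosts."""
    if rec is None or rec["code"] != 200:
        return False
    if rec["mime"] not in SUSPECT_MIME:
        return False
    return not is_whitelisted(rec["host"], whitelist)


def scan(lines, whitelist):
    """Return (client, host, mime, url) tuples for every line that needs manual review."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if is_suspect(rec, whitelist):
            alerts.append((rec["client"], rec["host"], rec["mime"], rec["url"]))
    return alerts


def hosts_by_hits(alerts):
    """Hosts ranked by alert count: a starting point for the whitelist review pass."""
    return Counter(a[1] for a in alerts).most_common()


if __name__ == "__main__":
    found = scan(SAMPLE_LOG, WHITELIST)
    for client, host, mime, url in found:
        print(f"{client} fetched {mime} from {host}: {url}")
    print("review candidates:", hosts_by_hits(found))
```

Run against the sample, the whitelisted JAR from cdn.vendor.example and the 404 are dropped, leaving the two downloads that an analyst would classify; hosts that keep showing up benign get added to WHITELIST, which is how the false-positive rate comes down over time.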