[squid-users] problem with urlpath_regex

From: Alexander Chelidze <chelidze@dont-contact.us>
Date: Wed, 8 Aug 2001 17:34:30 +0500

Hi,

I have squid 2.4.stable1, installed on linux 6.2.
A few days ago I noticed that from time to time squid hung; it did not open
connections to 8080.

I examined the logs and, using netstat, detected a lot of connections to 8080.
It was one user's IIS virus, 'Code Red', which sent requests to other
web servers (I use transparency for http), so it hung my proxy.

The requests were of type:

997098888.366 145 INFECTED_MACHINE_IP NONE/411 1559 GET http://111.54.151.163/default.ida? - NONE/- -
997103647.734 129 INFECTED_MACHINE_IP NONE/411 1592 GET http://www.worm.com/default.ida? - NONE/- -

The destination of most of them was www.worm.com, but there were also IP addresses
from the 192 and 111 classes.

I decided to use the following access list:
acl CodeRed urlpath_regex \/default\.ida\?
http_access deny CodeRed

So it works when I send a request which contains the "/default.ida?" text,
and the entries in the log were of this type:
997251176.495 3 MY_IP TCP_DENIED/403 1040 GET http://Some-domain/default.ida? - NONE/- -

But today
I discovered non-blocked entries (with code NONE/411) in my access.log:
997213182.091 57 INFECTED_MACHINE_IP NONE/411 1559 GET http://217.106.234.17/default.ida? - NONE/- -

What can be the reason for this?
Received on Wed Aug 08 2001 - 01:39:55 MDT
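An added example, not from the post or from Squid itself: it replays the post's acl pattern against constructed access.log lines and tallies, per client and Squid result code, which Code Red requests the ACL denied (TCP_DENIED/403) and which were logged as NONE/411 without ever being denied, which is the distinction the poster needs to investigate. The log lines and client IPs are made up; it assumes urlpath_regex is matched against the path including the query string, as the post's own log entries show.

```python
import re
from collections import Counter

# Constructed access.log lines in Squid's native format, modelled on the
# entries quoted in the post (timestamps and IPs are made up).
SAMPLE_LOG = """\
997098888.366 145 10.0.0.5 NONE/411 1559 GET http://111.54.151.163/default.ida? - NONE/- -
997103647.734 129 10.0.0.5 NONE/411 1592 GET http://www.worm.com/default.ida? - NONE/- -
997251176.495 3 10.0.0.9 TCP_DENIED/403 1040 GET http://example.test/default.ida? - NONE/- -
997251180.120 210 10.0.0.9 TCP_MISS/200 5120 GET http://example.test/index.html - DIRECT/192.0.2.10 text/html
"""

# The pattern from the post's "acl CodeRed urlpath_regex" line.
CODERED_URLPATH_RE = re.compile(r"\/default\.ida\?")


def url_path(url):
    """Return the part of an absolute URL that urlpath_regex is matched
    against: everything from the first '/' after the host, query included."""
    m = re.match(r"^[a-z]+://[^/]*(/.*)?$", url, re.I)
    return (m.group(1) or "/") if m else url


def parse_line(line):
    """Pull client, result code, method and URL out of a native-format line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "result": fields[3],
            "method": fields[5], "url": fields[6]}


def audit(log_text):
    """Count requests whose path matches the CodeRed acl, keyed by
    (client, result code). A NONE/411 entry here means the path did match
    the regex, so the ACL pattern is not what let the request through."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if CODERED_URLPATH_RE.search(url_path(rec["url"])):
            hits[(rec["client"], rec["result"])] += 1
    return hits


if __name__ == "__main__":
    for (client, result), n in sorted(audit(SAMPLE_LOG).items()):
        print(f"{client:16} {result:16} {n}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's contents; a client that shows up with many NONE/411 hits is an infected host whose requests Squid rejected before http_access was evaluated.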
