Quoting Henrik Nordstrom <hno@squid-cache.org>:
>
>
> On Wed, 20 Oct 2004, oke wrote:
>
> > Can you tell me which pattern to grep to checkout existence of virus
> > or spyware?
>
> A common sign is lots of request for random IP addresses, or very high
> failure ratio (TCP_MISS/5XX or TCP_MISS/404)
>
> Regards
> Henrik
>
And also, look for many:
TCP_DENIED/407 : software unable to authenticate (if you use authentication)
TCP_DENIED/400 : misconfigured automatic software trying to access wrong URLs
for example:
407 : a widespread PDF reader v6.0.0 (corrected in v6.0.1)
400 : misconfigured yahoo toolbar accessing companion site with ";" in the URL
awk '$4 ~ /TCP_DENIED\/400/' /usr/local/squid/logs/access.log
Andrew.
Received on Wed Oct 20 2004 - 04:31:40 MDT
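The indicators from both messages (high TCP_MISS/5xx or TCP_MISS/404 ratio, requests to bare IP addresses, repeated TCP_DENIED/407 and TCP_DENIED/400) as a per-client triage script over Squid's native access.log format. This is an added example, not code from either poster or from the Squid project; the sample log lines are constructed, the field positions (client is field 3, code/status field 4, URL field 7) follow the native log format the awk one-liner above relies on, and the thresholds in flag_clients are arbitrary starting points to tune.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
# 10.0.0.9 behaves like infected software (raw-IP targets, mostly failures),
# 10.0.0.12 like a misconfigured toolbar (repeated TCP_DENIED/400).
SAMPLE_LOG = """\
1098262800.123    120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1098262801.456     80 10.0.0.5 TCP_HIT/200 2048 GET http://www.example.com/logo.gif - NONE/- image/gif
1098262802.001     10 10.0.0.9 TCP_MISS/404 340 GET http://198.51.100.17/cgi-bin/x - DIRECT/198.51.100.17 text/html
1098262802.002     11 10.0.0.9 TCP_MISS/503 340 GET http://203.0.113.44/a.php - DIRECT/203.0.113.44 text/html
1098262802.003     12 10.0.0.9 TCP_MISS/404 340 GET http://198.51.100.90/x - DIRECT/198.51.100.90 text/html
1098262802.004      5 10.0.0.9 TCP_DENIED/407 1200 GET http://203.0.113.7/ping - NONE/- text/html
1098262803.100      4 10.0.0.12 TCP_DENIED/400 900 GET http://toolbar.example.net/companion;foo - NONE/- text/html
1098262803.200      4 10.0.0.12 TCP_DENIED/400 900 GET http://toolbar.example.net/companion;bar - NONE/- text/html
1098262804.000     95 10.0.0.12 TCP_MISS/200 7000 GET http://www.example.org/ - DIRECT/192.0.2.10 text/html
this line is deliberately malformed
"""


def parse_line(line):
    """Return (client, code/status, url) from a native-format line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[2], fields[3], fields[6]


def is_ip_target(url):
    """True when the request host is an IP literal rather than a name."""
    # CONNECT requests are logged as "host:port" with no scheme; prefix "//"
    # so urlsplit treats the string as a network location.
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def summarize(log_text):
    """Count per-client totals and the indicator hits; return (stats, skipped_lines)."""
    stats = defaultdict(lambda: {"total": 0, "failures": 0, "denied_407": 0,
                                 "denied_400": 0, "ip_targets": 0})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        client, code_status, url = parsed
        s = stats[client]
        s["total"] += 1
        code, _, status = code_status.partition("/")
        # Henrik's indicator: TCP_MISS with a 5xx or 404 status.
        if code == "TCP_MISS" and (status.startswith("5") or status == "404"):
            s["failures"] += 1
        # Andrew's indicators: authentication and malformed-request denials.
        elif code == "TCP_DENIED" and status == "407":
            s["denied_407"] += 1
        elif code == "TCP_DENIED" and status == "400":
            s["denied_400"] += 1
        if is_ip_target(url):
            s["ip_targets"] += 1
    return dict(stats), skipped


def flag_clients(stats, min_requests=3, ratio=0.5, min_denied=2):
    """Return {client: [reasons]} for clients crossing the (assumed) thresholds."""
    flagged = {}
    for client, s in stats.items():
        reasons = []
        if s["total"] >= min_requests:
            if s["failures"] / s["total"] >= ratio:
                reasons.append("high TCP_MISS/5xx+404 ratio")
            if s["ip_targets"] / s["total"] >= ratio:
                reasons.append("mostly raw-IP destinations")
        if s["denied_407"] >= min_denied:
            reasons.append("repeated TCP_DENIED/407")
        if s["denied_400"] >= min_denied:
            reasons.append("repeated TCP_DENIED/400")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    stats, skipped = summarize(SAMPLE_LOG)
    for client, reasons in sorted(flag_clients(stats).items()):
        print(client, stats[client], "->", ", ".join(reasons))
    print("skipped malformed lines:", skipped)
```

Run it against a real log with `summarize(open("/usr/local/squid/logs/access.log").read())`; the ratio thresholds only apply once a client has sent min_requests requests, so a single failed lookup does not get a workstation flagged, while a handful of 407s or 400s from one client is reported regardless of its total volume.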