RE: [squid-users] Squid and Mirrored Router Ports

From: Edward C. Jakosalem <list@dont-contact.us>
Date: Wed, 18 Apr 2007 09:45:27 +1000 (EST)

> Ed, are you sure your management doesn't mean SNORT? I think that's
> what you're looking for. It's a pretty good IDS system. Squid's pretty
> serial in nature... What goes in must come out kind of thing. SNORT
> sits on your backbone and passively monitors/records traffic.
> Dave

Hi Dave. Nope, they really meant Squid. They don't want it any other way.

Edward
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@treenet.co.nz]
> Sent: Tuesday, April 17, 2007 3:11 PM
> To: list@telpacific.com.au; squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid and Mirrored Router Ports
>
>
> Edward C. Jakosalem wrote:
>>> Hi,
>>>
>>> Edward C. Jakosalem wrote:
>>>>> tis 2007-04-17 klockan 20:55 +1000 skrev Edward C. Jakosalem:
>>>>>
>>>>>> I have posted this same problem before but I want to post it again
>>>>>> because I am pressured to make this work with Squid. I know that
>>>>>> Squid's use is either an accelerator or proxy or both. But we want
>>>>>> Squid to _only_ capture web traffic and log them, that's all. As such,
>>>>>> I have configured my server to act as transparent proxy.
>>>>> I don't quite get what you are trying to do here.. Do you want
>>>>> Squid to act as a transparent proxy by intercepting port 80 traffic
>>>>> and have it redirected to Squid, or do you just want to audit the
>>>>> port 80 traffic without actually touching the packets by just
>>>>> listening on a switch mirror/monitor port?
>>>> I actually just need squid to act as transparent proxy so I can log
>>>> traffic. I don't care how squid will do this, I just need the logs.
>>>> And the reason why we use the mirrored port is that we don't want
>>>> browsing affected in case this server goes down.
>>> So you want Squid to be in the path but don't want it to affect
>>> anything if it goes down? That can't be done, unless you can use
>>> WCCP to ignore it if it's down. Never played with WCCP so I don't
>>> know if it's possible. I've always 'done the right thing' and told
>>> my browsers about the proxy!
>>>
>>>
>>>>> The first can be done by Squid, and any of the interception methods
>>>>> will work. WCCP, Policy routing etc..
>>>>>
>>>>> The second is not a job for Squid. You need a packet
>>>>> analyzer/auditor for this. There is quite many different ones
>>>>> depending on what you are looking for..
>>>> We specifically need the Squid log format that's why we want to make
>>>> this work with squid. My boss doesn't want it any other way. :-(
>>> Why must he have Squid format logs? What's his business reason for
>>> having to have them in that format?
>>
>> I honestly don't know. But the aim is to have a record of our
>> customers' browsing activities and retain the logs for 6 months.
>>
>>> Squid is probably the wrong tool for the job and won't work how
>>> you've got it set up now so why not look around at other tools that
>>> are designed for the job?
>>
>> I already did and told him that. I actually have a program called
>> _packit_ up and running. I also found some other useful ones as well.
>> But management said Squid can do it and if I can't make it to work,
>> they will seek help from someone who knows how to. Hey, what's a lowly
>> employee like me to do? :-(
>
> Well, it seems to have come down to who you trust to know more about the
> software: the people who wrote it, or your managers and whoever gave
> them the idea that squid was capable.
>
> Without knowing who your management are or their experience levels I am
> thinking at this point that I have heard this story before. It sounds
> like your management are not technical people and have been told by a
> contact elsewhere that another business use squid to 'record logs of all
> our customers activities' then jumped to conclusions.
>
> Squid _can_ sit between your clients and the web and do it. But it does
> need to be in the actual traffic path.
>
> SO, you can take a proposal to your management (maybe with costings) for
> a robust set of squid cache(s) to be your gateway to the net, you are in
> the best position to know what is needed for your company given that
> 'cannot fail' requirement you mentioned earlier.
>
> OR, I'm sure between us all we can work up a suitable large quote for
> the work it would take a developer to make squid capable of sitting on a
> mirror port. (I'll start the bidding randomly at a nice round $500k and
> see where that goes if you like ;-).
>
> OR, you can go back to your management with our (developers and expert
> users) support for the argument that squid cannot do it in any known
> version and get them to supply the source of their 'it can' information
> to help you do it. As an aside, if they actually come up with a source
> we'd like to know who's doing it.
>
>
> Amos
>
>
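The distinction drawn in the thread is that a mirror port calls for a passive packet analyzer, while Squid must sit in the traffic path. As an added illustration (not Squid code and not from anyone in this thread), the sketch below shows how such a passive tool could still write lines in Squid's native access.log layout from request/response pairs it has already reassembled; the Observed record, the sample exchange, and tagging every line TCP_MISS are assumptions of the example.

```python
"""Passive HTTP audit records rendered as Squid native access.log lines (added example)."""
import re
from dataclasses import dataclass

# One reassembled exchange as a passive sniffer on a mirror port would see it.
# The record layout is an assumption of this example, not a Squid structure.
@dataclass
class Observed:
    ts: float          # request time, epoch seconds
    elapsed_ms: int    # response time minus request time
    client: str
    server: str
    request: bytes
    response: bytes    # empty if no response was captured

REQ_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

def headers(raw: bytes) -> dict:
    """Lower-cased header map from the head of a request or response."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    out = {}
    for line in head.split(b"\r\n")[1:]:      # skip the request/status line
        if b":" in line:
            k, _, v = line.partition(b":")
            out[k.strip().decode(errors="replace").lower()] = v.strip().decode(errors="replace")
    return out

def squid_line(o: Observed):
    """Native format: ts elapsed client action/status size method url ident hier/from type."""
    m = REQ_LINE.match(o.request)
    if not m:
        return None                           # not an HTTP/1.x request line (e.g. TLS); skip
    method, target = m.group(1).decode(), m.group(2).decode()
    url = target if target.startswith("http") else f"http://{headers(o.request).get('host', o.server)}{target}"
    status = o.response.split(b" ", 2)[1].decode() if o.response.startswith(b"HTTP/") else "000"
    ctype = headers(o.response).get("content-type", "-").split(";")[0].strip() or "-"
    # A passive observer has no cache, so every exchange is tagged TCP_MISS (assumption);
    # the size field is the bytes the server sent, which Squid counts as delivered to the client.
    return (f"{o.ts:.3f} {o.elapsed_ms:6d} {o.client} TCP_MISS/{status} {len(o.response)} "
            f"{method} {url} - DIRECT/{o.server} {ctype}")

# Constructed sample exchange using RFC 5737 documentation addresses.
SAMPLE = Observed(1176853527.123, 42, "192.0.2.10", "198.51.100.7",
                  b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
                  b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\nhello")

if __name__ == "__main__":
    print(squid_line(SAMPLE))
```

Reassembling TCP streams and pairing requests with responses is the analyzer's job; this block only covers the final formatting step.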
Received on Tue Apr 17 2007 - 17:45:31 MDT

This archive was generated by hypermail pre-2.1.9 : Tue May 01 2007 - 12:00:01 MDT