[squid-users] Re: Squid log details - HTTPS tunnel detection

From: Markus Moeller <huaraz@dont-contact.us>
Date: Mon, 28 May 2007 14:44:55 +0100

FYI

With a modified squid (at the source Henrik pointed to), I get

Outgoing ssh (only command was ls and then exit)

1180183741.678 6328 127.0.0.1 TCP_MISS/200 7432 5036 2396 CONNECT
opensuse.suse.home:22 - DIRECT/192.168.1.7 -

5036 = Bytes written to client (Inbound)
2396 = Bytes written to server (Outbound)

Ratio 2.10, like normal surfing, which has a ratio > 1

The same as above, only tunneled via stunnel to have a real SSL connection
1180188642.907 7747 192.168.1.7 TCP_MISS/200 13380 9102 4278 CONNECT
opensuse.suse.home:443 - DIRECT/192.168.1.7 -

9102 = Bytes written to client (Inbound)
4278 = Bytes written to server (Outbound)

Ratio 2.13, like normal surfing, which has a ratio > 1

Normal HTTPS traffic looks like:

 1180183683.128 405 192.168.1.10 TCP_MISS/200 11177 9824 1353 CONNECT
www.hsbc.co.uk:443 - DIRECT/193.108.74.209 -
 1180183683.197 468 192.168.1.10 TCP_MISS/200 7561 6197 1364 CONNECT
www.hsbc.co.uk:443 - DIRECT/193.108.74.209 -

Ratio 7.26 and 4.54

Outgoing ssh with remote port forwarding and an incoming ssh connection (only
command was ls and then exit). THIS IS A MISUSE EXAMPLE

1180183763.638 13448 127.0.0.1 TCP_MISS/200 15352 6076 9276 CONNECT
opensuse.suse.home:22 - DIRECT/192.168.1.7 -

6076 = Bytes written to client (Inbound)
9276 = Bytes written to server (Outbound)

Ratio 0.655

As expected, a ratio < 1

The same as above, only tunneled via stunnel to have a real SSL connection
 1180188667.142 16940 192.168.1.7 TCP_MISS/200 22664 8863 13801 CONNECT
opensuse.suse.home:443 - DIRECT/192.168.1.7 -

8863 = Bytes written to client (Inbound)
13801 = Bytes written to server (Outbound)

Ratio 0.642

As expected, a ratio < 1

So it looks like it could help in determining malicious use of proxies even if
only a few shell commands are executed.

Regards
Markus

"Henrik Nordstrom" <henrik@henriknordstrom.net> wrote in message
news:1179951639.31121.71.camel@henriknordstrom.net...
>On Wed 2007-05-23 at 19:25 +0100, Markus Moeller wrote:
>
>> >Squid only keeps a single total counter for CONNECT requests. To get
>> >them split you need to extend the code to keep two counters.
>>
>> Do you have a pointer where in the code I have to look for it ?
>
>There are a couple of different places.
>
>The CONNECT traffic is all processed in ssl.c. The counter is updated in
>sslWriteClient & sslWriteServer.
>
> *sslState->size_ptr += len;
>
>This size_ptr is given to ssl.c as part of the sslStart() call from
>client_side.c.
>
>Finally client_side.c also hands the counters down to the access logging
>code in the call to accessLogLog().
>
>Regards
>Henrik
Received on Mon May 28 2007 - 07:51:23 MDT
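The inbound/outbound ratio check from the post, turned into a small log scanner. This is an added example, not code from the thread or from Squid: it assumes the extended access.log layout visible in Markus's lines (three byte counts after the status field: total, bytes written to the client, bytes written to the server), which is an inference from the posted lines rather than a documented Squid format. The sample log is the six CONNECT lines from the post, re-joined onto single lines, plus two constructed lines (a plain GET and a CONNECT with zero outbound bytes) to exercise the skip paths. The functions, field names and thresholds are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Extended access.log line as produced by the two-counter patch discussed in
# the thread.  Field layout is an ASSUMPTION inferred from the posted lines:
#   ts elapsed client result total to_client to_server method url ident hier ctype
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<total>\d+)\s+(?P<to_client>\d+)\s+(?P<to_server>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Lines 1-6 are from the post (wrapped lines re-joined); lines 7-8 are constructed.
SAMPLE_LOG = """\
1180183741.678 6328 127.0.0.1 TCP_MISS/200 7432 5036 2396 CONNECT opensuse.suse.home:22 - DIRECT/192.168.1.7 -
1180188642.907 7747 192.168.1.7 TCP_MISS/200 13380 9102 4278 CONNECT opensuse.suse.home:443 - DIRECT/192.168.1.7 -
1180183683.128 405 192.168.1.10 TCP_MISS/200 11177 9824 1353 CONNECT www.hsbc.co.uk:443 - DIRECT/193.108.74.209 -
1180183683.197 468 192.168.1.10 TCP_MISS/200 7561 6197 1364 CONNECT www.hsbc.co.uk:443 - DIRECT/193.108.74.209 -
1180183763.638 13448 127.0.0.1 TCP_MISS/200 15352 6076 9276 CONNECT opensuse.suse.home:22 - DIRECT/192.168.1.7 -
1180188667.142 16940 192.168.1.7 TCP_MISS/200 22664 8863 13801 CONNECT opensuse.suse.home:443 - DIRECT/192.168.1.7 -
1180183700.000 120 192.168.1.10 TCP_HIT/200 5120 GET http://example.test/ - NONE/- text/html
1180183800.000 50 192.168.1.10 TCP_MISS/200 300 300 0 CONNECT dead.example:443 - DIRECT/10.0.0.1 -
"""


@dataclass
class ConnectEntry:
    ts: float
    elapsed_ms: int
    client: str
    url: str
    to_client: int   # "inbound" in the post: bytes the proxy wrote to the client
    to_server: int   # "outbound" in the post: bytes the proxy wrote to the origin

    @property
    def ratio(self) -> Optional[float]:
        # inbound / outbound; undefined (None) when nothing went outbound,
        # rather than dividing by zero or pretending it is infinite.
        if self.to_server == 0:
            return None
        return self.to_client / self.to_server


def parse_line(line: str) -> Optional[ConnectEntry]:
    """Parse one extended log line; None for non-CONNECT or unrecognised lines."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "CONNECT":
        return None
    return ConnectEntry(
        ts=float(m.group("ts")),
        elapsed_ms=int(m.group("elapsed")),
        client=m.group("client"),
        url=m.group("url"),
        to_client=int(m.group("to_client")),
        to_server=int(m.group("to_server")),
    )


def flag_reverse_tunnels(lines: Iterable[str], max_ratio: float = 1.0,
                         min_bytes: int = 2000) -> List[Tuple[ConnectEntry, float]]:
    """Return (entry, ratio) for CONNECTs whose inbound/outbound ratio is below max_ratio.

    min_bytes drops tiny tunnels: a CONNECT that carried little more than a
    TLS handshake before dying has a ratio that means nothing either way.
    Thresholds are hypothetical starting points, not tuned values.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.ratio is None:
            continue
        if entry.to_client + entry.to_server < min_bytes:
            continue
        if entry.ratio < max_ratio:
            hits.append((entry, entry.ratio))
    return hits


if __name__ == "__main__":
    for entry, ratio in flag_reverse_tunnels(SAMPLE_LOG.splitlines()):
        print(f"{entry.client} -> {entry.url}: ratio {ratio:.3f} "
              f"({entry.to_client} in / {entry.to_server} out, {entry.elapsed_ms} ms)")
```

Run against the sample, only the two "misuse" lines from the post (ratios 0.655 and 0.642) are flagged; the four normal CONNECTs stay above 1 and the zero-outbound line is skipped rather than crashing the scan. Treat a low ratio as a triage signal, not a verdict: an HTTPS file upload or webmail attachment inverts the ratio just as a reverse-forwarded ssh session does, so in practice you would pair this with the elapsed time (long-lived CONNECTs) and the destination port before raising anything.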
