[squid-users] Squid rules analyser

From: Alberto Cappadonia <alberto.cappadonia_at_polito.it>
Date: Tue, 16 Jun 2009 16:14:27 +0200

Dear squid users,

we are developing a Java-based tool to analyse content-filtering rules
(acl, http_access, ...) for squid.

The objective is to provide administrators with a tool that helps them
identify potential mistakes in the squid configuration.

In more detail, the aims are:
- identifying conflicts and anomalies in the squid configuration file
- presenting anomalies to the administrators for further decisions
(e.g., mistakenly empty rules, acl intersection areas, hidden rules)
- optimising rules by removing redundant or shadowed rules

The conflict model is the geometric/algebraic one presented in this paper:
http://security.polito.it/doc/pub_r/policy2008.pdf

The tool fully supports basic set operations for all the acl types in
squid v3.0 (IP addresses, ports, proto and all the ones based on regular
expressions, ...).

Briefly, the workflow of the tool is:
- read and parse squid.conf for content filtering rules (internal
geometric rule representation)
- analyse rules for potential conflicts and anomalies
- interact with the administrators
- export the optimised and anomaly-free squid.conf

We have finished the conflict detector and resolver engine and the parser,
and we are improving the GUI for reporting the anomalies to administrators.
We guess we will have the beta version in a couple of weeks.

We would be glad if you could give us your opinion about the tool (especially
about improvements and integrations) in order to make it as effective as
possible. For this, it would be very useful if any developer/administrator
were interested in using/testing it (or at least in providing us with a few
real configuration files).

Regards,
Cataldo Basile
Alberto Cappadonia
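As an added example that is not part of the original post and is not the tool described in it, the following Python script shows the set-based analysis the post describes, applied to a constructed squid.conf fragment. Each src or port ACL becomes a set, an http_access line becomes the product of the sets of the ACLs it references (squid ANDs the ACLs on one line, and a leading `!` complements a single ACL within its own dimension), and walking the rules in evaluation order reports rules that are empty, hidden by an earlier rule with the opposite action, redundant with an earlier rule with the same action, or partially overlapping with an earlier rule of opposite action. The sample configuration, the function names and the anomaly labels are assumptions made for this example; it models only src and port ACLs over IPv4, so the regex-based ACL types the post mentions are out of scope here.

```python
"""Set-based anomaly detection for squid http_access rules (src/port ACLs, IPv4 only)."""
import ipaddress
from dataclasses import dataclass

ALL_PORTS = frozenset(range(1, 65536))           # squid port ACLs cover 1-65535
ANY_SRC = (ipaddress.ip_network("0.0.0.0/0"),)   # assumption: IPv4 clients only

# Constructed squid.conf fragment for the demo, not taken from a real deployment
SAMPLE_CONF = """\
acl localnet src 10.0.0.0/8 192.168.0.0/16
acl eng src 10.1.0.0/16
acl dmz src 172.16.0.0/24
acl Safe_ports port 80 443
acl SSL_ports port 443
acl admin_ports port 443 8443
http_access deny !Safe_ports
http_access allow localnet Safe_ports
http_access deny eng SSL_ports
http_access allow eng dmz
http_access allow dmz admin_ports
http_access deny all
"""

def subtract(nets, others):
    """Parts of the networks in `nets` not covered by any network in `others`."""
    for o in others:
        rest = []
        for n in nets:
            if n.subnet_of(o):
                continue                          # fully covered: drop it
            rest.extend(n.address_exclude(o) if o.subnet_of(n) else [n])
        nets = rest
    return tuple(nets)

def parse_ports(tokens):
    """['80', '1025-65535'] -> frozenset of port numbers."""
    ports = set()
    for t in tokens:
        lo, _, hi = t.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(ports)

@dataclass
class Region:
    src: tuple          # union of source networks
    port: frozenset     # set of destination ports
    def is_empty(self):
        return not self.src or not self.port
    def __and__(self, other):                     # A ∩ B = A - (A - B), stays inside A
        return Region(subtract(self.src, subtract(self.src, other.src)),
                      self.port & other.port)
    def issubset(self, other):
        return not subtract(self.src, other.src) and self.port <= other.port

def acl_region(kind, values, negate):
    """Region of one ACL reference; '!' complements only the ACL's own dimension."""
    if kind == "src":
        return Region(subtract(ANY_SRC, values) if negate else values, ALL_PORTS)
    return Region(ANY_SRC, ALL_PORTS - values if negate else values)

def parse_conf(text):
    """[(line, action, Region)] for the http_access lines of a squid.conf."""
    acls = {"all": ("src", ANY_SRC)}              # squid's built-in 'all'
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "acl":
            if tok[2] == "src":
                acls[tok[1]] = ("src", tuple(ipaddress.ip_network(v) for v in tok[3:]))
            elif tok[2] == "port":
                acls[tok[1]] = ("port", parse_ports(tok[3:]))
            else:
                raise ValueError(f"acl type {tok[2]!r} is not modelled here")
        elif tok[0] == "http_access":
            region = Region(ANY_SRC, ALL_PORTS)   # squid ANDs the ACLs on one line
            for ref in tok[2:]:
                name = ref.lstrip("!")
                if name not in acls:
                    raise ValueError(f"undefined acl {name!r}")
                region = region & acl_region(*acls[name], ref.startswith("!"))
            rules.append((line.strip(), tok[1], region))
    return rules

def analyse(rules):
    """(rule index, anomaly, earlier rule involved or None), in evaluation order."""
    findings = []
    for j, (_, act_j, reg_j) in enumerate(rules):
        if reg_j.is_empty():
            findings.append((j, "empty", None))   # can never match: disjoint ACLs ANDed
            continue
        for i in range(j):
            _, act_i, reg_i = rules[i]
            if reg_i.is_empty():
                continue
            if reg_j.issubset(reg_i):             # an earlier rule takes every match
                findings.append((j, "redundant" if act_i == act_j else "hidden", i))
                break
            if reg_i.issubset(reg_j):             # generalisation, e.g. a closing 'deny all'
                continue
            if act_i != act_j and not (reg_j & reg_i).is_empty():
                findings.append((j, "correlated", i))  # partial overlap, opposite actions
    return findings
```

Calling `analyse(parse_conf(SAMPLE_CONF))` on the sample reports rule 2 as hidden by rule 1 (eng lies inside localnet and 443 inside Safe_ports, so the allow always fires first), rule 3 as empty (eng and dmz are disjoint source sets ANDed on one line), and rule 4 as correlated with rule 0 (8443 is not in Safe_ports, so the first deny already drops that part of the intended allow). A closing `deny all` that merely contains earlier rules is deliberately not reported, since that is the normal default-deny pattern rather than a mistake.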

Received on Tue Jun 16 2009 - 14:34:11 MDT

This archive was generated by hypermail 2.2.0 : Wed Jun 17 2009 - 12:00:04 MDT