RE: [squid-users] Squid 3.1.0.12 allowing MSN Messenger - 502

From: Daniel <Squid_at_ZoomEmail.com>
Date: Tue, 4 Aug 2009 12:16:55 -0400

Good afternoon,

        I'm making some real headway here and figured that I'd 'spam' the DL to let you guys know what's going on so far. I've done TCPDumps on the Squid server with -vvv & -s 0 to make sure that I'm capturing everything. Everything looked great, it's like a network/firewall issue. I came to realize that I have the same issue by going through our ISA server (bypassing the Firewall client). Upon contacting my network team we discovered that our Firewall is classifying the traffic as a WORM! I personally find that ridiculous but 'it is what it is'. I'm working on a solution to get around it and once we have it working I'll let everyone know if the chat information was correct to begin with or if any tweaks need to be made. I am fairly confident the whole issue is tied around the firewall.

Thanks to all who've answered.

Number: 552110
Date: 4Aug2009
Time: 11:59:27
Product: SmartDefense
Interface: eth0
Origin: cpfhdq01w
Type: Log
Action: Reject
Protocol: tcp
Service: http (80)
Source: SCLTHDQ01W (10.211.194.187)
Destination: 65.54.239.21
Source Port: 52082
Information: URL filter pattern detected: /gateway/gateway.dll
Attack: HTTP Worm Catcher
Attack Information: MSN Messenger Live 8

-Daniel

-----Original Message-----
From: Daniel [mailto:Squid_at_ZoomEmail.com]
Sent: Tuesday, August 04, 2009 8:39 AM
To: Squid-Users_at_Squid-Cache.org
Subject: RE: [squid-users] Squid 3.1.0.12 allowing MSN Messenger - 502 - WAIT!!

Crap Crap Crap!! Sorry guys I guess it's too early and I invalidated my test. It is *NOT* working as stated below... My utmost apologies.

Is there any trouble-shooting tips for this? I mean, how would I go about determining exactly where it's breaking?

Thanks!

============================================================================

Ok, I was able to get it working this morning. Perhaps someone can update the ConfigExample for Chat to include Windows Live Messenger?? Would someone please explain why what I did worked? To be honest I just decided to give it a shot and since I do not understand the ACL's yet I am confused.

All I did was add the following ACL:
acl msn1 req_mime_type application/x-msn-messenger

So I have two ACL's in regard to the mime type (and I question if I need the first one):
acl msn1 req_mime_type ^application/x-msn-messenger$
acl msn1 req_mime_type application/x-msn-messenger'

Any ideas of why this worked / what I was doing wrong??

-Daniel

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Monday, August 03, 2009 7:30 PM
To: Daniel
Cc: Squid-Users_at_Squid-Cache.org
Subject: Re: [squid-users] Squid 3.1.0.12 allowing MSN Messenger - 502

On Mon, 3 Aug 2009 17:09:31 -0400, "Daniel" <Squid_at_ZoomEmail.com> wrote:
> Ok, I have been banging my head against a few issues so I'll start with
> this
> one.
>
> I read on http://wiki.squid-cache.org/ConfigExamples/Chat where I can
make
> MSN Messenger work through Squid. I am trying to allow MSN Messenger
(Live)
> to work through Squid. I believe the issue is around this 502 error... I
> don't know, completely stumped.

MSN Messenger is not he same as MSN Messenger Live.

They are very different programs with very different access needs despite
sharing some of the network servers and being able to talk to each other.

You can help both yourself and others by tracking down exactly what the
program is trying to do. From my own brief brush with Live, I recall it
doing some form or HTTPS or SSL encrypted link directly with the servers
before it was allowed to have any web contact the proxy could relay.

The best bet is to try to isolate the computer running Live and see what
connections its making, how and to where.

Amos

>
> My Squid.conf is the following & the access.log error message:
>
> ================ BEGIN squid.conf BEGIN ================
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl TestPoolIPs src 10.211.213.135 10.211.212.40
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl sclthdq01w src 10.211.194.187/32 # custom acl for apache/cache
> manager
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access allow manager sclthdq01w
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> #http_access allow localnet
> http_access allow localhost
> http_access allow TestPoolIPs
>
> # MSN Messenger
> acl msn urlpath_regex -i /gateway/gateway.dll
> acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
> acl msn1 req_mime_type ^application/x-msn-messenger$
> http_access allow msnd
> http_access allow msn
> http_access allow msn1
>
> http_access deny all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> coredump_dir /usr/local/squid/var/cache
> cache_mem 512 MB
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> ================ END squid.conf END ================
>
> ================ BEGIN access.log snippet BEGIN ================
> 1249333460.877 167 10.211.212.40 TCP_MISS/502 4074 POST
> http://gateway.messenger.hotmail.com/gateway/gateway.dll? -
> DIRECT/65.54.239.21 text/html
> ================ END access.log snippet END ================
>
> I don't believe that this has anything to do with it now, but just as an
> FYI
> I tried to use another 'regex' command:
> acl msn url_regex -i gateway.dll
Received on Tue Aug 04 2009 - 16:17:18 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 05 2009 - 12:00:02 MDT