Re: [squid-users] SECURITY ALERT: Squid Cache: Version 3.2.0.13

From: David Touzeau <david_at_touzeau.eu>
Date: Thu, 01 Dec 2011 17:49:51 +0100

On Friday 02 December 2011 at 01:12 +1300, Amos Jeffries wrote:
> From: Amos Jeffries <squid3_at_treenet.co.nz>
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] SECURITY ALERT: Squid Cache: Version 3.2.0.13
> Date: Fri, 02 Dec 2011 01:12:40 +1300 (01/12/2011 13:12:40)
>
>
> On 1/12/2011 9:58 p.m., David Touzeau wrote:
> > On Wednesday 30 November 2011 at 11:14 +1300, Amos Jeffries wrote:
> >> On Tue, 29 Nov 2011 22:48:39 +0100, David Touzeau wrote:
> >>> Dear
> >>>
> >>> I'm trying to run Squid Cache: Version 3.2.0.13-20111127-r11436 in
> >>> transparent mode
> >>>
> >>> But squid refuses access to some websites
> >>> for example google.* is ok
> >>>
> >>> but microsoft is impossible.
> >>>
> >>> How do I fix this issue?
> >> Track down the client software which is producing the requests.
> >>
> >>> On event :
> >>>
> >>
> >> ... missing log line...
> >>
> >>> Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: By user agent:
> >>> Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
> >>> InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
> >>> 3.0.4506.2152; .NET CLR 3.5.30729)
> >>> Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: on URL:
> >>> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
> >> ... missing log line...
> >>
> >>> Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: By user agent:
> >>> Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
> >>> InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
> >>> 3.0.4506.2152; .NET CLR 3.5.30729)
> >>> Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: on URL:
> >>> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
> >>
> >> Which brings us back to the question of where the key log line has
> >> disappeared to.
> >>
> >> The log line which says "Host header forgery from $C ($A does not match
> >> $B)"
> >>
> >> What those $ values are is important to how to fix it. $C is the
> >> connection details needed to isolate the machine to investigate. $A and
> >> $B are the details which it is getting wrong.
> >>
> >> Amos
> >>
> >
> > I have made other tests.
> >
> > Here is the dump.
> >
> > Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
> > Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
> > InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
> > 3.0.4506.2152; .NET CLR 3.5.30729)
> > Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
> > http://db2.stb00.s-msn.com/i/42/72A83D0D39814D13CA15F184E71D2.jpg
> > Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
> > Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
> > InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
> > 3.0.4506.2152; .NET CLR 3.5.30729)
>
> Hmm, same as the last lot. Let's take another approach.
>
> Start with checking the actual cache.log (usually
> /var/logs/squid/cache.log or /var/log/squid/cache.log). syslog is only a
> copy and an unreliable one it appears.
>
> If you don't have a cache.log you will need to configure one to be
> written.
>
> If you are still getting useless data out of the cache.log you can try
> setting "debug_options 11,2" for a short period. This dumps the entire
> HTTP headers in both directions coming AND going from Squid. Which can
> be a lot of data if you have a high level of traffic. What we look for
> in that load is the "HTTP Client Request" and TCP details with same
> URL and User-Agent that are showing up in your alerts.
>
> Amos

Here is the log in debug mode:

----------
2011/12/01 17:49:14.106 kid1| HTTP Client local=4.26.235.254:80
remote=192.168.1.228:1074 FD 30 flags=33
2011/12/01 17:49:14.106 kid1| HTTP Client REQUEST:
---------
GET /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?1112011649 HTTP/1.1
Accept: */*
User-Agent: Windows-Update-Agent
Host: download.windowsupdate.com
Connection: Keep-Alive

----------
2011/12/01 17:49:14.106 kid1| HTTP Client local=4.26.235.254:80
remote=192.168.1.228:1074 FD 30 flags=33
2011/12/01 17:49:14.106 kid1| HTTP Client REPLY:
---------
HTTP/1.1 409 Conflict
Server: squid/3.2.0.13-20111127-r11436
Mime-Version: 1.0
Date: Thu, 01 Dec 2011 16:49:14 GMT
Content-Type: text/html
Content-Length: 4184
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from proxyweb
X-Cache-Lookup: NONE from proxyweb:3129
Via: 1.1 proxyweb (squid/3.2.0.13-20111127-r11436)
Connection: keep-alive

----------
2011/12/01 17:49:14.128 kid2| HTTP Client local=4.26.235.254:80
remote=192.168.1.228:1075 FD 33 flags=33
2011/12/01 17:49:14.128 kid2| HTTP Client REQUEST:
---------
HEAD /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?1112011649 HTTP/1.1
Accept: */*
User-Agent: Windows-Update-Agent
Host: download.windowsupdate.com
Connection: Keep-Alive

----------
2011/12/01 17:49:14.128 kid2| HTTP Client local=4.26.235.254:80
remote=192.168.1.228:1075 FD 33 flags=33
2011/12/01 17:49:14.128 kid2| HTTP Client REPLY:
---------
HTTP/1.1 409 Conflict
Server: squid/3.2.0.13-20111127-r11436
Mime-Version: 1.0
Date: Thu, 01 Dec 2011 16:49:14 GMT
Content-Type: text/html
Content-Length: 4186
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from proxyweb
X-Cache-Lookup: NONE from proxyweb:3129
Via: 1.1 proxyweb (squid/3.2.0.13-20111127-r11436)
Connection: keep-alive

----------
2011/12/01 17:49:14.133 kid2| HTTP Client local=4.26.235.254:80
remote=192.168.1.228:1075 FD 33 flags=33
2011/12/01 17:49:14.133 kid2| HTTP Client REQUEST:
---------
GET /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?1112011649 HTTP/1.1
Accept: */*
User-Agent: Windows-Update-Agent
Host: download.windowsupdate.com
Connection: Keep-Alive

----------
2011/12/01 17:49:14.133 kid2| HTTP Client local=4.26.235.254:80
remote=192.168.1.228:1075 FD 33 flags=33
2011/12/01 17:49:14.133 kid2| HTTP Client REPLY:
---------
HTTP/1.1 409 Conflict
Server: squid/3.2.0.13-20111127-r11436
Mime-Version: 1.0
Date: Thu, 01 Dec 2011 16:49:14 GMT
Content-Type: text/html
Content-Length: 4184
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from proxyweb
X-Cache-Lookup: NONE from proxyweb:3129
Via: 1.1 proxyweb (squid/3.2.0.13-20111127-r11436)
Connection: keep-alive

----------
2011/12/01 17:49:14.150 kid2| HTTP Client local=4.26.235.254:80
remote=192.168.1.228:1076 FD 33 flags=33
2011/12/01 17:49:14.150 kid2| HTTP Client REQUEST:
---------
HEAD /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?1112011649 HTTP/1.1
Accept: */*
User-Agent: Windows-Update-Agent
Host: download.windowsupdate.com
Connection: Keep-Alive

----------
2011/12/01 17:49:14.150 kid2| HTTP Client local=4.26.235.254:80
remote=192.168.1.228:1076 FD 33 flags=33
2011/12/01 17:49:14.150 kid2| HTTP Client REPLY:
---------
HTTP/1.1 409 Conflict
Server: squid/3.2.0.13-20111127-r11436
Mime-Version: 1.0
Date: Thu, 01 Dec 2011 16:49:14 GMT
Content-Type: text/html
Content-Length: 4186
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from proxyweb
X-Cache-Lookup: NONE from proxyweb:3129
Via: 1.1 proxyweb (squid/3.2.0.13-20111127-r11436)
Connection: keep-alive

----------
2011/12/01 17:49:14.155 kid2| HTTP Client local=4.26.235.254:80
remote=192.168.1.228:1076 FD 33 flags=33
2011/12/01 17:49:14.155 kid2| HTTP Client REQUEST:
---------
GET /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?1112011649 HTTP/1.1
Accept: */*
User-Agent: Windows-Update-Agent
Host: download.windowsupdate.com
Connection: Keep-Alive

----------
2011/12/01 17:49:14.155 kid2| HTTP Client local=4.26.235.254:80
remote=192.168.1.228:1076 FD 33 flags=33
2011/12/01 17:49:14.155 kid2| HTTP Client REPLY:
---------
HTTP/1.1 409 Conflict
Server: squid/3.2.0.13-20111127-r11436
Mime-Version: 1.0
Date: Thu, 01 Dec 2011 16:49:14 GMT
Content-Type: text/html
Content-Length: 4184
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from proxyweb
X-Cache-Lookup: NONE from proxyweb:3129
Via: 1.1 proxyweb (squid/3.2.0.13-20111127-r11436)
Connection: keep-alive
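
A small triage script, added here and not part of the thread, that does offline what Amos asks for: it parses the "HTTP Client" blocks of a debug_options 11,2 dump like the one above and replays the check Squid 3.2 applies in intercept mode, namely that the Host header must resolve to the IP the client actually connected to (local= in the dump); a mismatch is what Squid reports as a "Host header forgery" alert and answers with 409 Conflict. The log excerpt and the name-to-IP table (`resolve`) are constructed; on a real proxy the table would come from the proxy's own resolver.

```python
import re

SAMPLE_LOG = """2011/12/01 17:49:14.106 kid1| HTTP Client local=4.26.235.254:80 remote=192.168.1.228:1074 FD 30 flags=33
2011/12/01 17:49:14.106 kid1| HTTP Client REQUEST:
---------
GET /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab HTTP/1.1
User-Agent: Windows-Update-Agent
Host: download.windowsupdate.com

----------
2011/12/01 17:49:14.106 kid1| HTTP Client local=4.26.235.254:80 remote=192.168.1.228:1074 FD 30 flags=33
2011/12/01 17:49:14.106 kid1| HTTP Client REPLY:
---------
HTTP/1.1 409 Conflict
X-Squid-Error: ERR_INVALID_REQ 0
"""  # constructed excerpt shaped like the debug_options 11,2 cache.log dump in the thread
CONN_RE = re.compile(r"HTTP Client local=(\S+) remote=(\S+) FD (\d+)")

def parse_debug_log(text):
    """One record per REQUEST/REPLY block: socket details, first line, headers."""
    records, cur = [], None
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:  # local= is the intercepted destination, remote= the client socket
            cur = {"local": m.group(1), "remote": m.group(2), "headers": {}}
        elif cur is None or line.startswith("---"):
            continue
        elif line.rstrip().endswith(("REQUEST:", "REPLY:")):
            cur["kind"] = line.split()[-1][:-1]
            records.append(cur)
        elif not line.strip():
            cur = None  # blank line closes the header block
        elif "first" not in cur:
            cur["first"] = line.strip()  # request line or status line
        elif ":" in line:
            name, value = line.split(":", 1)
            cur["headers"][name.strip().lower()] = value.strip()
    return records

def host_mismatches(records, resolve):
    """Squid 3.2 intercept check: Host must resolve (here via a constructed table) to the IP the client hit."""
    out = []
    for r in records:
        if r["kind"] == "REQUEST":
            dest = r["local"].rsplit(":", 1)[0]
            host = r["headers"].get("host", "").rsplit(":", 1)[0]
            if dest not in resolve.get(host, ()):
                out.append({"client": r["remote"], "host": host, "dest": dest,
                            "url": r["first"].split()[1], "agent": r["headers"].get("user-agent")})
    return out
```

Each flagged entry carries the client socket, URL and User-Agent, which is exactly what lets you match a dump block to the SECURITY ALERT lines in syslog and then isolate the client machine.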
Received on Thu Dec 01 2011 - 16:50:03 MST
