Re: Blocking web-based proxy traffic


 



Quoting Tagg McDonald <taggm@xxxxxxxxx>:


Interesting idea.  I know that when I've captured this proxy traffic I see
in ASCII "http://" and then whatever proxied site (usually myspace).  I was
thinking maybe a matchstring type thing?  Here's a snippet from an
access.log from a transparent squid proxy, using sureproxy hitting playboy:

10.1.1.191 - - [28/Nov/2007:12:49:26 -0700] "GET http://www.sureproxy.com/nph-index.cgi/011110A/http/www.playboy.com/imx/frontpage/2008-calendars.jpg HTTP/1.1" 200 366 "http://www.sureproxy.com/nph-index.cgi/011110A/http/www.playboy.com/" "Opera/9.24 (Macintosh; Intel Mac OS X; U; en)" TCP_MISS:DIRECT

Does my idea make sense or am I on crack :D

James

If you have a transparent squid proxy in place you can do ACLs and/or
use squidGuard or DansGuardian.

--
Tagg McDonald
Dutro Company
675 North 600 West
Logan, UT 84321
(435) 752-3921 x146

-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Even with a proxy and filter in place, they can still circumvent using proxifier sites. I block them at my firewall using the drop in my preroute. I really don't care about the timeouts; if you're going around the filter, you're breaking policy. Even then it's hard to stop. I can't use my transparent proxy for https, which a lot of the sites run. They will have http: and https: both of which connect to the same site. I have a list of close to 300+ sites I block at the firewall that I try to keep up to date, but new sites are out all the time. One thing I have found is that snort rules help to detect when these things are happening. There are some policy rules that are able to detect when some of these sites are accessed or when someone is trying to use them. In short, if anyone finds a way to block access to these sites 100% I would sure like to hear about it. Short of denying access to the entire internet except for those sites specifically allowed.


--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

"rarely do people communicate, they just take turns talking"

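The match-string idea from the thread, applied to the squid access.log format quoted above, as an added example that is not part of any poster's message: it flags requests whose URL carries a second site's URL inside it. The query-string form, the function names and the sample hosts are assumptions added here; the path form is the one visible in the quoted log line.

```python
import re
from urllib.parse import urlsplit, unquote

# Request part of a squid access.log line in the format quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" \d{3} ')

# A second URL carried inside the first: "/http/host/..." (the path form seen in
# the quoted log) or "=http://host/..." (query form, an added generalization).
EMBEDDED_RE = re.compile(
    r'[/=](?P<scheme>https?)(?:://|/)(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)',
    re.IGNORECASE)


def embedded_target(url):
    """Return (front_host, embedded_host) if url carries another site's URL."""
    parts = urlsplit(url)
    tail = unquote(parts.path + "?" + parts.query)  # decode %3A%2F%2F etc.
    m = EMBEDDED_RE.search(tail)
    if not m or not parts.hostname:
        return None
    front, inner = parts.hostname, m.group("host").lower()
    # Same-site redirects (login?next=http://same.host/...) are not proxying.
    return None if front == inner else (front, inner)


def flag_proxy_requests(lines):
    """List (client_ip, front_host, embedded_host) for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        target = embedded_target(m.group("url")) if m else None
        if target:
            hits.append((m.group("client"), *target))
    return hits


# Constructed sample lines (hosts are placeholders, not taken from the thread).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Nov/2007:12:49:26 -0700] "GET http://proxy.example/nph-index.cgi/011110A/http/www.target.example/img/a.jpg HTTP/1.1" 200 366 "-" "UA" TCP_MISS:DIRECT',
    '10.0.0.6 - - [28/Nov/2007:12:49:30 -0700] "GET http://www.news.example/index.html HTTP/1.1" 200 5120 "-" "UA" TCP_MISS:DIRECT',
    '10.0.0.7 - - [28/Nov/2007:12:50:02 -0700] "GET http://proxy2.example/browse.php?u=http%3A%2F%2Fwww.target.example%2F HTTP/1.1" 200 900 "-" "UA" TCP_MISS:DIRECT',
    '10.0.0.8 - - [28/Nov/2007:12:51:10 -0700] "GET http://www.news.example/login?next=http://www.news.example/home HTTP/1.1" 302 0 "-" "UA" TCP_MISS:DIRECT',
]

if __name__ == "__main__":
    for hit in flag_proxy_requests(SAMPLE_LOG):
        print("client %s used %s to reach %s" % hit)
```

This only sees what the transparent proxy logs, so it covers plain HTTP and not the https variants of these sites mentioned in the thread.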
