On Tue, 6 Sep 2005, Lasse Mørk wrote:
Anyway. It could be interesting to know what to look for in the accesslog....
As I said in my last message:
What you should look out for is odd patterns in

- Same client making very many requests to a given server
- Long running CONNECT requests
- CONNECT requests to odd ports (there are good reasons why the default config restricts CONNECT to a small set of well known ports only).

And if you enable log_mime_hdrs these tunneling agents sometimes can be identified by their request or response headers. If such identification can be done then you can make Squid access rules imposing a general ban of the use of that relay agent (at least until the agent is changed to use other request/response headers...)
Regards
Henrik
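The three log patterns listed above, checked over Squid's native access.log format, as an added example that is not part of the original message. The sample lines are constructed, and the thresholds and the allowed CONNECT ports (443 and 563) are assumptions to adjust to the local configuration.

```python
from collections import Counter

# Constructed sample lines in Squid's native access.log format:
# time elapsed_ms client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1126000000.100 250 10.0.0.5 TCP_MISS/200 4312 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1126000001.200 5400000 10.0.0.7 TCP_MISS/200 98234111 CONNECT relay.example.net:443 - DIRECT/192.0.2.20 -
1126000002.300 3 10.0.0.8 TCP_DENIED/403 1400 CONNECT host.example.org:22 - NONE/- text/html
1126000003.400 90 10.0.0.9 TCP_MISS/200 700 GET http://poll.example.net/a - DIRECT/192.0.2.40 text/plain
1126000004.400 95 10.0.0.9 TCP_MISS/200 700 GET http://poll.example.net/b - DIRECT/192.0.2.40 text/plain
1126000005.400 88 10.0.0.9 TCP_MISS/200 700 GET http://poll.example.net/c - DIRECT/192.0.2.40 text/plain
"""

def find_suspects(log_text, max_requests=1000, max_connect_ms=3_600_000,
                  connect_ports=(443, 563)):
    """Return (reason, client, target) tuples for the three patterns.

    All three limits are assumed values, not Squid settings: tune them
    to the site's normal traffic and to its own CONNECT port ACL.
    """
    per_pair = Counter()   # (client, server host) -> request count
    findings = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[1].isdigit():
            continue       # skip short or malformed lines
        elapsed_ms, client, method, url = int(f[1]), f[2], f[5], f[6]
        if method == "CONNECT":
            # For CONNECT the URL field is logged as host:port
            host, _, port = url.rpartition(":")
            if not port.isdigit() or int(port) not in connect_ports:
                findings.append(("odd_connect_port", client, url))
            if elapsed_ms > max_connect_ms:
                findings.append(("long_connect", client, url))
        else:
            # scheme://host/path -> host (may still carry :port)
            host = url.split("/")[2] if "://" in url else url
        per_pair[(client, host)] += 1
    for (client, host), count in per_pair.items():
        if count > max_requests:
            findings.append(("many_requests", client, host))
    return findings

if __name__ == "__main__":
    # Low request limit so the small constructed sample triggers it
    for finding in find_suspects(SAMPLE_LOG, max_requests=2):
        print(*finding)
```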