> Ed, are you sure your management doesn't mean SNORT? I think that's
> what you're looking for. It's a pretty good IDS system. Squid's pretty
> serial in nature... What goes in must come out kind of thing. SNORT
> sits on your backbone and passively monitors/records traffic.
> Dave

Hi Dave. Nope, they really meant Squid. They don't want it any other way.

Edward

>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: Tuesday, April 17, 2007 3:11 PM
> To: list@xxxxxxxxxxxxxxxxx; squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Squid and Mirrored Router Ports
>
>
> Edward C. Jakosalem wrote:
>>> Hi,
>>>
>>> Edward C. Jakosalem wrote:
>>>>> Tue 2007-04-17 at 20:55 +1000, Edward C. Jakosalem wrote:
>>>>>
>>>>>> I have posted this same problem before but I want to post it again
>>>>>> because I am pressured to make this work with Squid. I know that
>>>>>> Squid's use is either an accelerator or proxy or both. But we want
>>>>>> Squid to _only_ capture web traffic and log them, that's all. As
>>>>>> such, I have configured my server to act as transparent proxy.
>>>>> I don't quite get what you are trying to do here.. Do you want
>>>>> Squid to act as a transparent proxy by intercepting port 80 traffic
>>>>> and have it redirected to Squid, or do you just want to audit the
>>>>> port 80 traffic without actually touching the packets by just
>>>>> listening on a switch mirror/monitor port?
>>>> I actually just need squid to act as transparent proxy so I can log
>>>> traffic. I don't care how squid will do this, I just need the logs.
>>>> And the reason why we use the mirrored port is that we don't want
>>>> browsing affected in case this server goes down.
>>> So you want Squid to be in the path but don't want it to affect
>>> anything if it goes down? That can't be done, unless you can use
>>> WCCP to ignore it if it's down. Never played with WCCP so I don't
>>> know if it's possible. I've always 'done the right thing' and told
>>> my browsers about the proxy!
>>>
>>>
>>>>> The first can be done by Squid, and any of the interception methods
>>>>> will work. WCCP, Policy routing etc..
>>>>>
>>>>> The second is not a job for Squid. You need a packet
>>>>> analyzer/auditor for this. There are quite many different ones
>>>>> depending on what you are looking for..
>>>> We specifically need the Squid log format, that's why we want to make
>>>> this work with squid. My boss doesn't want it any other way. :-(
>>> Why must he have Squid format logs? What's his business reason for
>>> having to have them in that format?
>>
>> I honestly don't know. But the aim is to have a record of our
>> customers' browsing activities and retain the logs for 6 months.
>>
>>> Squid is probably the wrong tool for the job and won't work how
>>> you've got it set up now so why not look around at other tools that
>>> are designed for the job?
>>
>> I already did and told him that. I actually have a program called
>> _packit_ up and running. I also found some other useful ones as well.
>> But management said Squid can do it and if I can't make it work,
>> they will seek help from someone who knows how to. Hey, what's a lowly
>> employee like me to do? :-(
>
> Well, it seems to have come down to who you trust to know more about the
> software: the people who wrote it, or your managers and whoever gave
> them the idea that squid was capable.
>
> Without knowing who your management are or their experience levels I am
> thinking at this point that I have heard this story before. It sounds
> like your management are not technical people and have been told by a
> contact elsewhere that another business uses squid to 'record logs of all
> our customers activities' then jumped to conclusions.
>
> Squid _can_ sit between your clients and the web and do it. But it does
> need to be in the actual traffic path.
>
> SO, you can take a proposal to your management (maybe with costings) for
> a robust set of squid cache(s) to be your gateway to the net, you are in
> the best position to know what is needed for your company given that
> 'cannot fail' requirement you mentioned earlier.
>
> OR, I'm sure between us all we can work up a suitable large quote for
> the work it would take a developer to make squid capable of sitting on a
> mirror port. (I'll start the bidding randomly at a nice round $500k and
> see where that goes if you like ;-).
>
> OR, you can go back to your management with our (developers and expert
> users) support for the argument that squid cannot do it in any known
> version and get them to supply the source of their 'it can' information
> to help you do it. As an aside, if they actually come up with a source
> we'd like to know who's doing it.
>
>
> Amos
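
The thread's requirement is Squid-format logs for traffic seen on a mirror port, which the replies say is a packet analyzer's job rather than Squid's. The following is an added example, not part of the original messages or of Squid, showing how an analyzer's reassembled HTTP exchanges can be written in the field order of Squid's native access.log. The `Exchange` record, the helper names and the fixed `TCP_MISS`/`DIRECT` values are assumptions, and TCP reassembly is assumed to be done by the capture tool.

```python
from dataclasses import dataclass

@dataclass
class Exchange:
    """Hypothetical record: one reassembled HTTP/1.x request/reply pair from a capture."""
    start: float       # epoch seconds when the request was seen
    end: float         # epoch seconds when the reply finished
    client_ip: str
    server_ip: str
    request: bytes     # raw request head
    response: bytes    # raw reply, head plus body

def parse_head(raw: bytes):
    """Return (first line, {lower-cased header name: value}) for an HTTP head."""
    first, *rest = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in rest:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return first, headers

def squid_line(ex: Exchange) -> str:
    """Format one exchange in the field order of Squid's native access.log."""
    req_line, req_hdrs = parse_head(ex.request)
    parts = req_line.split()
    if len(parts) != 3:
        raise ValueError("not an HTTP/1.x request line: %r" % req_line)
    method, target, _version = parts
    if target.startswith("/"):  # origin-form request: rebuild the URL from Host
        target = "http://" + req_hdrs.get("host", ex.server_ip) + target
    status_line, resp_hdrs = parse_head(ex.response)
    fields = status_line.split()
    status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else 0
    mime = resp_hdrs.get("content-type", "").split(";")[0].strip() or "-"
    elapsed_ms = max(0, round((ex.end - ex.start) * 1000))
    # Assumption: a passive tap has no cache or peers, so the result code is
    # always TCP_MISS and the hierarchy field is always DIRECT/<server>.
    return "%.3f %6d %s TCP_MISS/%03d %d %s %s - DIRECT/%s %s" % (
        ex.start, elapsed_ms, ex.client_ip, status, len(ex.response),
        method, target, ex.server_ip, mime)

# Constructed sample (documentation addresses, made-up timings).
SAMPLE = Exchange(1176793860.250, 1176793860.295, "192.0.2.10", "198.51.100.7",
                  b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
                  b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\nhello")

if __name__ == "__main__":
    print(squid_line(SAMPLE))
```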