"Henrik Nordstrom" <henrik@xxxxxxxxxxxxxxxxxxx> wrote in message news:1179939625.31121.48.camel@xxxxxxxxxxxxxxxxxxxxxx >ons 2007-05-23 klockan 17:46 +0100 skrev Markus Moeller: >> Is it possible to log the bytes in and out of a connection made with the >> CONNECT method. ? I am looking at identifying users misusing the SSL >> connection as a "remote access" solution and was wondering if byte >> in/byte >> out ratios could be used to identify the misuse without decrypting the >> session. > >Squid only keeps a single total counter for CONNECT requests. To get >them split you need to extend the code to keep two counters. Do you have a pointer where in the code I have to look for it ? > >> Are there other known ways besides IP-address/hostname blacklisting to >> identify HTTPS tunnels ? > >Most isn't actually using SSL, so a IDS system looking for odd traffic >in CONNECT requests will trap many of them (but not all). Correct. But I am specifically interested in the bad guys which use SSL. > >Regards >Henrik Thank you Markus
