FYI: With a modified squid (at the source Henrik pointed to) I get:

Outgoing ssh (only command was ls and then exit):

1180183741.678 6328 127.0.0.1 TCP_MISS/200 7432 5036 2396 CONNECT opensuse.suse.home:22 - DIRECT/192.168.1.7 -

5036 = Bytes written to client (Inbound)
2396 = Bytes written to server (Outbound)
Ratio 2.10, like normal surfing, which has a ratio > 1

The same as above, only tunneled via stunnel to have a real SSL connection:

1180188642.907 7747 192.168.1.7 TCP_MISS/200 13380 9102 4278 CONNECT opensuse.suse.home:443 - DIRECT/192.168.1.7 -

9102 = Bytes written to client (Inbound)
4278 = Bytes written to server (Outbound)
Ratio 2.13, like normal surfing, which has a ratio > 1

Normal HTTPS traffic looks like:

1180183683.128 405 192.168.1.10 TCP_MISS/200 11177 9824 1353 CONNECT www.hsbc.co.uk:443 - DIRECT/193.108.74.209 -
1180183683.197 468 192.168.1.10 TCP_MISS/200 7561 6197 1364 CONNECT www.hsbc.co.uk:443 - DIRECT/193.108.74.209 -

Ratio 7.26 and 4.54

Outgoing ssh with remote port forwarding and an incoming ssh connection (only command was ls and then exit). THIS IS A MISUSE EXAMPLE:

1180183763.638 13448 127.0.0.1 TCP_MISS/200 15352 6076 9276 CONNECT opensuse.suse.home:22 - DIRECT/192.168.1.7 -

6076 = Bytes written to client (Inbound)
9276 = Bytes written to server (Outbound)
Ratio 0.655. As expected, a ratio < 1

The same as above, only tunneled via stunnel to have a real SSL connection:

1180188667.142 16940 192.168.1.7 TCP_MISS/200 22664 8863 13801 CONNECT opensuse.suse.home:443 - DIRECT/192.168.1.7 -

8863 = Bytes written to client (Inbound)
13801 = Bytes written to server (Outbound)
Ratio 0.642. As expected, a ratio < 1

So it looks like it could help in determining malicious use of proxies, even if only a few shell commands are executed.
Regards
Markus

"Henrik Nordstrom" <henrik@xxxxxxxxxxxxxxxxxxx> wrote in message news:1179951639.31121.71.camel@xxxxxxxxxxxxxxxxxxxxxx
> Wed 2007-05-23 at 19:25 +0100, Markus Moeller wrote:
>
>> > Squid only keeps a single total counter for CONNECT requests. To get
>> > them split you need to extend the code to keep two counters.
>>
>> Do you have a pointer where in the code I have to look for it?
>
> There is a couple of different places..
>
> The CONNECT traffic is all processed in ssl.c. The counter is updated in
> sslWriteClient & sslWriteServer.
>
> *sslState->size_ptr += len;
>
> This size_ptr is given to ssl.c as part of the sslStart() call from
> client_side.c.
>
> Finally client_side.c also hands the counters down to the access logging
> code in the call to accessLogLog().
>
> Regards
> Henrik
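The inbound/outbound check described in the post above, as an added example that is not part of the original post or of squid itself: a small Python parser for the split-counter log format and a filter that flags CONNECT tunnels whose bytes-to-client / bytes-to-server ratio drops below 1. The field layout is inferred from the post (total bytes, then bytes written to client, then bytes written to server, ahead of the method). The `min_outbound` floor and the total-equals-sum consistency check are my own additions, not something the modified squid does; the sample lines are the six CONNECT entries quoted in the post.

```python
"""Flag CONNECT tunnels in a split-counter squid access log whose outbound
bytes exceed inbound bytes (ratio < 1), as suggested in the post above.

Assumed field layout (inferred from the post, not squid's stock format):
  timestamp elapsed client code/status total to_client to_server method url ident hierarchy type
"""
from dataclasses import dataclass
from typing import List, Optional

# The six CONNECT lines quoted in the post above.
SAMPLE_LOG = """\
1180183741.678 6328 127.0.0.1 TCP_MISS/200 7432 5036 2396 CONNECT opensuse.suse.home:22 - DIRECT/192.168.1.7 -
1180188642.907 7747 192.168.1.7 TCP_MISS/200 13380 9102 4278 CONNECT opensuse.suse.home:443 - DIRECT/192.168.1.7 -
1180183683.128 405 192.168.1.10 TCP_MISS/200 11177 9824 1353 CONNECT www.hsbc.co.uk:443 - DIRECT/193.108.74.209 -
1180183683.197 468 192.168.1.10 TCP_MISS/200 7561 6197 1364 CONNECT www.hsbc.co.uk:443 - DIRECT/193.108.74.209 -
1180183763.638 13448 127.0.0.1 TCP_MISS/200 15352 6076 9276 CONNECT opensuse.suse.home:22 - DIRECT/192.168.1.7 -
1180188667.142 16940 192.168.1.7 TCP_MISS/200 22664 8863 13801 CONNECT opensuse.suse.home:443 - DIRECT/192.168.1.7 -
"""


@dataclass
class ConnectEntry:
    timestamp: float
    elapsed_ms: int
    client: str
    total: int
    to_client: int   # bytes written to the client ("Inbound" in the post)
    to_server: int   # bytes written to the server ("Outbound" in the post)
    url: str
    peer: str

    @property
    def ratio(self) -> float:
        """Inbound/outbound ratio; infinite if nothing reached the server."""
        if self.to_server == 0:
            return float("inf")
        return self.to_client / self.to_server

    @property
    def consistent(self) -> bool:
        """Sanity check (my addition): the split counters must sum to the total."""
        return self.total == self.to_client + self.to_server


def parse_line(line: str) -> Optional[ConnectEntry]:
    """Parse one split-counter log line; return None for non-CONNECT or malformed lines."""
    fields = line.split()
    if len(fields) < 11 or fields[7] != "CONNECT":
        return None
    try:
        return ConnectEntry(
            timestamp=float(fields[0]),
            elapsed_ms=int(fields[1]),
            client=fields[2],
            total=int(fields[4]),
            to_client=int(fields[5]),
            to_server=int(fields[6]),
            url=fields[8],
            peer=fields[10],
        )
    except ValueError:
        return None


def parse_log(text: str) -> List[ConnectEntry]:
    """Return all CONNECT entries from a log excerpt, skipping unparsable lines."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def flag_suspicious(entries: List[ConnectEntry],
                    max_ratio: float = 1.0,
                    min_outbound: int = 4096) -> List[ConnectEntry]:
    """Return tunnels whose inbound/outbound ratio is below max_ratio.

    min_outbound (my own threshold, not from the post) keeps tunnels that
    exchanged almost nothing, e.g. a handshake that failed early, from
    being scored: a ratio over a few hundred bytes says little.
    """
    return [e for e in entries
            if e.to_server >= min_outbound and e.ratio < max_ratio]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        mark = "MISUSE?" if e in flag_suspicious(entries) else "ok"
        print(f"{e.client:14} {e.url:26} in={e.to_client:6} out={e.to_server:6} "
              f"ratio={e.ratio:5.2f} {mark}")
```

Run against the six quoted lines, only the two port-forwarding sessions (ratios 0.655 and 0.642) are flagged; the plain ssh sessions, the stunnel-wrapped one and the two HSBC connections all stay above 1. In practice the ratio should be computed per client over a window rather than per connection, since a single short misuse session can hide among many normal ones.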