On 18/06/11 01:26, Chris Knipe wrote:
> Hi All,
>
> We have a fairly sized transparent proxy (squid 3.1.12) running around
> 1k requests per minute. Every now and again, for some seemingly
> random host to some seemingly random site, squid would log a few
> requests completely garbled. After a second or two, the requests are
> logged in plain text as normal...
>
> A sample of a "garbled" log entry is given below. This naturally
> causes havoc for web log file analyzers such as calamaris...
>
> 1308301729.706 20 host.name TCP_MISS/400 69453 ^S<B5>
> http://196.43.208.18:3128/+%D4%B0%7C%84%D6 - DIRECT/196.43.208.18
> text/html
>
> Any advice?

Would "Don't do transparent proxy" work?

You are going to get garbage. It just comes with the territory.

That request at least appears to be one of the nicer pieces of software
abusing port 80. It's passing a URL over. The other end is rejecting the
relay. Maybe it doesn't like its binary crap being upgraded to HTTP/1.1
ASCII :).

Could be some innocent user playing with some software that uses port 80
because it is not firewalled to the hilt. Or it could be an attack
underway using you as a relay. Or it could be an infection trying to
spread. You will only know by further investigation of the client
"host.name".

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.8 and 3.1.12.2
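
Added example (not part of the original message and not Squid code): a filter that separates well-formed native access.log lines from ones whose method field is not an HTTP token, and counts the damaged ones per client so the hosts worth investigating stand out. The sample log is constructed; the 10-field native layout and the uppercase-token method check are assumptions.

```python
import re
from collections import Counter

# Constructed sample in Squid's native access.log layout (10 whitespace-separated
# fields), kept as raw bytes because the damaged method field is not valid text.
SAMPLE_LOG = b"\n".join([
    b"1308301729.500 112 10.0.0.7 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/192.0.2.10 text/html",
    # Binary protocol bytes where the method should be.
    b"1308301729.706 20 10.0.0.9 TCP_MISS/400 69453 \x13\xb5 http://192.0.2.20:3128/+%D4%B0 - DIRECT/192.0.2.20 text/html",
    # The same kind of entry as a pager would display it (^S<B5>).
    b"1308301729.910 18 10.0.0.9 TCP_MISS/400 69453 ^S<B5> http://192.0.2.20:3128/+%7C%84 - DIRECT/192.0.2.20 text/html",
    # Garbage containing a space, which shifts every later field.
    b"1308301730.020 5 10.0.0.12 TCP_MISS/400 3100 \x16\x03 \x01 http://192.0.2.30/ - DIRECT/192.0.2.30 text/html",
    b"1308301731.100 900 10.0.0.7 TCP_MISS/200 7300 CONNECT example.org:443 - DIRECT/192.0.2.40 -",
    b"",
])

# Assumption: a genuine request method is a short uppercase token (GET, CONNECT, ...).
METHOD = re.compile(rb"[A-Z][A-Z0-9_-]{0,31}")
NATIVE_FIELDS = 10


def split_log(data: bytes):
    """Return (clean_lines, suspects): clean lines are safe to hand to a log
    analyzer; suspects maps client address -> number of garbled entries."""
    clean, suspects = [], Counter()
    for line in data.split(b"\n"):
        fields = line.split()
        if not fields:
            continue  # blank line
        ok = len(fields) == NATIVE_FIELDS and METHOD.fullmatch(fields[5])
        if ok:
            clean.append(line)
        else:
            # The client address is field 3; it precedes the damaged part of the line.
            client = fields[2].decode("ascii", "replace") if len(fields) > 2 else "?"
            suspects[client] += 1
    return clean, suspects


if __name__ == "__main__":
    clean, suspects = split_log(SAMPLE_LOG)
    print(f"{len(clean)} clean lines")
    for client, count in suspects.most_common():
        print(f"{client}: {count} garbled request(s)")
```
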