On Wed, 30 Nov 2011, David Touzeau wrote:
On Wednesday 30 November 2011 at 11:14 +1300, Amos Jeffries wrote:
... missing log line...
Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: on URL:
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
... missing log line...
Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: By user agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)
Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: on URL:
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Which brings us back to the question of where the key log line has
disappeared to.
The log line which says "Host header forgery from $C ($A does not match
$B)"
What those $ values are is important to how to fix it. $C is the
connection details needed to isolate the machine to investigate. $A and
$B the details which it is getting wrong.
But
These are the only events that I can see:
~# cat /var/log/syslog |grep -E "squid\[[0-9]+"|tail -n 500
Can I do something more?
grep '^Nov 29 22:18:5' /var/log/syslog
then look for the log lines Amos needs.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@xxxxxxxxxx FALaholic #11174 pgpk -a jhardin@xxxxxxxxxx
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
26 days until Christmas
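Added example, not part of the thread and not Squid's own code: a small POSIX shell script that does what the reply suggests (narrow syslog to the seconds around the event, keep only the SECURITY ALERT lines) and then pulls the $C, $A and $B values out of the "Host header forgery from $C ($A does not match $B)" line so the client connection can be isolated. The sample log excerpt is constructed; the wording of the forgery line after "SECURITY ALERT:" is assumed to follow the template quoted above rather than an exact Squid message, and the addresses and hostnames are placeholders.

```shell
#!/bin/sh
# Constructed sample syslog excerpt (not from the original thread). The first
# line stands in for the "missing log line": its wording after
# "SECURITY ALERT:" is assumed to follow the "$C ($A does not match $B)"
# template from the thread, with placeholder addresses and hostnames.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: Host header forgery from 192.0.2.10:54321 (www.example.com does not match 203.0.113.5)
Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: By user agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: on URL: http://www.example.com/
Nov 29 22:19:03 squid2 squid[11257]: Starting Squid Cache version 3.1
EOF

# Narrow the log to a timestamp prefix (e.g. "Nov 29 22:18:5"), as the reply
# suggests, and keep only Squid's SECURITY ALERT lines.
#   $1 = log file, $2 = timestamp prefix
security_alerts_at() {
    grep "^$2" "$1" | grep -E 'squid\[[0-9]+\]: SECURITY ALERT:'
}

# Extract $C (connection), $A and $B (the mismatching values) from every
# "Host header forgery from $C ($A does not match $B)" line in the file and
# print them as "C|A|B", one event per line. Lines without that template
# produce no output.
#   $1 = log file
forgery_fields() {
    sed -n 's/.*Host header forgery from \(.*\) (\(.*\) does not match \(.*\)).*/\1|\2|\3/p' "$1"
}

# Stand-alone usage: show the full event block, then the isolated fields.
security_alerts_at "$SAMPLE_LOG" 'Nov 29 22:18:5'
forgery_fields "$SAMPLE_LOG"
```

The first field printed by forgery_fields is the client connection to go and look at; the other two are the values Squid saw disagreeing, which tell you whether it is a DNS/host header problem on the proxy side or something odd on the client side.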