On Friday 02 December 2011 at 01:12 +1300, Amos Jeffries wrote:
> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: SECURITY ALERT: Squid Cache: Version 3.2.0.13
> Date: Fri, 02 Dec 2011 01:12:40 +1300 (01/12/2011 13:12:40)
>
> On 1/12/2011 9:58 p.m., David Touzeau wrote:
>> On Wednesday 30 November 2011 at 11:14 +1300, Amos Jeffries wrote:
>>> On Tue, 29 Nov 2011 22:48:39 +0100, David Touzeau wrote:
>>>> Dear
>>>>
>>>> I'm trying to make Squid Cache: Version 3.2.0.13-20111127-r11436 on
>>>> transparent mode
>>>>
>>>> But squid refuses to access some websites:
>>>> for example google.* is ok
>>>>
>>>> but microsoft is impossible.
>>>>
>>>> How to fix this issue?
>>> Track down the client software which is producing the requests.
>>>
>>>> On event:
>>>>
>>>
>>> ... missing log line...
>>>
>>>> Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: By user agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
>>>> Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: on URL: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
>>> ... missing log line...
>>>
>>>> Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: By user agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
>>>> Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: on URL: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
>>>
>>> Which brings us back to the question of where the key log line has
>>> disappeared to.
>>>
>>> The log line which says "Host header forgery from $C ($A does not match $B)"
>>>
>>> What those $ values are is important to how to fix it. $C is the
>>> connection details needed to isolate the machine to investigate. $A and
>>> $B the details which it is getting wrong.
>>>
>>> Amos
>>>
>>
>> I have made other tests.
>>
>> Here it is the dump.
>>
>> Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
>> Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL: http://db2.stb00.s-msn.com/i/42/72A83D0D39814D13CA15F184E71D2.jpg
>> Dec 1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
>
> Hmm, same as the last lot. Let's take another approach.
>
> Start with checking the actual cache.log (usually
> /var/logs/squid/cache.log or /var/log/squid/cache.log). syslog is only a
> copy and an unreliable one it appears.
>
> If you don't have a cache.log you will need to configure one to be
> written.
>
> If you are still getting useless data out of the cache.log you can try
> setting "debug_options 11,2" for a short period. This dumps the entire
> HTTP headers in both directions coming AND going from Squid. Which can
> be a lot of data if you have a high level of traffic. What we look for
> in that load is the "HTTP Client Request" and TCP details with same URL
> and User-Agent that are showing up in your alerts.
>
> Amos

Here it is the log in debug mode:

----------
2011/12/01 17:49:14.106 kid1| HTTP Client local=4.26.235.254:80 remote=192.168.1.228:1074 FD 30 flags=33
2011/12/01 17:49:14.106 kid1| HTTP Client REQUEST:
---------
GET /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?1112011649 HTTP/1.1
Accept: */*
User-Agent: Windows-Update-Agent
Host: download.windowsupdate.com
Connection: Keep-Alive
----------
2011/12/01 17:49:14.106 kid1| HTTP Client local=4.26.235.254:80 remote=192.168.1.228:1074 FD 30 flags=33
2011/12/01 17:49:14.106 kid1| HTTP Client REPLY:
---------
HTTP/1.1 409 Conflict
Server: squid/3.2.0.13-20111127-r11436
Mime-Version: 1.0
Date: Thu, 01 Dec 2011 16:49:14 GMT
Content-Type: text/html
Content-Length: 4184
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from proxyweb
X-Cache-Lookup: NONE from proxyweb:3129
Via: 1.1 proxyweb (squid/3.2.0.13-20111127-r11436)
Connection: keep-alive
----------
2011/12/01 17:49:14.128 kid2| HTTP Client local=4.26.235.254:80 remote=192.168.1.228:1075 FD 33 flags=33
2011/12/01 17:49:14.128 kid2| HTTP Client REQUEST:
---------
HEAD /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?1112011649 HTTP/1.1
Accept: */*
User-Agent: Windows-Update-Agent
Host: download.windowsupdate.com
Connection: Keep-Alive
----------
2011/12/01 17:49:14.128 kid2| HTTP Client local=4.26.235.254:80 remote=192.168.1.228:1075 FD 33 flags=33
2011/12/01 17:49:14.128 kid2| HTTP Client REPLY:
---------
HTTP/1.1 409 Conflict
Server: squid/3.2.0.13-20111127-r11436
Mime-Version: 1.0
Date: Thu, 01 Dec 2011 16:49:14 GMT
Content-Type: text/html
Content-Length: 4186
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from proxyweb
X-Cache-Lookup: NONE from proxyweb:3129
Via: 1.1 proxyweb (squid/3.2.0.13-20111127-r11436)
Connection: keep-alive
----------
2011/12/01 17:49:14.133 kid2| HTTP Client local=4.26.235.254:80 remote=192.168.1.228:1075 FD 33 flags=33
2011/12/01 17:49:14.133 kid2| HTTP Client REQUEST:
---------
GET /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?1112011649 HTTP/1.1
Accept: */*
User-Agent: Windows-Update-Agent
Host: download.windowsupdate.com
Connection: Keep-Alive
----------
2011/12/01 17:49:14.133 kid2| HTTP Client local=4.26.235.254:80 remote=192.168.1.228:1075 FD 33 flags=33
2011/12/01 17:49:14.133 kid2| HTTP Client REPLY:
---------
HTTP/1.1 409 Conflict
Server: squid/3.2.0.13-20111127-r11436
Mime-Version: 1.0
Date: Thu, 01 Dec 2011 16:49:14 GMT
Content-Type: text/html
Content-Length: 4184
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from proxyweb
X-Cache-Lookup: NONE from proxyweb:3129
Via: 1.1 proxyweb (squid/3.2.0.13-20111127-r11436)
Connection: keep-alive
----------
2011/12/01 17:49:14.150 kid2| HTTP Client local=4.26.235.254:80 remote=192.168.1.228:1076 FD 33 flags=33
2011/12/01 17:49:14.150 kid2| HTTP Client REQUEST:
---------
HEAD /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?1112011649 HTTP/1.1
Accept: */*
User-Agent: Windows-Update-Agent
Host: download.windowsupdate.com
Connection: Keep-Alive
----------
2011/12/01 17:49:14.150 kid2| HTTP Client local=4.26.235.254:80 remote=192.168.1.228:1076 FD 33 flags=33
2011/12/01 17:49:14.150 kid2| HTTP Client REPLY:
---------
HTTP/1.1 409 Conflict
Server: squid/3.2.0.13-20111127-r11436
Mime-Version: 1.0
Date: Thu, 01 Dec 2011 16:49:14 GMT
Content-Type: text/html
Content-Length: 4186
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from proxyweb
X-Cache-Lookup: NONE from proxyweb:3129
Via: 1.1 proxyweb (squid/3.2.0.13-20111127-r11436)
Connection: keep-alive
----------
2011/12/01 17:49:14.155 kid2| HTTP Client local=4.26.235.254:80 remote=192.168.1.228:1076 FD 33 flags=33
2011/12/01 17:49:14.155 kid2| HTTP Client REQUEST:
---------
GET /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?1112011649 HTTP/1.1
Accept: */*
User-Agent: Windows-Update-Agent
Host: download.windowsupdate.com
Connection: Keep-Alive
----------
2011/12/01 17:49:14.155 kid2| HTTP Client local=4.26.235.254:80 remote=192.168.1.228:1076 FD 33 flags=33
2011/12/01 17:49:14.155 kid2| HTTP Client REPLY:
---------
HTTP/1.1 409 Conflict
Server: squid/3.2.0.13-20111127-r11436
Mime-Version: 1.0
Date: Thu, 01 Dec 2011 16:49:14 GMT
Content-Type: text/html
Content-Length: 4184
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from proxyweb
X-Cache-Lookup: NONE from proxyweb:3129
Via: 1.1 proxyweb (squid/3.2.0.13-20111127-r11436)
Connection: keep-alive
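The triage Amos describes (matching the "HTTP Client" blocks of a debug_options 11,2 dump against the TCP details, URL and User-Agent in the alerts) can be scripted. The script below is an added example written for this thread, not code from the Squid project or from either poster. It parses the dump format shown in the message above, pairs each REQUEST with the REPLY on the same connection, and lists the client addresses (the $C Amos asks for) whose requests Squid answered with 409 Conflict / ERR_INVALID_REQ. The sample input reuses the first request/reply pair from the dump above plus one constructed pair (client 192.168.1.50, documentation address 198.51.100.7) that was answered normally; the resolver table in host_matches_destination is constructed and deliberately resolves download.windowsupdate.com to a documentation address rather than the real one, and the assumption that Squid's check compares the intercepted destination address with DNS results for the Host header is mine, not something the thread states.

```python
# Added example for this thread (not Squid project code): triage a
# "debug_options 11,2" cache.log dump by pairing each "HTTP Client REQUEST"
# with the "HTTP Client REPLY" on the same connection.
import re
from collections import defaultdict

# Sample input: first request/reply pair from the dump in the post, then one
# CONSTRUCTED pair that Squid answered normally.  Reply headers trimmed.
SAMPLE_LOG = """\
2011/12/01 17:49:14.106 kid1| HTTP Client local=4.26.235.254:80 remote=192.168.1.228:1074 FD 30 flags=33
2011/12/01 17:49:14.106 kid1| HTTP Client REQUEST:
---------
GET /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?1112011649 HTTP/1.1
User-Agent: Windows-Update-Agent
Host: download.windowsupdate.com
----------
2011/12/01 17:49:14.106 kid1| HTTP Client local=4.26.235.254:80 remote=192.168.1.228:1074 FD 30 flags=33
2011/12/01 17:49:14.106 kid1| HTTP Client REPLY:
---------
HTTP/1.1 409 Conflict
X-Squid-Error: ERR_INVALID_REQ 0
----------
2011/12/01 17:49:20.001 kid1| HTTP Client local=198.51.100.7:80 remote=192.168.1.50:2001 FD 41 flags=33
2011/12/01 17:49:20.001 kid1| HTTP Client REQUEST:
---------
GET /index.html HTTP/1.1
User-Agent: constructed-client/1.0
Host: www.example.com
----------
2011/12/01 17:49:20.040 kid1| HTTP Client local=198.51.100.7:80 remote=192.168.1.50:2001 FD 41 flags=33
2011/12/01 17:49:20.040 kid1| HTTP Client REPLY:
---------
HTTP/1.1 200 OK
----------
"""

CONN_RE = re.compile(r"HTTP Client local=(?P<local>\S+) remote=(?P<remote>\S+) FD (?P<fd>\d+)")
KIND_RE = re.compile(r"HTTP Client (?P<kind>REQUEST|REPLY):")
SEPARATOR_RE = re.compile(r"^-{3,}$")


def parse_dump(text):
    """Yield (connection, kind, message_lines) for each dumped HTTP message."""
    conn = kind = body = None
    for line in text.splitlines():
        if m := CONN_RE.search(line):
            conn = (m["local"], m["remote"], int(m["fd"]))
        elif m := KIND_RE.search(line):
            kind, body = m["kind"], []          # the next dashes open the message
        elif body is None:
            continue
        elif SEPARATOR_RE.match(line):
            if body:                             # closing dashes: message complete
                yield conn, kind, body
                body = None
        else:
            body.append(line)


def split_message(lines):
    """Return (start line, {lower-cased header name: value})."""
    headers = {}
    for raw in lines[1:]:
        name, sep, value = raw.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage(text):
    """Pair requests with replies per connection; return one record per pair."""
    pending, records = {}, []
    for conn, kind, body in parse_dump(text):
        start, headers = split_message(body)
        if kind == "REQUEST":
            method, _, rest = start.partition(" ")
            pending[conn] = {"client": conn[1], "dst": conn[0], "method": method,
                             "url": rest.rpartition(" ")[0],   # drop HTTP/x.y token
                             "host": headers.get("host", ""),
                             "user_agent": headers.get("user-agent", "")}
        elif conn in pending:
            rec = pending.pop(conn)
            words = start.split()
            rec["status"] = int(words[1]) if len(words) > 1 and words[1].isdigit() else None
            rec["squid_error"] = (headers.get("x-squid-error", "").split() or [""])[0]
            records.append(rec)
    return records


def rejected_by_client(records):
    """Group 409 / ERR_INVALID_REQ answers by client IP (the $C to investigate)."""
    out = defaultdict(list)
    for r in records:
        if r["status"] == 409 and r["squid_error"] == "ERR_INVALID_REQ":
            out[r["client"].rsplit(":", 1)[0]].append(r)
    return dict(out)


# CONSTRUCTED stand-in for DNS so the example runs offline; the Windows Update
# name is deliberately mapped to an address other than the intercepted one.
CONSTRUCTED_DNS = {"download.windowsupdate.com": {"203.0.113.10"},
                   "www.example.com": {"198.51.100.7"}}


def host_matches_destination(record, resolve=lambda h: CONSTRUCTED_DNS.get(h, ())):
    """Does Host resolve to the address the client actually connected to?
    ASSUMPTION (mine): Squid's host verification makes this kind of comparison.
    Pass a resolver built on socket.getaddrinfo to check against live DNS."""
    return record["dst"].rsplit(":", 1)[0] in resolve(record["host"])


if __name__ == "__main__":
    for ip, recs in rejected_by_client(triage(SAMPLE_LOG)).items():
        for r in recs:
            print(ip, "->", r["dst"], r["method"], r["host"], repr(r["user_agent"]),
                  "host matches dst:", host_matches_destination(r))
```

Run it against a real cache.log taken while debug_options 11,2 is set; the client IP and User-Agent it prints per rejected request are what to line up with the "SECURITY ALERT" lines, and swapping the constructed resolver for a real one shows whether the Host header and the intercepted destination agree from the proxy's point of view.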