Re: SECURITY ALERT: Squid Cache: Version 3.2.0.13

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 1/12/2011 9:58 p.m., David Touzeau wrote:
> Le mercredi 30 novembre 2011 à 11:14 +1300, Amos Jeffries a écrit :
> > On Tue, 29 Nov 2011 22:48:39 +0100, David Touzeau wrote:
> > > Dear
> > >
> > > I'm trying to make  Squid Cache: Version 3.2.0.13-20111127-r11436 on
> > > transparent mode
> > >
> > > But squid refuse to access to some websites
> > > for example google.* is ok
> > >
> > > but microsoft is impossible.
> > >
> > > How to fix this issue ?
> >   Track down the client software which is producing the requests.
> >
> > > On event :
> >
> >   ... missing log line...
> >
> > > Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: By user agent:
> > > Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
> > > InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
> > > 3.0.4506.2152; .NET CLR 3.5.30729)
> > > Nov 29 22:18:57 squid2 squid[11257]: SECURITY ALERT: on URL:
> > > http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
> >   ... missing log line...
> >
> > > Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: By user agent:
> > > Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
> > > InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
> > > 3.0.4506.2152; .NET CLR 3.5.30729)
> > > Nov 29 22:18:59 squid2 squid[11257]: SECURITY ALERT: on URL:
> > > http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
> >
> >   Which brings us back to the question of where the key log line has
> >   disappeared to.
> >
> >   The log line which says "Host header forgery from $C ($A does not match
> >   $B)"
> >
> >   What those $ values are is important to how to fix it. $C is the
> >   connection details needed to isolate the machine to investigate. $A and
> >   $B the details which it is getting wrong.
> >
> >   Amos
>
> I have made others tests
>
> HEre it is the dump.
>
> Dec  1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
> Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
> InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
> 3.0.4506.2152; .NET CLR 3.5.30729)
> Dec  1 09:56:22 squid2 squid[28798]: SECURITY ALERT: on URL:
> http://db2.stb00.s-msn.com/i/42/72A83D0D39814D13CA15F184E71D2.jpg
> Dec  1 09:56:22 squid2 squid[28798]: SECURITY ALERT: By user agent:
> Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
> InfoPath.2; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR
> 3.0.4506.2152; .NET CLR 3.5.30729)

Hmm, same as the last lot. Lets take another approach.

Start with checking the actual cache.log (usually 
/var/logs/squid/cache.log or /var/log/squid/cache.log). syslog is only a 
copy and an unreliable one it appears.

If you dont have a cache.log you will need to configure one to be written.

If you are still getting useless data out of the cache.log you can try 
setting "debug_options 11,2" for a short period. This dumps the entire 
HTTP headers in both directions coming AND going from Squid. Which can 
be a lot of data if you have a high level of traffic. What we look for 
in that load is the "HTTP Client Request" and TCP details with same URL 
and User-Agent that are showing up in your alerts.

Amos