On 21/12/2013 9:51 a.m., Dr.x wrote:
>
> hi,
>
> I have these logs and am wondering if it is harmful:
> I'm using squid 3.3.9
> Squid Cache: Version 3.3.9
> ==========================================================================
> 2013/12/20 15:41:00.747 kid1| SECURITY ALERT: Host header forgery detected
> on local=10.10.0.50:80 remote=x.x.x.x FD 573 flags=17 (local IP does not
> match any domain IP)
> 2013/12/20 15:41:00.747 kid1| SECURITY ALERT: By user agent:
> 2013/12/20 15:41:00.747 kid1| SECURITY ALERT: on URL:
> client9.dropbox.com:443
> 2013/12/20 15:41:00.747 kid1| abandoning local=10.10.0.50:80 remote=x.x.x.x
> FD 573 flags=17
> kid1| SECURITY ALERT: Host header forgery detected on local=10.10.0.50:80
> remote=x.x.x.x FD 163 flags=17 (local IP does not match any domain IP)
> 2013/12/20 15:41:29.611 kid1| SECURITY ALERT: By user agent:
> 2013/12/20 15:41:29.611 kid1| SECURITY ALERT: on URL: d.dropbox.com:443
> 2013/12/20 15:41:29.611 kid1| abandoning local=10.10.0.50:80 remote=x.x.x.x
> FD 163 flags=17
> ===========================================================================
>
> I wish to clarify whether it is a harmful log.

Well, that varies.

This is demonstrating a client browser being told it is connecting to :443 (HTTPS secure connection) which is actually being sent over port 80 to 10.10.0.50.

For the URL to appear like that without http:// or https:// and path pieces, it is most likely a CONNECT request being sent over port 80 to an explicit proxy. Your MITM has just screwed that up by either terminating the bad behaviour, or making it a CONNECT request directly to 10.10.0.50:80, which will fail at the SSL handshake which follows.

Amos
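As an added example (not code from the thread or from Squid), a small Python parser that folds Squid's multi-line "Host header forgery" alert into one record per connection and labels it the way Amos reads it: a bare host:443 URL arriving on an intercepted port 80 is a CONNECT request meant for an explicit proxy. The sample log lines are constructed in the shape of the quoted alert, with a TEST-NET address standing in for the masked remote.

```python
import re

# Constructed sample of Squid 3.3 cache.log lines, shaped like the quoted alert
# (email-wrapped lines re-joined; remote address replaced with a TEST-NET value).
SAMPLE_LOG = """\
2013/12/20 15:41:00.747 kid1| SECURITY ALERT: Host header forgery detected on local=10.10.0.50:80 remote=192.0.2.10 FD 573 flags=17 (local IP does not match any domain IP)
2013/12/20 15:41:00.747 kid1| SECURITY ALERT: By user agent:
2013/12/20 15:41:00.747 kid1| SECURITY ALERT: on URL: client9.dropbox.com:443
2013/12/20 15:41:00.747 kid1| abandoning local=10.10.0.50:80 remote=192.0.2.10 FD 573 flags=17
2013/12/20 15:41:29.611 kid1| SECURITY ALERT: Host header forgery detected on local=10.10.0.50:80 remote=192.0.2.10 FD 163 flags=17 (local IP does not match any domain IP)
2013/12/20 15:41:29.611 kid1| SECURITY ALERT: By user agent: Mozilla/5.0
2013/12/20 15:41:29.611 kid1| SECURITY ALERT: on URL: http://example.net/index.html
2013/12/20 15:41:29.611 kid1| abandoning local=10.10.0.50:80 remote=192.0.2.10 FD 163 flags=17
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local>\S+) remote=(?P<remote>\S+) FD (?P<fd>\d+) flags=\d+ \((?P<reason>[^)]*)\)")
UA_RE = re.compile(r"SECURITY ALERT: By user agent: ?(?P<ua>.*)$")
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)$")
ABANDON_RE = re.compile(r"abandoning local=\S+ remote=\S+ FD (?P<fd>\d+)")

def parse_forgery_alerts(text):
    """One event per detection. The 'By user agent' / 'on URL' lines carry no FD,
    so they attach to the most recent alert; 'abandoning' is matched back by FD."""
    events, by_fd, current = [], {}, None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            current = dict(m.groupdict(), user_agent="", url="", abandoned=False)
            events.append(current)
            by_fd[current["fd"]] = current
        elif current and (m := UA_RE.search(line)):
            current["user_agent"] = m.group("ua").strip()
        elif current and (m := URL_RE.search(line)):
            current["url"] = m.group("url")
        elif (m := ABANDON_RE.search(line)) and m.group("fd") in by_fd:
            by_fd[m.group("fd")]["abandoned"] = True
    return events

def classify(event):
    """Bare host:443 with no scheme or path, received on intercepted port 80:
    a CONNECT aimed at an explicit proxy, per the reply. Anything else is a
    plain host-vs-IP mismatch and needs its own look."""
    local_port = event["local"].rsplit(":", 1)[-1]
    if "://" not in event["url"] and event["url"].endswith(":443") and local_port == "80":
        return "connect-over-port-80"
    return "host-ip-mismatch"

if __name__ == "__main__":
    for ev in parse_forgery_alerts(SAMPLE_LOG):
        print(ev["ts"], ev["remote"], ev["url"], classify(ev), "abandoned" if ev["abandoned"] else "")
```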