
Re: Squid + ICQ contest ;)


Here are two parallel blocks of data: a sniffing session from the proxy box, and the squid access.log entries from the same time:

root @ cthulhu / # snoop 192.168.100.103|grep icq
Using device aggr1 (promiscuous mode)
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9040
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9040
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9040
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9040
192.168.100.103 -> api.evip.icq.com HTTP C port=9041
api.evip.icq.com -> 192.168.100.103 HTTP R port=9041
192.168.100.103 -> api.evip.icq.com HTTP C port=9041
192.168.100.103 -> api.evip.icq.com HTTP GET /aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG
api.evip.icq.com -> 192.168.100.103 HTTP R port=9041
api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK
api.evip.icq.com -> 192.168.100.103 HTTP <?xml version="1.0" encoding="UTF-8"?>
api.evip.icq.com -> 192.168.100.103 HTTP R port=9041
192.168.100.103 -> api.evip.icq.com HTTP C port=9041
192.168.100.103 -> api.evip.icq.com HTTP C port=9041
192.168.100.103 -> api.evip.icq.com HTTP C port=9041
api.evip.icq.com -> 192.168.100.103 HTTP R port=9041
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9042
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9042
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9042
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9042
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9042
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9042
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9045
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9045
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9042
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9045
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9045
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9045
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9045
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9045
192.168.100.103 -> api.evip.icq.com HTTP C port=9053
api.evip.icq.com -> 192.168.100.103 HTTP R port=9053
192.168.100.103 -> api.evip.icq.com HTTP C port=9053
192.168.100.103 -> api.evip.icq.com HTTP GET /aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG
api.evip.icq.com -> 192.168.100.103 HTTP R port=9053
api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK
api.evip.icq.com -> 192.168.100.103 HTTP <?xml version="1.0" encoding="UTF-8"?>
api.evip.icq.com -> 192.168.100.103 HTTP R port=9053
192.168.100.103 -> api.evip.icq.com HTTP C port=9053
192.168.100.103 -> api.evip.icq.com HTTP C port=9053
192.168.100.103 -> api.evip.icq.com HTTP C port=9053
api.evip.icq.com -> 192.168.100.103 HTTP R port=9053
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9054
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9054
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9054
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9054
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9054
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9054
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9079
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9079
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9054
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9079
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9079
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9079
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9079
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9079
192.168.100.103 -> api.evip.icq.com HTTP C port=9080
api.evip.icq.com -> 192.168.100.103 HTTP R port=9080
192.168.100.103 -> api.evip.icq.com HTTP C port=9080
192.168.100.103 -> api.evip.icq.com HTTP GET /aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG
api.evip.icq.com -> 192.168.100.103 HTTP R port=9080
api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK
api.evip.icq.com -> 192.168.100.103 HTTP <?xml version="1.0" encoding="UTF-8"?>
api.evip.icq.com -> 192.168.100.103 HTTP R port=9080
192.168.100.103 -> api.evip.icq.com HTTP C port=9080
192.168.100.103 -> api.evip.icq.com HTTP C port=9080
192.168.100.103 -> api.evip.icq.com HTTP C port=9080
api.evip.icq.com -> 192.168.100.103 HTTP R port=9080
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9081
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9081
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9081
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9081
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9081
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9081
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9093
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9093
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9081
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9093
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9093
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9093
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9093
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9093
192.168.100.103 -> api.evip.icq.com HTTP C port=9095
api.evip.icq.com -> 192.168.100.103 HTTP R port=9095
192.168.100.103 -> api.evip.icq.com HTTP C port=9095
192.168.100.103 -> api.evip.icq.com HTTP GET /aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG
api.evip.icq.com -> 192.168.100.103 HTTP R port=9095
api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK
api.evip.icq.com -> 192.168.100.103 HTTP <?xml version="1.0" encoding="UTF-8"?>
api.evip.icq.com -> 192.168.100.103 HTTP R port=9095
192.168.100.103 -> api.evip.icq.com HTTP C port=9095
192.168.100.103 -> api.evip.icq.com HTTP C port=9095
192.168.100.103 -> api.evip.icq.com HTTP C port=9095
api.evip.icq.com -> 192.168.100.103 HTTP R port=9095
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9096
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9096
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9096
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9096
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9096
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9096
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9097
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9097
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9096
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9097
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9097
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9097
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9097
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9097
192.168.100.103 -> api.evip.icq.com HTTP C port=9098
api.evip.icq.com -> 192.168.100.103 HTTP R port=9098
192.168.100.103 -> api.evip.icq.com HTTP C port=9098
192.168.100.103 -> api.evip.icq.com HTTP GET /aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG
api.evip.icq.com -> 192.168.100.103 HTTP R port=9098
api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK
api.evip.icq.com -> 192.168.100.103 HTTP <?xml version="1.0" encoding="UTF-8"?>
api.evip.icq.com -> 192.168.100.103 HTTP R port=9098
192.168.100.103 -> api.evip.icq.com HTTP C port=9098
192.168.100.103 -> api.evip.icq.com HTTP C port=9098
192.168.100.103 -> api.evip.icq.com HTTP C port=9098
api.evip.icq.com -> 192.168.100.103 HTTP R port=9098
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9099
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9099
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9099
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9099
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9099
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9099
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9100
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9100
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9099
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9100
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9100
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9100
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9100
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9100
root @ cthulhu / # snoop 192.168.100.103|grep icq
Using device aggr1 (promiscuous mode)
192.168.100.103 -> api.evip.icq.com HTTP C port=8980
api.evip.icq.com -> 192.168.100.103 HTTP R port=8980
192.168.100.103 -> api.evip.icq.com HTTP C port=8980
192.168.100.103 -> api.evip.icq.com HTTP GET /aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG
api.evip.icq.com -> 192.168.100.103 HTTP R port=8980
api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK
api.evip.icq.com -> 192.168.100.103 HTTP <?xml version="1.0" encoding="UTF-8"?>
api.evip.icq.com -> 192.168.100.103 HTTP R port=8980
192.168.100.103 -> api.evip.icq.com HTTP C port=8980
192.168.100.103 -> api.evip.icq.com HTTP C port=8980
192.168.100.103 -> api.evip.icq.com HTTP C port=8980
api.evip.icq.com -> 192.168.100.103 HTTP R port=8980
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=8981
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=8981
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=8981
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=8981
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=8981
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=8981
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTP

1445936940.849 115 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxGUw0U7YYD0Si5sIU1xiNQgqPzSapYWUeJjsNZL8bUpf7BFCVZ2sgNgL2qPMmt%252BsuZJ7AkiJKeXl%252BjFopgqLlgxyHxAyt5ieMGDf8z3erv81lqZcUek7uLw5LRE5imKzY2U7IIH3KaBrYi0i04%253D&buildNumber=9316&clientName=Mail.ru%20Windows%20Agent&clientVersion=5000&distId=20000&f=xml&k=ic1nmMjqg7Yu-0hL&language=ru-RU&majorVersion=65&minorVersion=5&pointVersion=0&port=443&ts=1445936940&sig_sha256=95jne2nFyXVx9y7Vli9%2BnI91T3XlJpzheD95S9hz1aE%3D - ORIGINAL_DST/178.237.23.232 text/xml
1445936991.001 118 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxGUw0U7YYD0Si5sIU1xiNQgqPzSapYWUeJjsNZL8bUpf7BFCVZ2sgNgL2qPMmt%252BsuZJ7AkiJKeXl%252BjFopgqLlgxyHxAyt5ieMGDf8z3erv81lqZcUek7uLw5LRE5imKzY2U7IIH3KaBrYi0i04%253D&buildNumber=9316&clientName=Mail.ru%20Windows%20Agent&clientVersion=5000&distId=20000&f=xml&k=ic1nmMjqg7Yu-0hL&language=ru-RU&majorVersion=65&minorVersion=5&pointVersion=0&port=443&ts=1445936990&sig_sha256=MEhMMYwX%2F2lhxcax%2FmPT3ijCld4ONzCwRV4PqyyVYws%3D - ORIGINAL_DST/178.237.23.232 text/xml
1445937041.165 119 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxGUw0U7YYD0Si5sIU1xiNQgqPzSapYWUeJjsNZL8bUpf7BFCVZ2sgNgL2qPMmt%252BsuZJ7AkiJKeXl%252BjFopgqLlgxyHxAyt5ieMGDf8z3erv81lqZcUek7uLw5LRE5imKzY2U7IIH3KaBrYi0i04%253D&buildNumber=9316&clientName=Mail.ru%20Windows%20Agent&clientVersion=5000&distId=20000&f=xml&k=ic1nmMjqg7Yu-0hL&language=ru-RU&majorVersion=65&minorVersion=5&pointVersion=0&port=443&ts=1445937041&sig_sha256=iF6pBtDiE8xS1LnGo8telVdTkZE8CAZmegpHDuKfBO8%3D - ORIGINAL_DST/178.237.23.232 text/xml
1445937091.358 151 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxGUw0U7YYD0Si5sIU1xiNQgqPzSapYWUeJjsNZL8bUpf7BFCVZ2sgNgL2qPMmt%252BsuZJ7AkiJKeXl%252BjFopgqLlgxyHxAyt5ieMGDf8z3erv81lqZcUek7uLw5LRE5imKzY2U7IIH3KaBrYi0i04%253D&buildNumber=9316&clientName=Mail.ru%20Windows%20Agent&clientVersion=5000&distId=20000&f=xml&k=ic1nmMjqg7Yu-0hL&language=ru-RU&majorVersion=65&minorVersion=5&pointVersion=0&port=443&ts=1445937091&sig_sha256=SjJs4EefLVrqRX%2FXgW9zLsqzMyE0lF9Fi4OiCxdLynE%3D - ORIGINAL_DST/178.237.23.232 text/xml
1445937162.916 524 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxGUw0U7YYD0Si5sIU1xiNQgqPzSapYWUeJjsNZL8bUpf7BFCVZ2sgNgL2qPMmt%252BsuZJ7AkiJKeXl%252BjFopgqLlgxyHxAyt5ieMGDf8z3erv81lqZcUek7uLw5LRE5imKzY2U7IIH3KaBrYi0i04%253D&buildNumber=9316&clientName=Mail.ru%20Windows%20Agent&clientVersion=5000&distId=20000&f=xml&k=ic1nmMjqg7Yu-0hL&language=ru-RU&majorVersion=65&minorVersion=5&pointVersion=0&port=443&ts=1445937162&sig_sha256=ud53qDTKRJCe49ReARVd27GP26p8HFXqDQ2eRQl84i4%3D - ORIGINAL_DST/178.237.23.232 text/xml
1445937234.135 178 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxGUw0U7YYD0Si5sIU1xiNQgqPzSapYWUeJjsNZL8bUpf7BFCVZ2sgNgL2qPMmt%252BsuZJ7AkiJKeXl%252BjFopgqLlgxyHxAyt5ieMGDf8z3erv81lqZcUek7uLw5LRE5imKzY2U7IIH3KaBrYi0i04%253D&buildNumber=9316&clientName=Mail.ru%20Windows%20Agent&clientVersion=5000&distId=20000&f=xml&k=ic1nmMjqg7Yu-0hL&language=ru-RU&majorVersion=65&minorVersion=5&pointVersion=0&port=443&ts=1445937233&sig_sha256=6vu4TvwMVs57kmRwuKJQ9SZ8Za9V6jlFUOlUsdg3sl4%3D - ORIGINAL_DST/178.237.23.232 text/xml

Note: ICQ also uses non-visible sessions on the transparent proxy box over port 5190 in parallel.

27.10.15 3:14, Amos Jeffries wrote:
On 27/10/2015 9:36 a.m., Yuri Voinov wrote:
The problem is: I can't see most of the ICQ traffic, because it uses
non-HTTP/HTTPS/FTP ports. Only with a sniffer.
Okay, that should not matter much. That part of the traffic there is
nothing we can do about in Squid.

Looks like this:

1. Login starts over port 5190 with the CONNECT method. And the normal Squid
config blocks it - this is a non-SSL port.
Nod.

2. If we add this port to the SSL_ports acl, the connect starts via HTTP over
the HTTPS port. Squid prohibits it too. If we relax the config (and make it
less secure!), the login phase goes to the next step.
Pause, how does Squid prohibit that _exactly_ ?

Maybe somebody else can find a way to do it without losing security.


3. And finally Squid got an XML answer via HTTP/HTTPS, which is visible to
Squid, and at this moment the client got "Login denied, check
login/password". Whether the password is right or wrong.
Okay. That sounds a bit like it could be from something Squid is adding
(or not adding).

Actually seeing those request and reply messages here would help a lot.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
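
An added example, not part of the original posts: one way to read the access.log excerpt in this message is to group the startOSCARSession requests per client and report how often they repeat, whether they all returned 200, and which query parameters differ between attempts. The sample lines are constructed from the layout shown above with shortened placeholder tokens, and `parse_line` and `retry_report` are hypothetical helper names.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Squid's native access.log layout, modelled on the entries
# in this thread; the a= and sig_sha256= values are shortened placeholders.
SAMPLE = """\
1445936940.849 115 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=TOKEN&f=xml&port=443&ts=1445936940&sig_sha256=SIG1 - ORIGINAL_DST/178.237.23.232 text/xml
1445936991.001 118 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=TOKEN&f=xml&port=443&ts=1445936990&sig_sha256=SIG2 - ORIGINAL_DST/178.237.23.232 text/xml
1445937041.165 119 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=TOKEN&f=xml&port=443&ts=1445937041&sig_sha256=SIG3 - ORIGINAL_DST/178.237.23.232 text/xml
1445937000.000 90 192.168.100.103 TCP_MISS/200 512 GET http://example.test/index.html - ORIGINAL_DST/192.0.2.10 text/html
"""

def parse_line(line):
    """Split one native-format access.log line into the fields used below."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    url = urlsplit(f[6])
    return {"time": float(f[0]), "client": f[2], "code": code, "status": int(status),
            "method": f[5], "host": url.hostname, "path": url.path,
            "query": parse_qs(url.query)}

def retry_report(log_text, path="/aim/startOSCARSession"):
    """Per client: how many times `path` was requested, the gaps between
    requests, and which query parameters changed from one attempt to the next."""
    by_client = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == path:
            by_client.setdefault(rec["client"], []).append(rec)
    report = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["time"])
        gaps = [round(b["time"] - a["time"], 3) for a, b in zip(recs, recs[1:])]
        changed = set()
        for a, b in zip(recs, recs[1:]):
            keys = a["query"].keys() | b["query"].keys()
            changed |= {k for k in keys if a["query"].get(k) != b["query"].get(k)}
        report[client] = {"attempts": len(recs), "gaps": gaps,
                          "all_200": all(r["status"] == 200 for r in recs),
                          "changed_params": sorted(changed)}
    return report

if __name__ == "__main__":
    for client, info in retry_report(SAMPLE).items():
        print(client, info)
```

On the constructed sample the report shows three attempts about 50 seconds apart, all answered with 200, with only `ts` and `sig_sha256` changing between them.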
