Re: AW: [squid-users] Bypassing Squid for local address destination

From: <[email protected]>
Date: Wed, 20 Oct 2004 12:31:34 +0200

Quoting Henrik Nordstrom <hno@squid-cache.org>:

>
>
> On Wed, 20 Oct 2004, oke wrote:
>
> > Can you tell me which pattern to grep to check out the existence of a virus
> > or spyware?
>
> A common sign is lots of requests for random IP addresses, or a very high
> failure ratio (TCP_MISS/5XX or TCP_MISS/404)
>
> Regards
> Henrik
>

And also, look for many:
 TCP_DENIED/407 : software unable to authenticate (if you use authentication)
 TCP_DENIED/400 : misconfigured automatic software trying to access wrong URLs

For example:
407 : a widespread PDF reader v6.0.0 (corrected in v6.0.1)
400 : misconfigured yahoo toolbar accessing companion site with ";" in the URL

awk '$4 ~ /TCP_DENIED\/400/' /usr/local/squid/logs/access.log

Andrew.
Received on Wed Oct 20 2004 - 04:31:40 MDT
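
Added example, not part of the original messages: the signs named in this thread (TCP_MISS/5XX or TCP_MISS/404 failure ratio, requests to many raw IP addresses, TCP_DENIED/407 and TCP_DENIED/400) summarised per client rather than grepped one status at a time. It assumes Squid's native access.log layout; the function names, thresholds and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-client summary of the warning signs named in this thread.
# Assumes Squid native access.log fields: $3 client, $4 result/status, $7 URL.
# Thresholds (min count, failure percent) are illustrative assumptions.

squid_suspects() {   # usage: squid_suspects [logfile|-] [min] [fail_pct]
    awk -v min="${2:-20}" -v pct="${3:-50}" '
    {
        c = $3; total[c]++
        if ($4 == "TCP_DENIED/407") d407[c]++        # proxy auth failures
        if ($4 == "TCP_DENIED/400") d400[c]++        # malformed requests
        if ($4 ~ /^TCP_MISS\/(5[0-9][0-9]|404)$/) fail[c]++
        # Count distinct destinations addressed by raw IPv4 instead of a name
        h = $7
        sub(/^[a-z]+:\/\//, "", h); sub(/(:|\/).*$/, "", h)
        if (h ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !((c, h) in seen)) {
            seen[c, h] = 1; rawip[c]++
        }
    }
    END {
        for (c in total) {
            if (total[c] < min) continue             # too few requests to judge
            f = int(100 * fail[c] / total[c])
            if (f >= pct || d407[c] >= min || d400[c] >= min || rawip[c] >= min)
                printf "%s total=%d fail=%d%% denied407=%d denied400=%d rawip=%d\n",
                       c, total[c], f, d407[c], d400[c], rawip[c]
        }
    }' "${1:--}" | sort
}

sample_log() {   # constructed sample lines, not taken from a real log
    cat <<'EOF'
1098268291.101  120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1098268291.502   12 10.0.0.5 TCP_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png
1098268292.003   80 10.0.0.5 TCP_MISS/404 512 GET http://www.example.com/favicon.ico - DIRECT/192.0.2.10 text/html
1098268293.110 9001 10.0.0.7 TCP_MISS/504 1400 GET http://198.51.100.23/ - DIRECT/198.51.100.23 text/html
1098268293.120 9002 10.0.0.7 TCP_MISS/504 1400 GET http://203.0.113.77/ - DIRECT/203.0.113.77 text/html
1098268293.130 9003 10.0.0.7 TCP_MISS/503 1400 GET http://198.51.100.200:8080/ - DIRECT/198.51.100.200 text/html
1098268293.140   40 10.0.0.7 TCP_MISS/404 600 GET http://203.0.113.5/x - DIRECT/203.0.113.5 text/html
1098268294.001    1 10.0.0.9 TCP_DENIED/407 1700 GET http://update.example.net/check - NONE/- text/html
1098268294.002    1 10.0.0.9 TCP_DENIED/407 1700 GET http://update.example.net/check - NONE/- text/html
1098268294.003    1 10.0.0.9 TCP_DENIED/407 1700 GET http://update.example.net/check - NONE/- text/html
1098268295.001   90 10.0.0.9 TCP_MISS/200 4096 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1098268296.001    1 10.0.0.11 TCP_DENIED/400 1500 GET http://toolbar.example.org/a;b - NONE/- text/html
EOF
}

sample_log | squid_suspects - 3 50
```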
