RE: [squid-users] False Web addresses, and how to handle them

From: Duane Wessels <wessels@dont-contact.us>
Date: Fri, 19 Dec 2003 10:48:31 -0700 (MST)

On Fri, 19 Dec 2003, Eric Geater 12/12/03 wrote:

> "There was an example acl for the purpose in the message sent by Duane."
>
> I didn't understand what I saw; that's what prompted my reply. I can
> put something in my ACLs, but I'd like to know the implications behind
> its structure. Something simple like gator.com is self-explanatory, but
> I just didn't understand what "acl UrlHasLogin urllogin ." and "acl
> SketchyLogin urllogin [^a-zA-Z0-9]" actually meant.
>
> I still don't understand the implication of a login or login character
> in this regard, because in my limited knowledge, "login" is what happens
> when you announce who you are to a system, and not a result in a URL.
> But I'm still learning, so it's just another mystery to uncover :-)

The URL structure has a login field. In practice it is rarely used.
Putting a username and/or password is very insecure, and is normally
discouraged.

Thus, you can almost conclude that if you see anything in the URL's login
field, it is suspicious.

The very simple regular expression "." matches any single character.
Thus, you can use an ACL like this:

   acl UrlHasLogin urllogin .

to detect any non-empty URL login field.

Then you can deny it with an http_access rule.

Now, you might actually have people using your cache and making URL
requests that contain a login field for some valid reason. If you don't
want to deny their requests, you can try to get smarter and make an
ACL that matches only suspicious login fields. To do that you need
to define some way to differentiate valid from suspicious login fields.
One way to do it is to define a set of characters that may, or may not,
appear in the valid or suspicious login strings. My example provides
a list of characters

    a-zA-Z0-9

that are typically found in a valid login (username) field. Then I
define an ACL that matches a character NOT in that set:

   [^a-zA-Z0-9]

To really make this work, you would probably find it necessary to add
more characters to this list (if you have users sending requests with
valid login data).

If you find this syntax confusing, you need to read up on regular expressions.
They are pretty cool.

Duane W.
Received on Fri Dec 19 2003 - 10:48:31 MST
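
The two regular expressions discussed above, applied to a handful of URLs. This is an added example, not part of the original message and not Squid code. It assumes the login field is everything before the last "@" in the authority part and that it is matched as raw text; the sample URLs and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The two patterns from the message, as they appear after "urllogin".
URL_HAS_LOGIN = re.compile(r".")             # any single character
SKETCHY_LOGIN = re.compile(r"[^a-zA-Z0-9]")  # any character outside the set


def login_field(url):
    """Return the text before the last '@' of the authority, or ''."""
    netloc = urlsplit(url).netloc
    userinfo, sep, _host = netloc.rpartition("@")
    return userinfo if sep else ""


def classify(url):
    """Say which of the two ACLs would match this URL's login field."""
    login = login_field(url)
    if not URL_HAS_LOGIN.search(login):
        return "no-login"        # neither ACL matches
    if SKETCHY_LOGIN.search(login):
        return "sketchy-login"   # UrlHasLogin and SketchyLogin both match
    return "plain-login"         # only UrlHasLogin matches


def denied(url, acl_name):
    """Outcome of a deny rule on the named ACL (hypothetical helper)."""
    kind = classify(url)
    if acl_name == "UrlHasLogin":
        return kind != "no-login"
    if acl_name == "SketchyLogin":
        return kind == "sketchy-login"
    raise ValueError("unknown ACL name: " + acl_name)


# Constructed sample URLs (documentation domains and addresses only).
SAMPLES = [
    "http://www.example.org/index.html",        # no login field
    "ftp://alice@ftp.example.org/pub/",         # ordinary username
    "http://www.example.com@192.0.2.10/login",  # hostname-like login field
    "ftp://bob_smith@ftp.example.org/",         # valid user, but '_' is
]                                               # outside a-zA-Z0-9

if __name__ == "__main__":
    for url in SAMPLES:
        print("%-14s deny(UrlHasLogin)=%-5s deny(SketchyLogin)=%-5s %s" % (
            classify(url), denied(url, "UrlHasLogin"),
            denied(url, "SketchyLogin"), url))
```

The last sample shows why the character list may need extending: a legitimate username containing "_" is flagged until that character is added to the set.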
