RE: [squid-users] Squid and Mirrored Router Ports

From: Dave Rhodes <DaveRhodes@dont-contact.us>
Date: Tue, 17 Apr 2007 15:23:02 -0400

Ed, are you sure your management doesn't mean SNORT? I think that's
what you're looking for. It's a pretty good IDS system. Squid's pretty
serial in nature... What goes in must come out kind of thing. SNORT
sits on your backbone and passively monitors/records traffic.
Dave

-----Original Message-----
From: Amos Jeffries [mailto:squid3@treenet.co.nz]
Sent: Tuesday, April 17, 2007 3:11 PM
To: list@telpacific.com.au; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid and Mirrored Router Ports

Edward C. Jakosalem wrote:
>> Hi,
>>
>> Edward C. Jakosalem wrote:
>>>> On Tue 2007-04-17 at 20:55 +1000, Edward C. Jakosalem wrote:
>>>>
>>>>> I have posted this same problem before but I want to post it again
>>>>> because I am pressured to make this work with Squid. I know that
>>>>> Squid's use is either an accelerator or proxy or both. But we want
>>>>> Squid to _only_ capture web traffic and log it, that's all. As
>>>>> such, I have configured my server to act as a transparent proxy.
>>>> I don't quite get what you are trying to do here. Do you want
>>>> Squid to act as a transparent proxy by intercepting port 80 traffic
>>>> and have it redirected to Squid, or do you just want to audit the
>>>> port 80 traffic without actually touching the packets by just
>>>> listening on a switch mirror/monitor port?
>>> I actually just need Squid to act as a transparent proxy so I can log
>>> traffic. I don't care how Squid will do this, I just need the logs.
>>> And the reason why we use the mirrored port is that we don't want
>>> browsing affected in case this server goes down.
>> So you want Squid to be in the path but don't want it to affect
>> anything if it goes down? That can't be done, unless you can use
>> WCCP to ignore it if it's down. Never played with WCCP so I don't
>> know if it's possible. I've always 'done the right thing' and told
>> my browsers about the proxy!
>>
>>
>>>> The first can be done by Squid, and any of the interception methods
>>>> will work: WCCP, policy routing etc.
>>>>
>>>> The second is not a job for Squid. You need a packet
>>>> analyzer/auditor for this. There are quite a few different ones
>>>> depending on what you are looking for.
>>> We specifically need the Squid log format, that's why we want to make
>>> this work with Squid. My boss doesn't want it any other way. :-(
>> Why must he have Squid format logs? What's his business reason for
>> having to have them in that format?
>
> I honestly don't know. But the aim is to have a record of our
> customers' browsing activities and retain the logs for 6 months.
>
>> Squid is probably the wrong tool for the job and won't work how
>> you've got it set up now so why not look around at other tools that
>> are designed for the job?
>
> I already did and told him that. I actually have a program called
> _packit_ up and running. I also found some other useful ones as well.
> But management said Squid can do it and if I can't make it work,
> they will seek help from someone who knows how to. Hey, what's a lowly
> employee like me to do? :-(

Well, it seems to have come down to who you trust to know more about the
software: the people who wrote it, or your managers and whoever gave
them the idea that squid was capable.

Without knowing who your management are or their experience levels I am
thinking at this point that I have heard this story before. It sounds
like your management are not technical people and have been told by a
contact elsewhere that another business uses squid to 'record logs of all
our customers' activities' and then jumped to conclusions.

Squid _can_ sit between your clients and the web and do it. But it does
need to be in the actual traffic path.

SO, you can take a proposal to your management (maybe with costings) for
a robust set of squid cache(s) to be your gateway to the net; you are in
the best position to know what is needed for your company given that
'cannot fail' requirement you mentioned earlier.

OR, I'm sure between us all we can work up a suitably large quote for
the work it would take a developer to make squid capable of sitting on a
mirror port. (I'll start the bidding randomly at a nice round $500k and
see where that goes if you like ;-).

OR, you can go back to your management with our (developers and expert
users) support for the argument that squid cannot do it in any known
version and get them to supply the source of their 'it can' information
to help you do it. As an aside, if they actually come up with a source
we'd like to know who's doing it.

Amos
Received on Tue Apr 17 2007 - 13:23:12 MDT

This archive was generated by hypermail pre-2.1.9 : Tue May 01 2007 - 12:00:01 MDT
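Editor's added example (not part of the thread above, and not Squid code). The thread's sticking point is that Squid must terminate the client's TCP session, and a switch mirror/SPAN port only delivers copies of packets with no return path, so Squid can never sit there; a passive sniffer can, but it can only reproduce Squid's log *format*, not Squid's cache knowledge. The script below shows what that looks like: it takes HTTP request/response pairs as they would come off a mirror port and writes them out in Squid's native access.log layout (time, elapsed, client, result/status, bytes, method, URL, ident, hierarchy/peer, type). The capture input is constructed bytes, and it assumes the capture tool has already reassembled the TCP streams and paired each request with its response. The result tag (fixed TCP_MISS) and the hierarchy field (DIRECT/origin) are placeholders, because a passive observer has no cache decision to report; that is the caveat anyone consuming such logs as "Squid logs" needs to know.

```python
"""Added example (not part of the thread, not Squid code): emit Squid
native access.log lines from HTTP seen passively on a mirror port.

Squid itself cannot do this, since it has to terminate the client's TCP
session and a SPAN/mirror port only delivers copies with no return path.
A sniffer can produce the *format*, but the cache-related fields have to
be faked, which is the caveat shown below.

Assumption: the capture tool has already reassembled each TCP stream and
paired a request with its response (here supplied as constructed bytes).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CapturedExchange:
    """One request/response pair as reassembled from the mirror port."""
    start_ts: float   # epoch seconds when the request was first seen
    end_ts: float     # epoch seconds when the last response byte was seen
    client_ip: str
    server_ip: str
    request: bytes    # raw request (start line, headers, optional body)
    response: bytes   # raw response (status line, headers, body)


def _split_head(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an HTTP message into start line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def parse_request(raw: bytes) -> Tuple[str, str]:
    """Return (method, absolute URL) the way Squid logs them."""
    start, headers, _ = _split_head(raw)
    method, target, _ = start.split(" ", 2)
    if target.startswith(("http://", "https://")):
        url = target                       # absolute-form, proxy-style request
    else:
        url = f"http://{headers.get('host', '-')}{target}"  # origin-form + Host
    return method, url


def parse_response(raw: bytes) -> Tuple[int, int, str]:
    """Return (status code, bytes sent to client, media type without params)."""
    start, headers, _ = _split_head(raw)
    status = int(start.split(" ", 2)[1])
    ctype = headers.get("content-type", "-").split(";")[0].strip() or "-"
    # Squid's %<st counts headers plus body, so log the whole message size.
    return status, len(raw), ctype


def squid_native_line(ex: CapturedExchange) -> str:
    """Format one exchange as a Squid native access.log line:
    time elapsed client result/status bytes method URL ident hier/peer type
    """
    method, url = parse_request(ex.request)
    status, size, ctype = parse_response(ex.response)
    elapsed_ms = int(round((ex.end_ts - ex.start_ts) * 1000))
    # A passive observer never knows Squid's cache decision, so the result
    # tag is a fixed TCP_MISS and the hierarchy is DIRECT/<origin server>.
    # Anyone consuming these logs must know those two fields are placeholders.
    return (f"{ex.start_ts:.3f} {elapsed_ms:6d} {ex.client_ip} "
            f"TCP_MISS/{status:03d} {size} {method} {url} - "
            f"DIRECT/{ex.server_ip} {ctype}")


# Constructed sample capture: one origin-form GET, one proxy-style POST.
SAMPLE: List[CapturedExchange] = [
    CapturedExchange(
        1176837600.000, 1176837600.245, "192.0.2.10", "198.51.100.5",
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: test\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
        b"Content-Length: 13\r\n\r\n<html></html>",
    ),
    CapturedExchange(
        1176837601.500, 1176837601.512, "192.0.2.11", "198.51.100.7",
        b"POST http://api.example.net/login HTTP/1.1\r\n"
        b"Host: api.example.net\r\nContent-Length: 9\r\n\r\nuser=test",
        b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    ),
]


def render_all(exchanges: List[CapturedExchange] = SAMPLE) -> List[str]:
    """Render every captured exchange as one Squid native log line."""
    return [squid_native_line(ex) for ex in exchanges]


if __name__ == "__main__":
    print("\n".join(render_all()))
```

The point of the example is the two placeholder fields: a log consumer that filters on TCP_HIT/TCP_MISS or on the hierarchy code will be reading fiction if these lines are fed to it, which is exactly the gap Amos describes between "Squid format" and "Squid". If the real requirement is only a six-month record of customer browsing, a sniffer-side emitter like this meets the retention need; if the requirement is genuinely Squid's own logs, Squid has to be in the forwarding path (WCCP, policy routing or an iptables redirect on the gateway), with the failover handled by the redirector, not by the mirror port.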