IDS mailing list archives
Re: how to detect http tunnel?
From: "Kurt Seifried" <bt () seifried org>
Date: Mon, 3 Feb 2003 17:44:31 -0800
Hi, my environment here is squid/linux serving 1000 users. I need to detect any proxy request which could be a http tunnel connection (e.g. p2p). Can anyone give me a hint which IDS or tool (e.g. squid patch) (free or commercial) can detect suspicious proxy connections, or send me a weblink to a tech. paper on this topic? Thank you, bobr.
Use squid ACLs to block outgoing access to ports other than 80, 443 and whatever else you consider "safe". Please note that of course users can still put tunnels through these. Blocking the "CONNECT" method would largely block tunneling software; however, this would also break HTTPS for most clients. Probably the best advice is to simply log and then check logs for suspicious activity. I assume your AUP/TOS says no proxying software; this is generally better dealt with as a social issue than a technical issue (as a savvy user, if I can access my external web server on port 80, I can use it as a proxy). Ultimately you can't block all proxy connections: data embedded in images or base64-encoded responses, etc. Trying to do so leads to vendors doing things to get around it, Microsoft and SOAP for example (which goes through firewalls like industrial-strength laxative).

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
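The "log and then check logs" approach from the reply above, as an added example that is not part of the thread and not anything Kurt or bobr posted. It parses squid's native access.log format (timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy, content type) and flags two things a tunnel tends to leave behind: CONNECT requests to ports other than 443 (whether squid allowed or denied them), and CONNECT sessions that stay open unusually long or move unusually many bytes, since that is what a p2p or SSH tunnel wrapped in CONNECT looks like against a normal short-lived HTTPS fetch. The log lines, client addresses, hostnames and the duration/size thresholds are all constructed for illustration and will need tuning against your own traffic baseline.

```python
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Squid native access.log line layout (one line per completed request):
#   timestamp elapsed_ms client result/status bytes method url ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Ports on which CONNECT is expected (mirrors a stock squid SSL_ports ACL).
SSL_PORTS = {443}

# Assumed thresholds for illustration only: an interactive HTTPS fetch rarely
# keeps one CONNECT open for half an hour or pushes 50 MiB through it.
LONG_TUNNEL_MS = 30 * 60 * 1000
BIG_TUNNEL_BYTES = 50 * 1024 * 1024

# Constructed sample log; addresses and hosts are documentation-range placeholders.
SAMPLE_LOG = """\
1044317071.512    245 10.1.2.3 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1044317072.001   1830 10.1.2.3 TCP_TUNNEL/200 18423 CONNECT mail.example.com:443 - DIRECT/192.0.2.20 -
1044317090.330 3600000 10.1.2.7 TCP_TUNNEL/200 61237891 CONNECT relay.example.net:443 - DIRECT/198.51.100.5 -
1044317100.110  40022 10.1.2.9 TCP_TUNNEL/200 2041 CONNECT 203.0.113.4:4662 - DIRECT/203.0.113.4 -
1044317101.000    120 10.1.2.9 TCP_DENIED/403 1723 CONNECT 203.0.113.4:1214 - NONE/- text/html
"""


@dataclass
class Finding:
    client: str
    reason: str
    url: str


def parse(line):
    """Return the fields of one access.log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def connect_port(url):
    """CONNECT targets are logged as host:port; return the port or None."""
    host, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def analyze(lines):
    """Flag CONNECT requests that look more like tunnels than ordinary HTTPS."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        port = connect_port(rec["url"])
        if port not in SSL_PORTS:
            # Denied attempts count too: a client probing p2p ports through CONNECT
            # is running tunneling software even if the ACL stopped it.
            findings.append(Finding(rec["client"], f"CONNECT to non-SSL port {port}", rec["url"]))
        elapsed, size = int(rec["elapsed"]), int(rec["size"])
        if elapsed >= LONG_TUNNEL_MS or size >= BIG_TUNNEL_BYTES:
            findings.append(Finding(rec["client"],
                                    f"long/large tunnel ({elapsed} ms, {size} bytes)", rec["url"]))
    return findings


def suspicious_clients(lines):
    """Roll findings up per client so the noisiest users surface first."""
    return dict(Counter(f.client for f in analyze(lines)))


if __name__ == "__main__":
    # Read a real access.log on stdin, or fall back to the constructed sample.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for f in analyze(source):
        print(f"{f.client}\t{f.reason}\t{f.url}")
    print("per-client:", suspicious_clients(source))
```

On the blocking side the reply refers to, this pairs with squid's stock port ACLs (`acl SSL_ports port 443`, `acl Safe_ports port 80 443`, `http_access deny !Safe_ports`, `http_access deny CONNECT !SSL_ports`); the script is what catches what those ACLs let through or what users try before giving up. As the reply says, a tunnel over plain GET/POST to port 80 will not trip either heuristic, so treat the output as a starting point for log review, not proof.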
Current thread:
- how to detect http tunnel? bobr (Feb 03)
- Re: how to detect http tunnel? Kurt Seifried (Feb 05)