On Wed, Oct 20, 2004 at 05:13:36PM -0500, Chris Frederick wrote:
> >What I ended up doing was set up a squid cache proxy on my firewall,
> >then in my firewall ruleset redirect outgoing port 80 to localhost 3129
> >(I think that's the right port..).
> >
> >Squid by default logs all activity.  There's a nice squid log analyzer
> >called sarg that creates nice traffic reports per IP.
> 
> That would be great, could you send me a snip of a report?  The sarg 
> site has a sample up and it looks great, but all it shows is the HOST, 
> and not the GET.  If it can show the GET lines, then you can see exactly 
> what files were accessed on the site.  If the site is something like 
> members.tripod.com, the GET line could be either "GET 
> /~linux_user/index.php" or "GET /~ms_user/exploits.asp".  One is clearly 
> more devious than the other, but if all that is known is the HOST, you 
> can't tell if it was ok or not.

I only ran sarg long enough to check it out - I don't like the privacy
invasion, either, unless I have to (i.e. the PHB tells me to).  I'll put
the sample that I have up at http://therub.org/squid-reports.  It looks
like it only breaks it up by domains - if you want specific GET requests
you'll have to grep the squid access log yourself, probably.  It seems
like looking by domain would be sufficient, though - at least to get an
idea of the sites that are being frequented (check out the "Topsites"
report).

The squid.conf file is enormous, and has settings to block based on a
regular expression against the url, domain based, etc - and can be
really useful for blocking malicious content, if you need to eventually.

> Are you doing anything for IM (msn/icq/aol/yahoo)?  These are the tricky 
> ones since most traffic will be sent to a server, I'll probably have to 
> analyze the content instead, maybe by a keyword search or something (I 
> don't want to steal ALL of the kids' privacy).

No, I wouldn't know where to start on that..

Good luck, let me know if you come up with a clever solution!
dan
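
The per-client GET breakdown discussed above, as an added example that is not part of the original message: a parser for Squid's default native access.log layout that lists the paths each client requested, optionally for one host. The log lines are constructed samples, and the IPs, the example.org hosts and the function names are assumptions for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default "native" access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1098310416.123    210 192.168.1.10 TCP_MISS/200 4312 GET http://members.tripod.com/~linux_user/index.php - DIRECT/203.0.113.5 text/html
1098310420.456     95 192.168.1.11 TCP_MISS/200 1820 GET http://members.tripod.com/~ms_user/exploits.asp - DIRECT/203.0.113.5 text/html
1098310431.789     12 192.168.1.10 TCP_HIT/200 900 GET http://example.org/logo.png - NONE/- image/png
1098310440.002    300 192.168.1.11 TCP_MISS/200 5120 CONNECT secure.example.org:443 - DIRECT/203.0.113.9 -
this line is truncated
"""

def parse_line(line):
    """Return (client, method, host, path) or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, method, url = fields[2], fields[5], fields[6]
    if method == "CONNECT":
        # Tunnelled (HTTPS) requests log only host:port, never a path.
        return client, method, url.rsplit(":", 1)[0], ""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return client, method, parts.hostname or "", path

def requests_by_client(log_text, host=None):
    """Map client IP -> list of (method, host, path), optionally for one host."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip truncated or corrupt lines instead of crashing
        client, method, req_host, path = parsed
        if host is None or req_host == host.lower():
            report[client].append((method, req_host, path))
    return dict(report)

if __name__ == "__main__":
    hits = requests_by_client(SAMPLE_LOG, "members.tripod.com")
    for client, reqs in sorted(hits.items()):
        for method, req_host, path in reqs:
            print(client, method, req_host + path)
```

The CONNECT entry shows the limit of this approach: for tunnelled HTTPS traffic the log holds only the host and port, so no path can be recovered.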


_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list