Proxy Servers: Proxy servers would keep a copy of, or cache of, that content
as well. Then, if another client were to request the same page soon
thereafter, the proxy would simply provide the cached content without re-requesting the same web page over the T-1.
Prevent bad things
Log Data: Access list for all HTTP(s) traffic
Cache Data: Copies of transacted objects for all HTTP(s) traffic
Proxy Logs: Typical proxy logs not only include elements like the time,
requester's IP address, and URL, but also the result status of the request,
and sometimes the username that made it.
Blue Coat Proxy: an appliance used widely in corporate enterprise
networks. It includes the built-in ability to perform SSL proxying.
Reverse Proxy: In this model, proxy servers generally broker requests from
a large number of client systems to a smaller number of servers. Often, a
reverse proxy will provide load-balancing, compression, and other
performance-enhancing functionality.
Squid Proxy Server: It's free and relatively easy to deploy, but flexible
enough for complex deployments.
Three main forensically relevant elements
Configuration file: /etc/squid/[Link] -- the configuration files will
prove invaluable in determining the location and meaning of other
sources of evidence. The default conf file is generally kept in
/etc/squid/[Link]
Log files: /var/log/squid/* -- log files provide what is essentially an
access roster for all client requests that the proxy handled.
Cache Data: /var/spool/squid -- the proxy's cache holds the responses that
web servers returned to client requests.
Squid listens on port 3128 by default (http_port 3128 in the config file)
Access Control: In Squid, access control lists can be created to enable
fine-grained behaviour based on traffic characteristics. Below are some
criteria on which an ACL can be built.
IP based ACL
User Authentication
User-Agent
Day and Time
RegEx matching on requested URL
refresh_pattern option: This option controls how Squid determines whether the
objects in its cache are "FRESH" or "STALE". If an object in the cache is
deemed "STALE", the proxy server will attempt to retrieve a newer version
from the appropriate server, then re-cache the newly updated file.
Cache content lifetime - the web server providing the content also sets
parameters for how long the content should be cached. If these parameters
are not present, Squid reverts to its configured defaults.
Format of configuration (one example line, with the field names above it):
# refresh_pattern   regex   min    pct   max
  refresh_pattern   ^ftp:   1440   20%   10080
RegEx: RegEx matched against the request URL
Min: Minimum time (minutes) the object is considered "FRESH"
Pct: Percentage of the object's age at cache time for which it will still be
considered "FRESH"
Max: Maximum time (minutes) the object is considered "FRESH"
Last-Modified              Cached                       Cache
[server]                   Date/Time                    Expiration
|<------- 2.5 hrs -------->|<--------- 30 min --------->|
------------------------------------------------------------------------------>
                           | "Fresh": serve from cache  | "Stale": verify state from server
(30 min is 20% of the 2.5 hrs between Last-Modified and the time the object was
cached, i.e. the pct value of the example line.)
[Link]
Basically a cached object is:
FRESH if expires > now, else STALE (when the server supplied an expiry)
STALE if age > max
FRESH if lm-factor < percent, else STALE
FRESH if age < min
else STALE
where age = time since the object was cached and
lm-factor = age / (cached Date/Time - Last-Modified)
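The freshness rules above, carried through as working code. This is an added example, not code from the page or from the Squid project: it implements the documented rule order (Expires first, then max, then the Last-Modified factor, then min) in minutes, the unit refresh_pattern uses. The rule set is constructed from the page's ^ftp: line plus a catch-all "." line, and the sample times reproduce the 2.5 hrs / 30 min timeline from the diagram.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# All times are in minutes, the unit refresh_pattern uses in squid.conf.


@dataclass(frozen=True)
class RefreshPattern:
    regex: str       # matched against the request URL
    min_age: float   # minutes an object stays FRESH even without Last-Modified
    pct: float       # fraction (20% -> 0.20) of the object's age at cache time
    max_age: float   # minutes after which the object is STALE regardless


# Constructed rule set (assumption): the page's ^ftp: line and a catch-all line.
PATTERNS: List[RefreshPattern] = [
    RefreshPattern(r"^ftp:", 1440, 0.20, 10080),
    RefreshPattern(r".", 0, 0.20, 4320),
]


def select_pattern(url: str, patterns: List[RefreshPattern] = PATTERNS) -> Optional[RefreshPattern]:
    """Squid applies the first refresh_pattern whose regex matches the URL."""
    for p in patterns:
        if re.search(p.regex, url):
            return p
    return None


def freshness(url: str, now: float, cached_at: float, last_modified: Optional[float] = None,
              expires: Optional[float] = None,
              patterns: List[RefreshPattern] = PATTERNS) -> Tuple[bool, str]:
    """Apply the documented rules in order; return (is_fresh, rule that decided)."""
    rule = select_pattern(url, patterns)
    if rule is None:
        return False, "no matching refresh_pattern"
    age = now - cached_at
    # 1. An explicit expiry from the origin server decides outright.
    if expires is not None:
        return (expires > now), "expires"
    # 2. Older than max: always stale.
    if age > rule.max_age:
        return False, "age > max"
    # 3. Last-Modified heuristic: fresh while age is below pct of the
    #    object's age at the moment it was cached (lm-factor < percent).
    if last_modified is not None and cached_at > last_modified:
        lm_factor = age / (cached_at - last_modified)
        if lm_factor < rule.pct:
            return True, "lm-factor < pct"
    # 4. Younger than min: fresh even with no usable Last-Modified.
    if age < rule.min_age:
        return True, "age < min"
    return False, "default"


if __name__ == "__main__":
    # Timeline from the diagram: Last-Modified at 0, cached 150 min later (2.5 hrs).
    for age in (20, 40):
        print(age, freshness("http://www.example.com/page.html", now=150 + age,
                             cached_at=150, last_modified=0))
```

With the catch-all line (min 0, 20%), the object is fresh for 30 min after caching and stale afterwards, exactly as the diagram shows; the same object under the ^ftp: line would still be fresh at 40 min because min is 1440.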
Squid Logs: [Link]
Defaults:
UNIX Time Stamp ([Link])
Response time (ms)
Requestor IP/name
Cache status & HTTP status code
Reply size (bytes)
Request method (GET/POST/etc)
URL requested*
User name (if applicable)
Squid hierarchy status & server IP/peer name
MIME type
ex: 1339038269.433 531 [Link] TCP_MISS/200 17746 GET [Link]
Query strings are not logged by default. To enable logging of them, add the following to
/etc/squid/[Link]:
strip_query_terms off
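A parser for the default log layout listed above, with a small triage pass over it. This is an added example, not code from the page or from the Squid project. The log lines are constructed (documentation-range addresses and example domains, not real traffic) and follow the field order given in the Defaults list; the query-string field check shows what changes once strip_query_terms is off.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample lines in Squid's default ("native") access.log layout.
# Addresses and names are documentation values, not real clients or sites.
SAMPLE_LOG = """\
1339038269.433    531 192.0.2.10 TCP_MISS/200 17746 GET http://www.example.com/index.html - DIRECT/198.51.100.5 text/html
1339038270.120     12 192.0.2.10 TCP_HIT/200 4096 GET http://www.example.com/logo.png - NONE/- image/png
1339038275.801    203 192.0.2.11 TCP_MISS/200 512 GET http://www.example.com/search?q=quarterly+report alice DIRECT/198.51.100.5 text/html
1339038280.007      0 192.0.2.12 TCP_DENIED/403 3500 GET http://blocked.example.net/ - HIER_NONE/- text/html
1339038281.555    845 192.0.2.12 TCP_TUNNEL/200 0 CONNECT updates.example.org:443 bob DIRECT/203.0.113.9 -
"""

# One named group per default field: timestamp, elapsed ms, client, cache status /
# HTTP status, reply bytes, method, URL, user, hierarchy status / peer, MIME type.
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<cache>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one native-format line; return None for lines that do not fit."""
    m = NATIVE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    ts = float(d["ts"])
    return {
        "ts": ts,
        # UNIX timestamp rendered as UTC for timeline work
        "when": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "elapsed_ms": int(d["elapsed"]),
        "client": d["client"],
        "cache_status": d["cache"],
        "http_status": int(d["status"]),
        "bytes": int(d["bytes"]),
        "method": d["method"],
        "url": d["url"],
        "user": None if d["user"] == "-" else d["user"],
        "hierarchy": d["hier"],
        "peer": d["peer"],
        "mime": d["mime"],
        # Present only when strip_query_terms is off; otherwise Squid drops the '?...' part
        "has_query": "?" in d["url"],
    }


def parse_log(text: str) -> List[Dict]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def summarize(records: List[Dict]) -> Dict:
    """Basic triage: volume per client, denied requests, usernames, query-string visibility."""
    return {
        "requests": len(records),
        "bytes_by_client": Counter({}) + Counter(
            {c: sum(r["bytes"] for r in records if r["client"] == c)
             for c in {r["client"] for r in records}}),
        "denied": [(r["client"], r["url"]) for r in records
                   if r["cache_status"].startswith("TCP_DENIED")],
        "authenticated_users": sorted({r["user"] for r in records if r["user"]}),
        "query_strings_logged": any(r["has_query"] for r in records),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["when"], r["client"], r["cache_status"], r["http_status"], r["url"])
    print(summarize(recs))
```

The third sample line keeps its "?q=..." part, so query_strings_logged comes back true; on a proxy running with the default strip_query_terms setting that field would be false and the search terms would not be recoverable from the log.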