On Wed, Oct 20, 2004 at 05:13:36PM -0500, Chris Frederick wrote:
> >What I ended up doing was set up a squid cache proxy on my firewall,
> >then in my firewall ruleset redirect outgoing port 80 to localhost 3129
> >(i think that's the right port..).
> >
> >Squid by default logs all activity. There's a nice squid log analyzer
> >called sarg that creates nice traffic reports per IP.
>
> That would be great, could you send me a snip of a report? The sarg
> site has a sample up and it looks great, but all it shows is the HOST,
> and not the GET. If it can show the GET lines, then you can see exactly
> what files were accessed on the site. If the site is something like
> members.tripod.com, the GET line could be either "GET
> /~linux_user/index.php" or "GET /~ms_user/exploits.asp". One is clearly
> more devious than the other, but if all that is known is the HOST, you
> can't tell if it was ok or not.

I only ran sarg long enough to check it out - I don't like the privacy
invasion, either, unless I have to (i.e. the PHB tells me to).

I'll put the sample that I have up at http://therub.org/squid-reports.
It looks like it only breaks it up by domains - if you want specific GET
requests you'll have to grep the squid access log yourself, probably.

It seems like looking by domain would be sufficient, though - at least to
get an idea of the sites that are being frequented (check out the "Topsites"
report).

The squid.conf file is enormous, and has settings to block based on a
regular expression against the url, domain based, etc - and can be really
useful for blocking malicious content, if you need to eventually.

> Are you doing anything for IM (msn/icq/aol/yahoo)? These are the tricky
> ones since most traffic will be sent to a server, I'll probably have to
> analyze the content instead, maybe by a keyword search or something (I
> don't want to steal ALL of the kids' privacy).

No, I wouldn't know where to start on that.. Good luck, let me know if you
come up with a clever solution!
dan
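
The per-request view discussed in the message above, as an added example that is not part of the original post: it pulls the client, method and full URL out of a Squid access log for one host, so two pages on the same domain can be told apart. It assumes Squid's default native log layout; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in Squid's native access.log layout:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
sample_log() {
cat <<'EOF'
1098310416.123    245 192.168.1.10 TCP_MISS/200 4512 GET http://members.tripod.com/~linux_user/index.php - DIRECT/192.0.2.10 text/html
1098310420.456     12 192.168.1.10 TCP_HIT/200 4512 GET http://members.tripod.com/~linux_user/index.php - NONE/- text/html
1098310431.789    310 192.168.1.11 TCP_MISS/200 9120 GET http://members.tripod.com/~ms_user/exploits.asp - DIRECT/192.0.2.10 text/html
1098310440.001     98 192.168.1.11 TCP_MISS/200 733 POST http://example.org/login - DIRECT/192.0.2.20 text/html
EOF
}

# Hypothetical helper: read an access log on stdin and print
# "count client method URL" for every request whose URL host equals $1,
# most-requested first.
requests_for_host() {
    awk -v host="$1" '
        NF >= 7 {
            url = $7
            h = url
            sub("^[a-z]+://", "", h)   # drop the scheme if present
            sub("[/:].*$", "", h)      # cut at the path or port to leave the host
            if (h == host) seen[$3 " " $6 " " url]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Run against the constructed sample; on a real proxy, feed the access log instead.
sample_log | requests_for_host members.tripod.com
```

Matching on the exact host rather than grepping for a substring keeps a hostname that merely appears inside another URL's query string from being counted.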