[Sysadmins] Sysadmins Digest, Vol 9, Issue 5

Alan Doherty alan at alandoherty.net
Tue Mar 16 02:03:10 GMT 2010


At 12:00 15/03/2010  Monday, sysadmins-request at lists.stdlib.net wrote:
>Date: Sun, 14 Mar 2010 19:24:38 +0000
>From: FRLinux <frlinux at gmail.com>
>Subject: Re: [Sysadmins] Firewalls.
>To: Irish System Adminstrators discussion <sysadmins at lists.stdlib.net>
>Message-ID:
>        <a8139f991003141224o35c03380j226c17f0b98bc2b4 at mail.gmail.com>
>Content-Type: text/plain; charset=ISO-8859-1
>
>On Sun, Mar 14, 2010 at 2:03 PM, Alan Doherty <alan at alandoherty.net> wrote:
>> I use squid internally, directly configured in users' browsers {transparent proxy is, I find, counterproductive as you help-proxy malware too, and can't detect/distinguish between configured clients and unconfigured clients {potential malware}}
>
>Mmmh, care to detail on that one?

Well, it's as it says: most Trojans will attempt a direct port 80 connection to the command & control/update server if HTTP-capable,
before falling back to using the browser proxy {as they know most proxies are used to provide better logging/filtering}, and would prefer to use direct HTTP if possible.

Thus they raise an alarm on the firewall {once, usually unrepeated}.
No browser will ever attempt a direct connection if a proxy is configured
{thus no legit software triggers alarms, except for new installs {which are expected} that need configuring after opening}.

If you transparent proxy, legit and non-legit software's traffic is intercepted and proxied, so there is no way to distinguish or alarm on attempts to bypass the proxy.
You might spot the malware in the logs, but good luck identifying it in a busy environment.

Obviously in a heavy IT-based house new installs are frequent, so it's less useful, but on a broker's premises or an accountant's it's a pretty clear-cut trojan {or other non-trojan but non-IT-approved/installed software} sign to see an attempt at port 80 outbound from a desktop that is configured to use the proxy.
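The detection the message describes, as an added example that is not part of the original post: given the firewall's log of direct outbound web connections from the LAN, an inventory of desktops whose browsers are configured for the proxy, and the address of the squid box itself, a configured desktop going direct to port 80 (or 443, since a configured browser also tunnels HTTPS through the proxy) is the alarm, while a source missing from the inventory is the "new install awaiting configuration" case the author expects. The log lines, the netfilter LOG-target format, the 10.0.1.0/24 addresses, the inventory sets and the function names are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines in netfilter/iptables LOG-target style
# (not from any real system). Assumptions: 10.0.1.0/24 is the desktop LAN,
# 10.0.1.2 is the squid box, and the firewall logs every new outbound TCP flow
# from the LAN to a web port with the prefix "OUT-WEB".
SAMPLE_LOG = """\
Mar 14 13:02:11 fw kernel: OUT-WEB IN=eth1 OUT=eth0 SRC=10.0.1.2 DST=203.0.113.10 PROTO=TCP SPT=41000 DPT=80
Mar 14 13:02:15 fw kernel: OUT-WEB IN=eth1 OUT=eth0 SRC=10.0.1.25 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=80
Mar 14 13:02:16 fw kernel: OUT-WEB IN=eth1 OUT=eth0 SRC=10.0.1.25 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=80
Mar 14 13:05:40 fw kernel: OUT-WEB IN=eth1 OUT=eth0 SRC=10.0.1.30 DST=203.0.113.55 PROTO=TCP SPT=49000 DPT=443
Mar 14 13:06:02 fw kernel: OUT-WEB IN=eth1 OUT=eth0 SRC=10.0.1.90 DST=203.0.113.20 PROTO=TCP SPT=50001 DPT=80
Mar 14 13:07:00 fw kernel: OUT-OTHER IN=eth1 OUT=eth0 SRC=10.0.1.25 DST=10.0.0.53 PROTO=UDP SPT=33000 DPT=53
this line is not a firewall record and is skipped
"""

# Hypothetical inventory: desktops whose browsers are configured to use the
# proxy, and the proxy server(s) themselves, which legitimately connect direct.
PROXY_CONFIGURED = {"10.0.1.25", "10.0.1.30"}
PROXY_HOSTS = {"10.0.1.2"}
WEB_PORTS = {80, 443}

_FIELDS = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_record(line):
    """Pull src, dst, protocol and destination port out of one LOG-target line.
    Returns None for lines that do not carry those fields."""
    m = _FIELDS.search(line)
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def classify_direct_web(log_text, proxy_configured=PROXY_CONFIGURED,
                        proxy_hosts=PROXY_HOSTS, web_ports=WEB_PORTS):
    """Sort direct (non-proxied) outbound web connections into two buckets:

    - "bypass":    a desktop known to be configured for the proxy went direct;
                   a configured browser never does this, so this is the alarm.
    - "unmanaged": a source not in the inventory; a new install awaiting proxy
                   configuration, or a box nobody knows about.

    Each bucket maps source -> {destination: attempt count}; the count lets you
    tell a single probe from a sustained beacon.
    """
    buckets = {"bypass": defaultdict(lambda: defaultdict(int)),
               "unmanaged": defaultdict(lambda: defaultdict(int))}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] not in web_ports:
            continue
        if rec["src"] in proxy_hosts:
            continue  # the proxy is the one host that is supposed to go direct
        bucket = "bypass" if rec["src"] in proxy_configured else "unmanaged"
        buckets[bucket][rec["src"]][rec["dst"]] += 1
    return {name: {src: dict(d) for src, d in b.items()} for name, b in buckets.items()}


def format_alerts(result):
    """Render the classification as one line per (source, destination) pair."""
    lines = []
    for name in ("bypass", "unmanaged"):
        for src, dsts in sorted(result[name].items()):
            for dst, n in sorted(dsts.items()):
                plural = "s" if n != 1 else ""
                lines.append(f"{name.upper():9} {src} -> {dst} ({n} attempt{plural})")
    return lines


if __name__ == "__main__":
    for alert in format_alerts(classify_direct_web(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the proxy's own connection and the DNS record are ignored, the two configured desktops show up as BYPASS (10.0.1.25 with two attempts to the same destination, 10.0.1.30 once over 443) and 10.0.1.90 lands in UNMANAGED for someone to either configure or investigate. In practice the inventory would come from whatever pushes the browser proxy setting (group policy, a config management tool), and the firewall rule that produces these lines only needs to log, not block, for the alarm to work.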
