Re: configure squid to cache sites

2004-07-06 Thread Craig Sanders
On Tue, Jul 06, 2004 at 11:29:04AM -0600, Lucas Albers wrote:
> Thought I would share my squid configuration to allow caching of
> windowsupdate/mcafee and similar for clients.
> Needs ims config to work correctly.
> Sure saves bandwidth, and vastly speeds up updates, for windows clients.
> Not a transparent configuration.
> http://www.mail-archive.com/debian-user@lists.debian.org/msg107772.html

a useful set of refresh_patterns for squid.

there was one typo ("*." rather than ".*") in the first regexp, and three of
the regexps could be re-written in a more generic form, so that they're not
tied to particular versions of the service packs.

also, a literal "." should always be written as "\." in a regexp, otherwise it
matches *any* character.


# refresh patterns to enable caching of MS windows update
refresh_pattern http://.*\.windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://office\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims

# the next two can be rewritten as one regexp, which should also match other
# SP versions.
#refresh_pattern http://wxpsp2\.microsoft\.com/ 0 80% 20160 reload-into-ims
#refresh_pattern http://xpsp1\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w?xpsp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims

# ditto for the next one.
#refresh_pattern http://w2ksp4\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w2ksp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims

refresh_pattern http://download\.microsoft\.com/ 0 80% 20160 reload-into-ims

# and some other windows updaters
refresh_pattern http://download\.macromedia\.com/ 0 80% 20160 reload-into-ims
refresh_pattern ftp://ftp\.nai\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://ftp\.software\.ibm\.com/ 0 80% 20160 reload-into-ims


craig

-- 
craig sanders <[EMAIL PROTECTED]>

The next time you vote, remember that "Regime change begins at home"
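
An added example, not from the thread, that checks Craig's two regexp points: it parses refresh_pattern lines in squid's syntax, mimics squid's first-match lookup, and shows which constructed URLs the corrected first regexp selects compared with an unescaped-dot form and the "*." typo. It assumes Python's re in place of squid's POSIX regex (equivalent for these patterns) and reconstructs the two pre-fix forms as assumptions, since the thread only describes them.

```python
import re

# Constructed sample: refresh_pattern lines from the post above, plus one line
# with the space before the min field dropped ("/0"), as seen in some archived copies.
SAMPLE_CONF = r"""# refresh patterns to enable caching of MS windows update
refresh_pattern http://.*\.windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w?xpsp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://office\.microsoft\.com/0 80% 20160 reload-into-ims
"""
# squid syntax: refresh_pattern [-i] regex min percent max [options]
LINE_RE = re.compile(r"^refresh_pattern\s+(-i\s+)?(\S+)\s+(\d+)\s+(\d+)%\s+(\d+)\s*(.*)$")

def parse_refresh_patterns(text):
    """Return (rules, bad_lines); a rule is (compiled regex, min, pct, max, options)."""
    rules, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:  # e.g. the "/0" line: the regex token swallowed the min field
            bad.append(lineno)
            continue
        ci, pat, mn, pct, mx, opts = m.groups()
        rx = re.compile(pat, re.IGNORECASE if ci else 0)
        rules.append((rx, int(mn), int(pct), int(mx), opts.split()))
    return rules, bad

def first_match(rules, url):
    """Squid applies the first refresh_pattern whose regex matches the URL."""
    for rx, *_ in rules:
        if rx.search(url):
            return rx.pattern
    return None

# Corrected first regexp from the post, plus two reconstructed pre-fix forms
# (assumptions): "." left unescaped, and "*." written instead of ".*".
CORRECT = r"http://.*\.windowsupdate\.microsoft\.com/"
UNESCAPED = r"http://.*.windowsupdate.microsoft.com/"
TYPO = r"http://*\.windowsupdate\.microsoft\.com/"
SAMPLE_URLS = [  # constructed test URLs; the third is a lookalike host
    "http://v4.windowsupdate.microsoft.com/x.cab",
    "http://windowsupdate.microsoft.com/x.cab",
    "http://v4-windowsupdateXmicrosoftXcom/x.cab",
]

def matching_urls(pattern, urls):
    # unanchored search, as squid's regexec-based matching does
    rx = re.compile(pattern)
    return [u for u in urls if rx.search(u)]
```

The unescaped form also selects the lookalike host, so a cache rule written that way applies reload-into-ims to content it was never meant to cover; the "*." form selects nothing at all.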




configure squid to cache sites

2004-07-06 Thread Lucas Albers
Thought I would share my squid configuration to allow caching of
windowsupdate/mcafee and similar for clients.
Needs ims config to work correctly.
Sure saves bandwidth, and vastly speeds up updates, for windows clients.
Not a transparent configuration.
http://www.mail-archive.com/debian-user@lists.debian.org/msg107772.html

-- 
--Luke CS Sysadmin, Montana State University-Bozeman




acidlab configuration for portscan detection

2004-07-06 Thread Lucas Albers
I have been using snort-mysql with acidlab for intrusion monitoring of the
computers on my network.
It has been working great.

I've also been using bleedingsnort.org for some updated rule sets for
virus threats and similar.

I have been unable to configure the portscan detection to work correctly.

My software versions are:
snort-mysql:2.1.2-2
acidlab:0.9.6b20-2

Could someone please send me the configuration they used to get the
portscanning to work correctly?

I've played around with the examples and similar and am not sure why it is
not working correctly.

The open source book:
"bruce peren's open source series: Advanced IDS techniques using
snort,apache, mysql php, and acidlab"
does not cover this.

my snort.conf file:

var HOME_NET [xx.xx.195.0/24,xx.xx.196.0/24,xx.xx.197.0/24,xx.xx.198.0/24,xx.xx.199.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: talker-sliding-scale-factor 0.50 \
    talker-fixed-threshold 30 talker-sliding-threshold 30 \
    talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker 3 \
    server-watchnet $HOME_NET server-ignore-limit 200 server-rows 65535 \
    server-learning-time 14400 server-scanner-limit 4 \
    scanner-sliding-window 20 scanner-sliding-scale-factor 0.50 \
    scanner-fixed-threshold 15 scanner-sliding-threshold 40 \
    scanner-fixed-window 15 scoreboard-rows-scanner 3 \
    src-ignore-net xx.xx.199.62 dst-ignore-net [xx.0.0.0/30] \
    alert-mode once output-mode msg tcp-penalties on
output log_tcpdump: snort.log
output database: log, mysql, user=xx password=xxx dbname=snort host=localhost
output database: alert, mysql, user=xx password=xxx dbname=snort host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/bleeding.rules
include threshold.conf

-- 
--Luke CS Sysadmin, Montana State University-Bozeman



