Re: configure squid to cache sites
On Tue, Jul 06, 2004 at 11:29:04AM -0600, Lucas Albers wrote:
> Thought I would share my squid configuration to allow caching of
> windowsupdate/mcafee and similar for clients.
> Needs ims config to work correctly.
> Sure saves bandwidth, and vastly speeds up updates, for windows clients.
> Not a transparent configuration.
> http://www.mail-archive.com/debian-user@lists.debian.org/msg107772.html

a useful set of refresh_patterns for squid.

there was one typo ("*." rather than ".*") in the first regexp, and three of the regexps could be re-written in a more generic form, so that they're not tied to particular versions of the service packs.

also, a literal "." should always be written as "\." in a regexp, otherwise it matches *any* character.

# refresh patterns to enable caching of MS windows update
refresh_pattern http://.*\.windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://office\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
# the next two can be rewritten as one regexp, which should also match other
# SP versions.
#refresh_pattern http://wxpsp2\.microsoft\.com/ 0 80% 20160 reload-into-ims
#refresh_pattern http://xpsp1\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w?xpsp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
# ditto for the next one.
#refresh_pattern http://w2ksp4\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w2ksp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://download\.microsoft\.com/ 0 80% 20160 reload-into-ims
# and some other windows updaters
refresh_pattern http://download\.macromedia\.com/ 0 80% 20160 reload-into-ims
refresh_pattern ftp://ftp\.nai\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://ftp\.software\.ibm\.com/ 0 80% 20160 reload-into-ims

craig

--
craig sanders <[EMAIL PROTECTED]>

The next time you vote, remember that "Regime change begins at home"
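Added example (not from the thread): a small checker that runs the corrected refresh_pattern regexps above against constructed URLs, and shows the two defects the reply names, the "*." typo and unescaped dots. It assumes Python's re module is close enough to Squid's POSIX regexec for these patterns, and the typo'd pattern is a reconstruction, not a line quoted from the original post.

```python
import re

# Regexp fields of the corrected refresh_pattern lines (subset, copied from
# the reply). Squid matches these with regexec, searching anywhere in the
# URL and case-sensitively unless -i is given; re.search behaves the same here.
CORRECTED = {
    "windowsupdate": r"http://.*\.windowsupdate\.microsoft\.com/",
    "office":        r"http://office\.microsoft\.com/",
    "xpsp":          r"http://w?xpsp[0-9]\.microsoft\.com/",
    "w2ksp":         r"http://w2ksp[0-9]\.microsoft\.com/",
}

# Assumed reconstruction of the typo the reply mentions: "*." instead of ".*",
# with unescaped dots. In a regexp "/*" means zero or more slashes, so this
# never matches a host with a subdomain such as v4.windowsupdate.microsoft.com.
TYPO_WINDOWSUPDATE = r"http://*.windowsupdate.microsoft.com/"

def unescape_dots(rx):
    """Turn a corrected regexp back into its unescaped form for comparison."""
    return rx.replace(r"\.", ".")

def matches(rx, url):
    """True if the refresh_pattern regexp rx would apply to url."""
    return re.search(rx, url) is not None

def matching_patterns(url, patterns=CORRECTED):
    """Names of the patterns (in config order) whose regexp matches url."""
    return [name for name, rx in patterns.items() if matches(rx, url)]

# Constructed sample URLs: update hosts from the thread plus one look-alike
# host that only an unescaped "." would let through.
SAMPLES = [
    "http://v4.windowsupdate.microsoft.com/v4/iuident.cab",
    "http://office.microsoft.com/officeupdate/x.cab",
    "http://wxpsp2.microsoft.com/sp2.exe",
    "http://xpsp1.microsoft.com/sp1.exe",
    "http://w2ksp4.microsoft.com/sp4.exe",
    "http://office-microsoft-com/officeupdate/x.cab",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", matching_patterns(url) or "no refresh_pattern applies")
    print("typo'd pattern matches the v4 host:",
          matches(TYPO_WINDOWSUPDATE, SAMPLES[0]))
    print("unescaped office pattern matches the look-alike host:",
          matches(unescape_dots(CORRECTED["office"]), SAMPLES[5]))
```

The last sample shows why escaping matters for a cache: with unescaped dots a pattern meant for one vendor host also governs caching for any host whose name differs only at those positions.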
configure squid to cache sites
Thought I would share my squid configuration to allow caching of
windowsupdate/mcafee and similar for clients.
Needs ims config to work correctly.
Sure saves bandwidth, and vastly speeds up updates, for windows clients.
Not a transparent configuration.
http://www.mail-archive.com/debian-user@lists.debian.org/msg107772.html

--
--Luke
CS Sysadmin, Montana State University-Bozeman
acidlab configuration for portscan detection
I have been using snort-mysql with acidlab for intrusion monitoring of the computers on my network. It has been working great. I've also been using bleedingsnort.org for some updated rule sets for virus threats and similar.

I have been unable to configure the portscan detection to work correctly.

My software versions are:
snort-mysql: 2.1.2-2
acidlab: 0.9.6b20-2

Could someone please send me the configuration they used to get the portscanning to work correctly? I've played around with the examples and similar and am not sure why it is not working correctly.

The open source book "Bruce Perens' Open Source Series: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACIDlab" does not cover this.

my snort.conf file:

var HOME_NET [xx.xx.195.0/24,xx.xx.196.0/24,xx.xx.197.0/24,xx.xx.198.0/24,xx.xx.199.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: talker-sliding-scale-factor 0.50 talker-fixed-threshold 30 talker-sliding-threshold 30 talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker 3 server-watchnet $HOME_NET server-ignore-limit 200 server-rows 65535 server-learning-time 14400 server-scanner-limit 4 scanner-sliding-window 20 scanner-sliding-scale-factor 0.50 scanner-fixed-threshold 15 scanner-sliding-threshold 40 scanner-fixed-window 15 scoreboard-rows-scanner 3 src-ignore-net xx.xx.199.62 dst-ignore-net [xx.0.0.0/30] alert-mode once output-mode msg tcp-penalties on

output log_tcpdump: snort.log
output database: log, mysql, user=xx password=xxx dbname=snort host=localhost
output database: alert, mysql, user=xx password=xxx dbname=snort host=localhost

include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/bleeding.rules
include threshold.conf

--
--Luke
CS Sysadmin, Montana State University-Bozeman