[squid-users] Squid + ICQ contest ;)

Yuri Voinov yvoinov at gmail.com
Tue Oct 27 09:23:57 UTC 2015


Here are two parallel blocks of data: a sniffing session from the proxy box, 
and the squid access.log entries from the same time:

root @ cthulhu / # snoop 192.168.100.103|grep icq
Using device aggr1 (promiscuous mode)
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9040
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9040
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9040
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9040
192.168.100.103 -> api.evip.icq.com HTTP C port=9041
api.evip.icq.com -> 192.168.100.103 HTTP R port=9041
192.168.100.103 -> api.evip.icq.com HTTP C port=9041
192.168.100.103 -> api.evip.icq.com HTTP GET 
/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG
api.evip.icq.com -> 192.168.100.103 HTTP R port=9041
api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK
api.evip.icq.com -> 192.168.100.103 HTTP <?xml version="1.0" 
encoding="UTF-8"?>
api.evip.icq.com -> 192.168.100.103 HTTP R port=9041
192.168.100.103 -> api.evip.icq.com HTTP C port=9041
192.168.100.103 -> api.evip.icq.com HTTP C port=9041
192.168.100.103 -> api.evip.icq.com HTTP C port=9041
api.evip.icq.com -> 192.168.100.103 HTTP R port=9041
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9042
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9042
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9042
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9042
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9042
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9042
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9045
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9045
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9042
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9045
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9045
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9045
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9045
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9045
192.168.100.103 -> api.evip.icq.com HTTP C port=9053
api.evip.icq.com -> 192.168.100.103 HTTP R port=9053
192.168.100.103 -> api.evip.icq.com HTTP C port=9053
192.168.100.103 -> api.evip.icq.com HTTP GET 
/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG
api.evip.icq.com -> 192.168.100.103 HTTP R port=9053
api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK
api.evip.icq.com -> 192.168.100.103 HTTP <?xml version="1.0" 
encoding="UTF-8"?>
api.evip.icq.com -> 192.168.100.103 HTTP R port=9053
192.168.100.103 -> api.evip.icq.com HTTP C port=9053
192.168.100.103 -> api.evip.icq.com HTTP C port=9053
192.168.100.103 -> api.evip.icq.com HTTP C port=9053
api.evip.icq.com -> 192.168.100.103 HTTP R port=9053
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9054
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9054
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9054
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9054
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9054
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9054
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9079
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9079
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9054
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9079
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9079
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9079
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9079
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9079
192.168.100.103 -> api.evip.icq.com HTTP C port=9080
api.evip.icq.com -> 192.168.100.103 HTTP R port=9080
192.168.100.103 -> api.evip.icq.com HTTP C port=9080
192.168.100.103 -> api.evip.icq.com HTTP GET 
/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG
api.evip.icq.com -> 192.168.100.103 HTTP R port=9080
api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK
api.evip.icq.com -> 192.168.100.103 HTTP <?xml version="1.0" 
encoding="UTF-8"?>
api.evip.icq.com -> 192.168.100.103 HTTP R port=9080
192.168.100.103 -> api.evip.icq.com HTTP C port=9080
192.168.100.103 -> api.evip.icq.com HTTP C port=9080
192.168.100.103 -> api.evip.icq.com HTTP C port=9080
api.evip.icq.com -> 192.168.100.103 HTTP R port=9080
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9081
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9081
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9081
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9081
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9081
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9081
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9093
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9093
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9081
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9093
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9093
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9093
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9093
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9093
192.168.100.103 -> api.evip.icq.com HTTP C port=9095
api.evip.icq.com -> 192.168.100.103 HTTP R port=9095
192.168.100.103 -> api.evip.icq.com HTTP C port=9095
192.168.100.103 -> api.evip.icq.com HTTP GET 
/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG
api.evip.icq.com -> 192.168.100.103 HTTP R port=9095
api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK
api.evip.icq.com -> 192.168.100.103 HTTP <?xml version="1.0" 
encoding="UTF-8"?>
api.evip.icq.com -> 192.168.100.103 HTTP R port=9095
192.168.100.103 -> api.evip.icq.com HTTP C port=9095
192.168.100.103 -> api.evip.icq.com HTTP C port=9095
192.168.100.103 -> api.evip.icq.com HTTP C port=9095
api.evip.icq.com -> 192.168.100.103 HTTP R port=9095
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9096
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9096
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9096
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9096
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9096
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9096
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9097
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9097
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9096
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9097
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9097
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9097
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9097
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9097
192.168.100.103 -> api.evip.icq.com HTTP C port=9098
api.evip.icq.com -> 192.168.100.103 HTTP R port=9098
192.168.100.103 -> api.evip.icq.com HTTP C port=9098
192.168.100.103 -> api.evip.icq.com HTTP GET 
/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG
api.evip.icq.com -> 192.168.100.103 HTTP R port=9098
api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK
api.evip.icq.com -> 192.168.100.103 HTTP <?xml version="1.0" 
encoding="UTF-8"?>
api.evip.icq.com -> 192.168.100.103 HTTP R port=9098
192.168.100.103 -> api.evip.icq.com HTTP C port=9098
192.168.100.103 -> api.evip.icq.com HTTP C port=9098
192.168.100.103 -> api.evip.icq.com HTTP C port=9098
api.evip.icq.com -> 192.168.100.103 HTTP R port=9098
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9099
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9099
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9099
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9099
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9099
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9099
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9100
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9100
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9099
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9100
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9100
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9100
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9100
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9100
root @ cthulhu / # snoop 192.168.100.103|grep icq
Using device aggr1 (promiscuous mode)
192.168.100.103 -> api.evip.icq.com HTTP C port=8980
api.evip.icq.com -> 192.168.100.103 HTTP R port=8980
192.168.100.103 -> api.evip.icq.com HTTP C port=8980
192.168.100.103 -> api.evip.icq.com HTTP GET 
/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG
api.evip.icq.com -> 192.168.100.103 HTTP R port=8980
api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK
api.evip.icq.com -> 192.168.100.103 HTTP <?xml version="1.0" 
encoding="UTF-8"?>
api.evip.icq.com -> 192.168.100.103 HTTP R port=8980
192.168.100.103 -> api.evip.icq.com HTTP C port=8980
192.168.100.103 -> api.evip.icq.com HTTP C port=8980
192.168.100.103 -> api.evip.icq.com HTTP C port=8980
api.evip.icq.com -> 192.168.100.103 HTTP R port=8980
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=8981
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=8981
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=8981
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=8981
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=8981
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=8981
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTP

1445936940.849    115 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxGUw0U7YYD0Si5sIU1xiNQgqPzSapYWUeJjsNZL8bUpf7BFCVZ2sgNgL2qPMmt%252BsuZJ7AkiJKeXl%252BjFopgqLlgxyHxAyt5ieMGDf8z3erv81lqZcUek7uLw5LRE5imKzY2U7IIH3KaBrYi0i04%253D&buildNumber=9316&clientName=Mail.ru%20Windows%20Agent&clientVersion=5000&distId=20000&f=xml&k=ic1nmMjqg7Yu-0hL&language=ru-RU&majorVersion=65&minorVersion=5&pointVersion=0&port=443&ts=1445936940&sig_sha256=95jne2nFyXVx9y7Vli9%2BnI91T3XlJpzheD95S9hz1aE%3D - ORIGINAL_DST/178.237.23.232 text/xml
1445936991.001    118 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxGUw0U7YYD0Si5sIU1xiNQgqPzSapYWUeJjsNZL8bUpf7BFCVZ2sgNgL2qPMmt%252BsuZJ7AkiJKeXl%252BjFopgqLlgxyHxAyt5ieMGDf8z3erv81lqZcUek7uLw5LRE5imKzY2U7IIH3KaBrYi0i04%253D&buildNumber=9316&clientName=Mail.ru%20Windows%20Agent&clientVersion=5000&distId=20000&f=xml&k=ic1nmMjqg7Yu-0hL&language=ru-RU&majorVersion=65&minorVersion=5&pointVersion=0&port=443&ts=1445936990&sig_sha256=MEhMMYwX%2F2lhxcax%2FmPT3ijCld4ONzCwRV4PqyyVYws%3D - ORIGINAL_DST/178.237.23.232 text/xml
1445937041.165    119 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxGUw0U7YYD0Si5sIU1xiNQgqPzSapYWUeJjsNZL8bUpf7BFCVZ2sgNgL2qPMmt%252BsuZJ7AkiJKeXl%252BjFopgqLlgxyHxAyt5ieMGDf8z3erv81lqZcUek7uLw5LRE5imKzY2U7IIH3KaBrYi0i04%253D&buildNumber=9316&clientName=Mail.ru%20Windows%20Agent&clientVersion=5000&distId=20000&f=xml&k=ic1nmMjqg7Yu-0hL&language=ru-RU&majorVersion=65&minorVersion=5&pointVersion=0&port=443&ts=1445937041&sig_sha256=iF6pBtDiE8xS1LnGo8telVdTkZE8CAZmegpHDuKfBO8%3D - ORIGINAL_DST/178.237.23.232 text/xml
1445937091.358    151 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxGUw0U7YYD0Si5sIU1xiNQgqPzSapYWUeJjsNZL8bUpf7BFCVZ2sgNgL2qPMmt%252BsuZJ7AkiJKeXl%252BjFopgqLlgxyHxAyt5ieMGDf8z3erv81lqZcUek7uLw5LRE5imKzY2U7IIH3KaBrYi0i04%253D&buildNumber=9316&clientName=Mail.ru%20Windows%20Agent&clientVersion=5000&distId=20000&f=xml&k=ic1nmMjqg7Yu-0hL&language=ru-RU&majorVersion=65&minorVersion=5&pointVersion=0&port=443&ts=1445937091&sig_sha256=SjJs4EefLVrqRX%2FXgW9zLsqzMyE0lF9Fi4OiCxdLynE%3D - ORIGINAL_DST/178.237.23.232 text/xml
1445937162.916    524 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxGUw0U7YYD0Si5sIU1xiNQgqPzSapYWUeJjsNZL8bUpf7BFCVZ2sgNgL2qPMmt%252BsuZJ7AkiJKeXl%252BjFopgqLlgxyHxAyt5ieMGDf8z3erv81lqZcUek7uLw5LRE5imKzY2U7IIH3KaBrYi0i04%253D&buildNumber=9316&clientName=Mail.ru%20Windows%20Agent&clientVersion=5000&distId=20000&f=xml&k=ic1nmMjqg7Yu-0hL&language=ru-RU&majorVersion=65&minorVersion=5&pointVersion=0&port=443&ts=1445937162&sig_sha256=ud53qDTKRJCe49ReARVd27GP26p8HFXqDQ2eRQl84i4%3D - ORIGINAL_DST/178.237.23.232 text/xml
1445937234.135    178 192.168.100.103 TCP_MISS/200 915 GET http://api.icq.net/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxGUw0U7YYD0Si5sIU1xiNQgqPzSapYWUeJjsNZL8bUpf7BFCVZ2sgNgL2qPMmt%252BsuZJ7AkiJKeXl%252BjFopgqLlgxyHxAyt5ieMGDf8z3erv81lqZcUek7uLw5LRE5imKzY2U7IIH3KaBrYi0i04%253D&buildNumber=9316&clientName=Mail.ru%20Windows%20Agent&clientVersion=5000&distId=20000&f=xml&k=ic1nmMjqg7Yu-0hL&language=ru-RU&majorVersion=65&minorVersion=5&pointVersion=0&port=443&ts=1445937233&sig_sha256=6vu4TvwMVs57kmRwuKJQ9SZ8Za9V6jlFUOlUsdg3sl4%3D - ORIGINAL_DST/178.237.23.232 text/xml

Note: ICQ also uses sessions over port 5190 in parallel, which are not 
visible on the transparent proxy box.

27.10.15 3:14, Amos Jeffries writes:
> On 27/10/2015 9:36 a.m., Yuri Voinov wrote:
>> The problem is: I can't see most of the ICQ traffic, because it uses
>> non-HTTP/HTTPS/FTP ports. Only with a sniffer.
> Okay, that should not matter much. That part of the traffic there is
> nothing we can do about in Squid.
>
>> Looks like this:
>>
>> 1. Login starts over port 5190 with the CONNECT method. And the normal Squid
>> config blocks it - this is a non-SSL port.
> Nod.
>
>> 2. If we add this port to the SSL_ports acl, the connect starts via HTTP over
>> the HTTPS port. Squid prohibits it too. If we relax the config (and make it
>> less secure!), the login phase goes to the next step.
> Pause, how does Squid prohibit that _exactly_ ?
>
> Maybe somebody else can find a way to do it without losing security.
>
>
>> 3. And finally Squid gets an XML answer via HTTP/HTTPS, which is visible to
>> Squid, and at this moment the client gets "Login denied, check
>> login/password". Whether the password is right or wrong.
> Okay. That sounds a bit like it could be from something Squid is adding
> (or not adding).
>
> Actually seeing those request and reply messages here would help a lot.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
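As an added example (not code from the post, from Squid or from ICQ), the script below parses the access.log entries and the snoop output quoted above and reports the part of the login that the proxy actually sees: each attempt is one intercepted GET to /aim/startOSCARSession (ORIGINAL_DST in the hierarchy field), carrying the same double-percent-encoded `a` token and `k` key every time, a fresh `ts`, a fresh 44-character base64 `sig_sha256` that decodes to 32 bytes, and a `port=443` parameter, answered TCP_MISS/200 with 915 bytes of text/xml and repeated about every 50 seconds. On the snoop side each such HTTP flow sits between HTTPS flows to the bos-*.blue.icq.net host, which do not appear in the access.log excerpt at all. The access.log lines are re-joined from the wrapped lines in the post, the snoop excerpt is a shortened copy of the capture (snoop prints reverse-resolved peer names), and all function and variable names are this example's own.

```python
"""Correlate squid access.log entries with the snoop capture of the same ICQ login.

Added example for this squid-users thread, not code from the post or from Squid.
Log and capture text is copied from the post; names below are this example's own.
"""
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The double-percent-encoded 'a' parameter exactly as it appears in the post's access.log.
A_PARAM = ("%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxGUw0U7YYD0Si5sIU1xiNQgqPzSap"
           "YWUeJjsNZL8bUpf7BFCVZ2sgNgL2qPMmt%252BsuZJ7AkiJKeXl%252BjFopgqLlgxyHxAyt5ieMGDf8z3erv81l"
           "qZcUek7uLw5LRE5imKzY2U7IIH3KaBrYi0i04%253D")

# Squid native log format: time elapsed client code/status bytes method URL user hierarchy/peer type
LOG_LINE = ("{log_ts}    {dur} 192.168.100.103 TCP_MISS/200 915 GET "
            "http://api.icq.net/aim/startOSCARSession?a=" + A_PARAM +
            "&buildNumber=9316&clientName=Mail.ru%20Windows%20Agent&clientVersion=5000&distId=20000"
            "&f=xml&k=ic1nmMjqg7Yu-0hL&language=ru-RU&majorVersion=65&minorVersion=5&pointVersion=0"
            "&port=443&ts={ts}&sig_sha256={sig} - ORIGINAL_DST/178.237.23.232 text/xml")
ACCESS_LOG = [  # first three entries from the post, re-joined onto single lines
    LOG_LINE.format(log_ts="1445936940.849", dur=115, ts=1445936940,
                    sig="95jne2nFyXVx9y7Vli9%2BnI91T3XlJpzheD95S9hz1aE%3D"),
    LOG_LINE.format(log_ts="1445936991.001", dur=118, ts=1445936990,
                    sig="MEhMMYwX%2F2lhxcax%2FmPT3ijCld4ONzCwRV4PqyyVYws%3D"),
    LOG_LINE.format(log_ts="1445937041.165", dur=119, ts=1445937041,
                    sig="iF6pBtDiE8xS1LnGo8telVdTkZE8CAZmegpHDuKfBO8%3D"),
]

# Shortened excerpt of the snoop output in the post (one HTTP flow between two HTTPS flows).
SNOOP_EXCERPT = """\
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9040
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9040
192.168.100.103 -> api.evip.icq.com HTTP C port=9041
api.evip.icq.com -> 192.168.100.103 HTTP R port=9041
192.168.100.103 -> api.evip.icq.com HTTP GET
/aim/startOSCARSession?a=%252FwQAAAAAAAE%252BiGDxFGvIdK4y2khHx5fs11JpPOUnTxG
api.evip.icq.com -> 192.168.100.103 HTTP HTTP/1.1 200 OK
api.evip.icq.com -> 192.168.100.103 HTTP <?xml version="1.0"
encoding="UTF-8"?>
192.168.100.103 -> bos-m028c-rdr1.blue.icq.net HTTPS C port=9042
bos-m028c-rdr1.blue.icq.net -> 192.168.100.103 HTTPS R port=9042
"""

FLOW_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) (?P<proto>HTTPS?) (?P<dir>[CR]) port=(?P<port>\d+)$")


def parse_access_line(line):
    """Split one native-format access.log line and pull the login fields out of the URL."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a native access.log line: %r" % line)
    parts = urlsplit(f[6])
    q = parse_qs(parts.query)                 # strips one layer of percent-encoding
    return {
        "log_ts": float(f[0]), "status": f[3],
        "host": parts.hostname,
        "origin": f[8].split("/", 1)[1],      # ORIGINAL_DST/<ip>: request was intercepted
        "a_token": unquote(q["a"][0]),        # 'a' was encoded twice; strip the second layer
        "key": q["k"][0],
        "client_name": q["clientName"][0],
        "oscar_port": int(q["port"][0]),
        "req_ts": int(q["ts"][0]),
        "sig_b64": q["sig_sha256"][0],
        "sig_bytes": len(base64.b64decode(q["sig_sha256"][0])),
    }


def summarize_login_attempts(lines):
    """What the proxy can see: one signed startOSCARSession GET per attempt, repeated."""
    e = [parse_access_line(l) for l in lines]
    log_ts = [x["log_ts"] for x in e]
    return {
        "attempts": len(e),
        "same_token": len({x["a_token"] for x in e}) == 1,
        "same_key": len({x["key"] for x in e}) == 1,
        "distinct_sigs": len({x["sig_b64"] for x in e}),
        "sig_bytes": sorted({x["sig_bytes"] for x in e}),
        "retry_gaps_s": [round(b - a) for a, b in zip(log_ts, log_ts[1:])],
        "clock_skew_s": [int(x["log_ts"] - x["req_ts"]) for x in e],  # log time minus client ts
        "all_200": all(x["status"].endswith("/200") for x in e),
        "origins": sorted({x["origin"] for x in e}),
        "oscar_ports": sorted({x["oscar_port"] for x in e}),
    }


def snoop_flows(text):
    """Group snoop connection lines by (protocol, client port); count the HTTP GETs seen."""
    flows, gets = {}, 0
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            peer = m["dst"] if m["dir"] == "C" else m["src"]
            flows.setdefault((m["proto"], int(m["port"])), peer)
        elif " HTTP GET" in line:
            gets += 1
    return flows, gets


if __name__ == "__main__":
    print(summarize_login_attempts(ACCESS_LOG))
    print(snoop_flows(SNOOP_EXCERPT))
```

Run against the full access.log and the full snoop output, the same two functions give the count of GETs the proxy logged versus the count of HTTP flows in the capture, and the list of HTTPS client ports that never show up in access.log; the `clock_skew_s` values of 0 to 1 second show the client's `ts` matches the proxy's clock, so a rejected login is not a timestamp problem on this box.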
