[squid-users] TeamViewer and other http tunneled connections

Markus markus.bytom.pl at gmail.com
Mon Feb 1 08:56:03 UTC 2016


I've got a Squid server (v. 3.5.x) configured in such a way that only some
"banking sites" are allowed to be tunneled (spliced) - the rest of the SSL
sites are bumped.
That works OK. I thought that it prevented illegal
tunneling-out by users. However, recently I've realized that TeamViewer
is still able to establish a connection over my Squid.
Moreover, users' PCs are totally blocked on my firewall - they only have
access to the web via the Squid proxy (their browsers are proxy-aware).

Of course I can block the teamviewer.com domain by ACL - and that
works. But I'm wondering if there is any way to prevent such
tunnel connections in the future. (I mean other - mainly malicious -
software.)

I've captured some details using Ethereal and it looks like
the TeamViewer app does a normal HTTP GET request to TeamViewer's ASP
script:
http://master13.teamviewer.com/din.aspx?s=00000000&id=0&client=DynGate&rnd=144452645&p=10000001

TeamViewer's server response is an application/octet-stream, but it
contains an ID which is presumably used later in the client's POST
request.

See: http://dev.3d.pl/tmp/teamv.png (screenshot from Ethereal) and
the TCP stream http://dev.3d.pl/tmp/teamv.txt

My question is - does the TeamViewer tunnel traffic differ in any way
from normal HTTP binary content transmission (e.g. YouTube or radio
streaming)?


Can we somehow detect that this kind of transmission is probably
tunnel traffic?

Sorry if my post is a bit chaotic, but I'm kinda confused now about how it works.

Please note - I'm not talking only about TeamViewer itself but in
general about HTTP-tunneled traffic. Maybe an ICAP server could be
useful here? But how do I know what to look for? (What should the
ACLs/rules look like?)

Or do you want to tell me that the only possible way is continuous
observation of what's new "on the market" and adding new rules?

Many thanks for the explanation!

Markus
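
Added example, not part of Markus's post and not Squid project code: a Python scan of Squid native-format access.log lines for the pattern the post describes, a plain-HTTP GET answered with application/octet-stream followed by POSTs from the same client to the same host. The log lines, the POST path placeholder and the `min_posts` threshold are assumptions; the rule is a heuristic that marks client/host pairs for review, not proof of tunneling.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed access.log lines in Squid's native format (not from the post's capture):
# time elapsed client result/status bytes method URL user hierarchy/peer mime
SAMPLE_LOG = """\
1454316963.101    120 10.0.0.21 TCP_MISS/200 512 GET http://master13.teamviewer.com/din.aspx?s=00000000&id=0 - HIER_DIRECT/192.0.2.10 application/octet-stream
1454316963.480     95 10.0.0.21 TCP_MISS/200 300 POST http://master13.teamviewer.com/POST-PATH-PLACEHOLDER - HIER_DIRECT/192.0.2.10 application/octet-stream
1454316964.002     90 10.0.0.21 TCP_MISS/200 310 POST http://master13.teamviewer.com/POST-PATH-PLACEHOLDER - HIER_DIRECT/192.0.2.10 application/octet-stream
1454316970.250   2300 10.0.0.34 TCP_MISS/200 48213 GET http://downloads.example/setup.bin - HIER_DIRECT/192.0.2.20 application/octet-stream
1454316971.900     40 10.0.0.34 TCP_MISS/200 1200 POST http://forms.example/submit - HIER_DIRECT/192.0.2.30 text/html
1454316972.000    310 10.0.0.21 TCP_TUNNEL/200 5120 CONNECT bank.example:443 - HIER_DIRECT/192.0.2.40 -
"""

def find_tunnel_candidates(log_text, min_posts=2):
    """Return sorted (client, host) pairs matching the pattern in the post:
    a plain-HTTP GET answered with application/octet-stream, followed by
    repeated POSTs from the same client to the same host."""
    saw_binary_get = set()
    posts_after_get = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip truncated or non-native lines
        client, method, url, mime = fields[2], fields[5], fields[6], fields[9]
        if not url.lower().startswith("http://"):
            continue  # CONNECT (spliced or bumped) traffic is outside this heuristic
        key = (client, urlsplit(url).hostname)
        if method == "GET" and mime.lower() == "application/octet-stream":
            saw_binary_get.add(key)
        elif method == "POST" and key in saw_binary_get:
            posts_after_get[key] += 1
    # min_posts is an assumed threshold; a single POST is too common to flag
    return sorted(k for k, n in posts_after_get.items() if n >= min_posts)

if __name__ == "__main__":
    for client, host in find_tunnel_candidates(SAMPLE_LOG):
        print(f"review: {client} -> {host}")
```

An ordinary binary download (the `downloads.example` line) is not flagged because no POSTs to that host follow it.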

