[unisog] Ideas on Detecting Proxy Use?

Andrew Cormack A.Cormack at ukerna.ac.uk
Thu Apr 25 07:58:32 GMT 2002

Squid used to append its name to that of the browser in the user-agent HTTP
header (it's a couple of years since I ran a squid though). To see that at a
firewall you need to be able to look inside the packet, but it should be
easily available to the server (or your inbound proxy). I'm not aware of any
difference at the TCP or IP layers.


> -----Original Message-----
> From: Von Elm, William J [mailto:billve at bnl.gov]
> Sent: 25 April 2002 00:48
> To: 'unisog at sans.org'
> Subject: [unisog] Ideas on Detecting Proxy Use?
> Hi All,
>    Does anybody have any insight or references on how to determine if the
> traffic inbound to a webserver is coming from a proxy such as AnalogX or
> Squid?  Do these proxies use a predictable range of source ports or are
> there any other characteristics that can serve to 'fingerprint' them?
> Thanks in advance for your thoughts.
> --
> Bill Von Elm
> Brookhaven Nat'l Laboratory
> billve at bnl.gov
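
Added example, not part of the original thread or of any poster's code: a server-side check that parses a raw HTTP request and reports proxy indicators. It generalizes the User-Agent observation in the reply to the standard `Via` header and the commonly added `X-Forwarded-For` and `Forwarded` headers; the exact form of a proxy-tagged User-Agent is an assumption, and all sample requests are constructed.

```python
import re

# Headers that forwarding proxies commonly add (beyond what the post mentions).
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")
# Assumption: a proxy that tags the User-Agent includes its product name in it.
UA_PROXY_TOKENS = re.compile(r"\b(squid)\b", re.IGNORECASE)


def parse_headers(raw_request: bytes) -> dict:
    """Return {lowercased-name: [values]} from a raw HTTP request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue                          # tolerate malformed lines
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def proxy_indicators(raw_request: bytes) -> list:
    """List the reasons a request looks proxied; empty list means none found."""
    headers = parse_headers(raw_request)
    found = []
    for ua in headers.get("user-agent", []):
        m = UA_PROXY_TOKENS.search(ua)
        if m:
            found.append("user-agent:" + m.group(1).lower())
    for name in PROXY_HEADERS:
        if name in headers:
            found.append("header:" + name)
    return found


# Constructed sample requests (not captured traffic).
DIRECT = (b"GET / HTTP/1.1\r\nHost: www.example.org\r\n"
          b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5)\r\n\r\n")
TAGGED_UA = (b"GET / HTTP/1.0\r\nHost: www.example.org\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5) via Squid\r\n\r\n")
VIA_XFF = (b"GET / HTTP/1.0\r\nHost: www.example.org\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5)\r\n"
           b"Via: 1.0 cache.example.net:3128 (squid)\r\n"
           b"X-Forwarded-For: 192.0.2.10\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("direct", DIRECT), ("tagged-ua", TAGGED_UA), ("via", VIA_XFF)):
        print(label, proxy_indicators(req))
```

An empty result only means no indicator was present: a proxy configured to omit these headers is not flagged, and the header values are supplied by the sender, so treat them as hints rather than proof.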
