First thing I'd do about logs is ensure that Proxy doesn't log to a file,
but to an ODBC database. There are scripts for creating the appropriate
database on the Proxy CD - naturally, they recommend Access or SQL Server,
and if you have the latter, that should do nicely for that number of users;
I've no doubt that you could create your db in Oracle or whatever just as
easily. That makes your logs easily queriable, which is a start.

Nick Palmer
IT Manager

> -----Original Message-----
> From: Steven Sporen [mailto:sporensecnet.co.za]
> Sent: 26 June 2001 21:37
> To: focus-mssecurityfocus.com
> Subject: Detecting internal users abusing the internet. MS-PROXY
>
>
> Hi,
>
> I have a situation where we have a large client who has about 5000
> employee's on their private network. All these users use MS
> Proxy through an
> internal cache network to exit onto the Internet. I was
> hoping someone could
> give some sensible advice regarding the monitoring and use of
> MS Proxy. Is
> it possible to detect if an internal user is for example port
> scanning site
> on the internet? Are there good tools for processing the log
> files of MS
> Proxy? Any other constructive comments would be appreciated!
>
> Thanks
> Steven
>

The information contained in this e-mail is intended only for the
individual to whom it is addressed. It may contain privileged and
confidential information. If you have received this message in
error or there are any problems, please notify the sender
immediately and delete the message from your computer. The
unauthorised use, disclosure, copying or alteration of this
message is forbidden. The Eric Wright Group will not be liable
for direct, special, indirect or consequential damage as a result
of any malicious program being passed on, or arising from alteration
of the contents of this message by a third party.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]