Find highest users of a specific protocol

jcoehoorn · 10-31-2011, 10:29 AM

This semester I'm seeing an increase in the number of students using SOCKS 5 to get around our filters. I suspect they are using additional software to automatically set and keep changing the proxy, to avoid having the proxy they are currently using blocked from under them.

Prior experiments have shown that I can't block or even severely throttle SOCKS 5 traffic, as the protocol match has way too many false positives. So what I want to do instead is pull the worst abusers out from each day's reports and put them into a special rack that blocks all SOCKS 5 traffic.

Unfortunately, I don't see a way currently in the reports to show top users within specific protocols. I tried downloading all protocol events and massaging the data in excel, but the process is proving cumbersome.. it will take up too much of my time to keep up with it. SOCKS 5 isn't the biggest protocol detected in my reports, and so I can't just use all detections as proxy.

Is there an easier way to do this?

10-31-2011, 10:29 AM	#1 (permalink)
jcoehoorn Master Untangler Join Date: Mar 2010 Location: York, NE Posts: 475	Find highest users of a specific protocol This semester I'm seeing an increase in the number of students using SOCKS 5 to get around our filters. I suspect they are using additional software to automatically set and keep changing the proxy, to avoid having the proxy they are currently using blocked from under them. Prior experiments have shown that I can't block or even severely throttle SOCKS 5 traffic, as the protocol match has way too many false positives. So what I want to do instead is pull the worst abusers out from each day's reports and put them into a special rack that blocks all SOCKS 5 traffic. Unfortunately, I don't see a way currently in the reports to show top users within specific protocols. I tried downloading all protocol events and massaging the data in excel, but the process is proving cumbersome.. it will take up too much of my time to keep up with it. SOCKS 5 isn't the biggest protocol detected in my reports, and so I can't just use all detections as proxy. Is there an easier way to do this? __________________ Three time Microsoft ASP.Net MVP managing an IBM System x3250 / X3440 / 8GB with Untangle 9.2 to protect 40Mbits for 450+ residential college students and associated staff and faculty

Protect

Filter

Perform

Connect

Manage

Add-Ons