All my network clients are configured to use a proxy server for their internet usage. I need to know who bypassed it in order to completely enforce it.
I want to see all traffic that comes from the network via IE or Firefox.
As step 1, I'd like to be able to see all HTTP connections going out on ports 80\443.
Step 2 would separate by source: IE or FF.
Is it doable?
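regex user-agent1 "[Mm][Oo][Zz][Ii][Ll][Ll][Aa]"
regex user-agent2 "[Mm][Ss][Ii][Ee]"
class-map type regex match-any mozilla
 match regex user-agent1
class-map type regex match-any ie
 match regex user-agent2
! The class-map line is missing from the post; the name HTTP-TRAFFIC is a placeholder.
class-map HTTP-TRAFFIC
 match port tcp eq www
! The action under each match is missing from the post; "log" is assumed,
! since the post collects syslog message 415008.
policy-map type inspect http mozilla
 match request header user-agent regex class mozilla
  log
policy-map type inspect http ie
 match request header user-agent regex class ie
  log
! Policy-map name taken from the service-policy line below.
policy-map INSIDE
 class HTTP-TRAFFIC
  inspect http mozilla
  inspect http ie
service-policy INSIDE interface inside
! Send only message 415008 to the syslog server.
logging list TEST message 415008
logging trap TEST
logging host <> x.x.x.x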
You might want to send these messages to a syslog server. 415008 is the syslog message number generated when an HTTP header is matched, and the logging config is to send those messages to the syslog server.
Keep this link, it might come in handy as it gives you the complete break-up of an HTTP request: http://djce.org.uk/dumprequest
This is not a very optimal solution but will get you started.
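An added example, not part of the original post: a Python check of which of the two regex classes above fire on common User-Agent formats, plus a per-source tally of requests that reached the firewall directly instead of through the proxy. The sample records, the proxy address 10.0.0.5 and the narrower IE/Firefox tokens are assumptions of this example.

```python
import re
from collections import defaultdict

# The post's two patterns, written case-insensitively.
PAGE_REGEX = {"mozilla": re.compile("mozilla", re.I), "ie": re.compile("msie", re.I)}

# Narrower tokens (assumption of this example): IE sends "MSIE <ver>" and,
# from IE 11 on, only "Trident/"; Firefox sends "Firefox/<ver>".
IE_TOKEN = re.compile(r"\bMSIE \d|\bTrident/", re.I)
FIREFOX_TOKEN = re.compile(r"\bFirefox/\d", re.I)

def page_classes(ua):
    """Names of the post's regex classes that match a User-Agent value."""
    return [name for name, rx in PAGE_REGEX.items() if rx.search(ua)]

def browser_family(ua):
    """Separate IE from Firefox; IE is tested first because it also says Mozilla."""
    if IE_TOKEN.search(ua):
        return "ie"
    if FIREFOX_TOKEN.search(ua):
        return "firefox"
    return "other"

def bypass_report(records, proxy_ip):
    """Map each non-proxy source IP to the browser families seen going direct."""
    report = defaultdict(set)
    for src, ua in records:
        if src != proxy_ip:  # the proxy's own outbound requests are expected
            report[src].add(browser_family(ua))
    return dict(report)

# Constructed sample data: (source IP, User-Agent) of outbound HTTP requests.
IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
IE11 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
CURL = "curl/7.29.0"
SAMPLE = [
    ("10.0.0.21", IE8),
    ("10.0.0.34", FIREFOX),
    ("10.0.0.5", FIREFOX),   # the proxy itself
    ("10.0.0.21", CURL),
    ("10.0.0.47", IE11),
]

if __name__ == "__main__":
    for ua in (IE8, IE11, FIREFOX, CURL):
        print(page_classes(ua), browser_family(ua), ua)
    print(bypass_report(SAMPLE, "10.0.0.5"))
```

IE 8 hits both of the post's classes and IE 11 hits only `mozilla`, so the two log streams overlap and need a second pass like `browser_family` to split them by browser.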