
My company is offering public wireless in a number of locations. Access is controlled by an OpenBSD box running pf and Squid in transparent proxy mode. Using a tool like SARG, I can easily generate an HTML report that shows IP addresses and amount of data transferred. However, utilizing the data requires a human to look at the generated log and see if there is a problem.

I was wondering if there was any tool I could use to send us an alert if a single user exceeded a certain threshold of data transfer? Something that would analyze the log like SARG, but rather than generating a report simply send an e-mail if any "problems" are detected.

Edit 1 - As Squid is set up as a transparent proxy, there are no "users" per se. Rather, it logs IPs, which I can match up to MAC addresses using the DHCP logs. I'm just looking for something that can send me an e-mail if a given IP transfers more than x amount of data in a given time period.

ibrewster
    Does this setup actually identify users via an authentication mechanism? If not, it would be very hard to differentiate between a user and any other generic client. Especially if the IP addresses get re-used over time. – SpacemanSpiff Aug 22 '11 at 19:45
  • It gives the IP addresses of the clients, which I can match up to MAC addresses using the DHCP logs. I make no distinction between different devices connecting. The idea being that if I see a pattern of high usage from a given client, I want to know about it. – ibrewster Aug 22 '11 at 21:45
  • I wish I could be of more direct help, but either a squid modification/plugin or log analyzer is likely to be the best solution if I had to guess, I hope this helps! – SpacemanSpiff Aug 22 '11 at 22:59
  • I have built systems that do this using flow-tools for the data management. I will be interested to see if you are able to get any answers that include actual tools that do this (and are open source). – polynomial Aug 23 '11 at 00:29

1 Answer

Periodic use of pfctl -s state -v and some use of AWK would work.

The above command also includes the session age.

You'd have to poll fairly regularly and make use of a cronjob or similar and do some scripting magic to aggregate IP addresses, but it would work.

Rob
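As an added example (not part of the question or of Rob's answer), here is a POSIX sh/awk sketch in the spirit of the "poll, aggregate with AWK, run from cron" suggestion, applied to Squid's native access.log instead of pfctl state, since the proxy log already records bytes per client IP: it sums bytes per IP for entries newer than a given epoch and prints every IP over a threshold, which cron can pipe to mail. The log lines, IP addresses, threshold and mailbox below are constructed for the example.

```shell
#!/bin/sh
# Sum bytes per client IP from a Squid native access.log over a time window
# and print "IP BYTES" for every IP whose total exceeds a threshold.
# Native Squid log fields: $1 epoch.ms, $2 elapsed ms, $3 client IP,
# $4 code/status, $5 bytes sent to client, $6 method, $7 URL, ...

# Constructed sample log: 10.0.0.5 pulls three 1 MiB objects plus one old
# (out-of-window) large transfer; 10.0.0.7 pulls about 5 KiB.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
1313900000.100    150 10.0.0.5 TCP_MISS/200 1048576 GET http://example.test/a - DIRECT/198.51.100.1 application/octet-stream
1313900010.200     80 10.0.0.7 TCP_HIT/200 2048 GET http://example.test/b - NONE/- text/html
1313900020.300    120 10.0.0.5 TCP_MISS/200 1048576 GET http://example.test/c - DIRECT/198.51.100.1 application/octet-stream
1313900030.400     90 10.0.0.7 TCP_MISS/200 3072 GET http://example.test/d - DIRECT/198.51.100.1 text/html
1313900040.500    200 10.0.0.5 TCP_MISS/200 1048576 GET http://example.test/e - DIRECT/198.51.100.1 application/octet-stream
1313800000.000    100 10.0.0.5 TCP_MISS/200 9999999 GET http://example.test/old - DIRECT/198.51.100.1 application/octet-stream
EOF

# heavy_clients LOGFILE THRESHOLD_BYTES SINCE_EPOCH
# Prints "IP BYTES" (highest first) for IPs whose bytes since SINCE_EPOCH
# exceed THRESHOLD_BYTES; prints nothing when no client is over the limit.
heavy_clients() {
    awk -v thr="$2" -v since="$3" '
        # keep only in-window lines with a numeric byte count
        $1 >= since && $5 ~ /^[0-9]+$/ { bytes[$3] += $5 }
        END { for (ip in bytes) if (bytes[ip] > thr) printf "%s %d\n", ip, bytes[ip] }
    ' "$1" | sort -k2,2nr
}

# Cron usage (hypothetical mailbox): alert on anything over 2 MiB in the last hour.
# since=$(( $(date +%s) - 3600 ))
# heavy_clients /var/squid/logs/access.log 2097152 "$since" | mail -s "squid usage alert" admin@example.test
```

A real deployment would keep the last-seen timestamp between runs so the same hour is not reported twice, and would add the MAC lookup against the DHCP log as a second join step.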