We have a pfSense setup with 2 WAN connections (3Mb/s and 17Mb/s) and are using tcpdump to log connection setup and DNS requests. We'd like to analyze the places being connected to, with an eye toward watching for trojans and other dial-home programs. Are there any tools out there for this kind of analysis?
I've seen "Tool to analyze web traffic per file and time period?", and the answers there seem to be for looking at inbound traffic to a web server, whereas this is more a review of outbound traffic.
We aren't using Squid because we haven't figured out how to get it to work in a failover mode. With the asymmetric bandwidth connections, we have some things that always go in/out over the 3Mb/s link (like email), but we want the web traffic to go out over the 17Mb/s connection unless it is down, in which case we want it to fail over to the 3Mb/s connection. That is something we haven't figured out how to configure.
The other thing about this setup is that we'd like to watch for non-web traffic as well. We'd like to see what outbound connections are being made (chat clients, SSH, ...). The primary usage is to watch for rogue activity, something to help that activity raise a red flag.
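As an added example (not part of the original question or any answer), here is the kind of first-pass analysis that can be run over the tcpdump text log described above. It parses `tcpdump -n -tttt` output for outbound TCP SYNs and DNS queries and applies three dial-home heuristics: connections repeated at a near-constant interval (beaconing), outbound connections to ports outside an expected set, and internal hosts that open outbound connections without ever resolving a name (hard-coded addresses). The LAN range, the expected-port list and the log lines are all constructed assumptions; adjust the first two to the real network.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed LAN behind pfSense; change to the real internal range.
INTERNAL_NET = ip_network("192.168.1.0/24")
# Assumed set of ports normally expected to leave the LAN; anything else is reported.
EXPECTED_PORTS = {22, 25, 53, 80, 110, 143, 443, 587, 993, 995}

# Constructed sample in `tcpdump -n -tttt` format, not from a real capture.
# Host .20 browses and sends mail; host .30 checks in to 198.51.100.7:8443
# every five minutes and once tries an IRC port, without any DNS lookups.
SAMPLE_LOG = """\
2012-03-05 09:00:00.000000 IP 192.168.1.30.49152 > 198.51.100.7.8443: Flags [S], seq 1, win 65535, length 0
2012-03-05 09:00:01.100000 IP 192.168.1.20.55012 > 192.168.1.1.53: 41230+ A? www.example.com. (33)
2012-03-05 09:00:01.250000 IP 192.168.1.20.55013 > 203.0.113.80.443: Flags [S], seq 2, win 65535, length 0
2012-03-05 09:00:02.000000 IP 192.168.1.20.55014 > 192.168.1.50.445: Flags [S], seq 3, win 65535, length 0
2012-03-05 09:02:30.000000 IP 192.168.1.20.55015 > 192.168.1.1.53: 41231+ A? mail.example.com. (34)
2012-03-05 09:02:30.200000 IP 192.168.1.20.55016 > 203.0.113.25.25: Flags [S], seq 4, win 65535, length 0
2012-03-05 09:05:00.300000 IP 192.168.1.30.49153 > 198.51.100.7.8443: Flags [S], seq 5, win 65535, length 0
2012-03-05 09:07:10.000000 IP 192.168.1.30.49154 > 203.0.113.9.6667: Flags [S], seq 6, win 65535, length 0
2012-03-05 09:09:59.900000 IP 192.168.1.30.49155 > 198.51.100.7.8443: Flags [S], seq 7, win 65535, length 0
2012-03-05 09:15:00.100000 IP 192.168.1.30.49156 > 198.51.100.7.8443: Flags [S], seq 8, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
SYN_RE = re.compile(r"^Flags \[S\]")          # plain SYN only; "[S.]" is a SYN-ACK
DNS_RE = re.compile(r"^\d+\+? (?:A|AAAA)\? (?P<qname>\S+) \(\d+\)")


def parse_tcpdump(text):
    """Return (syns, queries): outbound SYNs as (ts, src, dst, dport) and
    A/AAAA queries as (ts, src, qname). LAN-to-LAN connections are dropped."""
    syns, queries = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        dns = DNS_RE.match(m["rest"])
        if dns and m["dport"] == "53":
            queries.append((ts, str(src), dns["qname"].rstrip(".")))
        elif SYN_RE.match(m["rest"]) and src in INTERNAL_NET and dst not in INTERNAL_NET:
            syns.append((ts, str(src), str(dst), int(m["dport"])))
    return syns, queries


def find_beacons(syns, min_hits=3, max_jitter=0.2):
    """Flag (src, dst, dport) contacted repeatedly at a near-constant interval,
    the signature of a scheduled check-in. Jitter = max|gap - mean| / mean."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in syns:
        by_flow[(src, dst, dport)].append(ts)
    beacons = []
    for (src, dst, dport), stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if max(abs(g - mean) for g in gaps) / mean <= max_jitter:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "hits": len(stamps), "interval": round(mean)})
    return beacons


def find_unexpected_ports(syns, expected=EXPECTED_PORTS):
    """Count outbound SYNs to ports outside the expected set, per (src, dst, dport)."""
    counts = defaultdict(int)
    for _, src, dst, dport in syns:
        if dport not in expected:
            counts[(src, dst, dport)] += 1
    return sorted(counts.items())


def hosts_without_lookups(syns, queries):
    """Internal hosts that connected out but never issued a DNS query in the
    capture; code with hard-coded addresses behaves this way."""
    talkers = {src for _, src, _, _ in syns}
    resolvers = {src for _, src, _ in queries}
    return sorted(talkers - resolvers)


def report(text):
    syns, queries = parse_tcpdump(text)
    return {"beacons": find_beacons(syns),
            "unexpected_ports": find_unexpected_ports(syns),
            "silent_talkers": hosts_without_lookups(syns, queries)}


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

Feed it a real log with `python3 analyze.py < outbound.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`. The beacon check is deliberately loose (20% jitter) because real implants add random delay; tighten `min_hits` rather than `max_jitter` when the capture is long.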
If you want to monitor traffic for security reasons and alert based on it, the tool for this is called an Intrusion Detection System (IDS).
A popular tool for this is Snort. You can run it on Windows or Linux (and maybe BSD?). I would put this on a separate machine. It could then sniff the WAN traffic by having your switches run mirror ports for each of the WAN connections.
So the WAN connections go through your switches (probably in their own VLAN), and each has a mirror port. These mirror ports are plugged into your IDS box, so the IDS sees a copy of all the WAN traffic. If the IDS sees something funny in the WAN traffic, it will send you an alert.
Squid should use either interface, whichever one the router has as a higher priority. How are you directing traffic to specific interfaces? Are you using firewall rules? (i.e., the gateway setting at the bottom of the rule creation page)
Note that if you are trying to balance it using rules and you attempt to use Squid in transparent proxy mode, then the outbound traffic from it will always appear to come from the router's address and not from the machine that originally requested it.
Snort is available as a package for pfSense, if your router machine is powerful enough to handle running it as well as its normal duties.
Squid cannot be used as a transparent proxy with multi-WAN connections on pfSense. The router has two addresses, but pfSense will only use the first WAN connection, not any optional WAN interface. No matter how you try to route the traffic, Squid will ignore all those routing rules and only use the main default gateway for all traffic that it processes.