So that looks cool, but I guess I don't understand what you'd do with it at that point?
You have to remind yourself for what purpose the uce & uca counters on the servstats page, as well as the logging to syslog, were added in v2.1. The log entries I'm referring to are like these:
Code:
May 30 05:20:36 Phaeo pixelserv-tls[949]: handshake failed: unknown cert. client 192.168.1.113:50141 server app-measurement.com
May 30 05:21:06 Phaeo pixelserv-tls[949]: handshake failed: unknown cert. client 192.168.1.113:50142 server googleads.g.doubleclick.net
May 30 05:21:07 Phaeo pixelserv-tls[949]: handshake failed: unknown cert. client 192.168.1.113:50144 server googleads.g.doubleclick.net
The TLS handshake section on the manpage could serve as a good reminder.
I had been manually looking in syslog for suspicious connections from LAN clients to rogue servers. The script automates the process and reduces the manual work to a minimum. It presents a concise summary and only new alerts.
Upon receiving the email notification, I can focus right away on the new alerts and confirm whether or not they are malicious... that is what actually requires me to spend time.
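The post describes the two things the script does: collapse the "handshake failed: unknown cert" syslog lines into a per client/server summary, and report only pairs that have not been alerted on before. The following is an added illustration of that logic and is not the poster's script; the `seen` set stands in for whatever the real script persists between runs, and the sample syslog is constructed from the three quoted lines plus an unrelated line and an extra constructed entry (the `192.168.1.120` client and the `example-tracker.invalid` hostname are made up).

```python
import re

# Regex for the pixelserv-tls "unknown cert" handshake-failure line format quoted in the post:
# "<timestamp> <host> pixelserv-tls[<pid>]: handshake failed: unknown cert. client <ip>:<port> server <name>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) pixelserv-tls\[(?P<pid>\d+)\]: "
    r"handshake failed: unknown cert\. client (?P<client>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"server (?P<server>\S+)$"
)

# Constructed sample input: the three lines quoted in the post, one unrelated syslog line that
# must be skipped, and one extra constructed entry for a second LAN client.
SAMPLE_SYSLOG = """\
May 30 05:20:36 Phaeo pixelserv-tls[949]: handshake failed: unknown cert. client 192.168.1.113:50141 server app-measurement.com
May 30 05:21:06 Phaeo pixelserv-tls[949]: handshake failed: unknown cert. client 192.168.1.113:50142 server googleads.g.doubleclick.net
May 30 05:21:07 Phaeo pixelserv-tls[949]: handshake failed: unknown cert. client 192.168.1.113:50144 server googleads.g.doubleclick.net
May 30 05:25:00 Phaeo kernel: unrelated line that must be ignored
May 30 05:30:12 Phaeo pixelserv-tls[949]: handshake failed: unknown cert. client 192.168.1.120:41000 server example-tracker.invalid
"""


def parse_unknown_cert(text):
    """Return one dict per 'unknown cert' handshake failure; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Collapse events into one row per (client IP, server name): hit count, first and last timestamp."""
    summary = {}
    for e in events:
        key = (e["client"], e["server"])
        row = summary.setdefault(key, {"count": 0, "first": e["ts"], "last": e["ts"]})
        row["count"] += 1
        row["last"] = e["ts"]  # lines arrive in time order, so the latest one wins
    return summary


def new_alerts(summary, seen):
    """Return only the (client, server) pairs not yet in `seen`, and record them as seen.

    `seen` is the cross-run memory; a real script would load it from and save it to a file.
    """
    fresh = {key: row for key, row in summary.items() if key not in seen}
    seen.update(fresh)
    return fresh


def format_report(alerts):
    """Render the alerts as a fixed-width table suitable for an email body."""
    lines = [
        f"{client:<15} {server:<32} {row['count']:>4}  {row['first']} .. {row['last']}"
        for (client, server), row in sorted(alerts.items())
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    seen = set()
    first_run = new_alerts(summarize(parse_unknown_cert(SAMPLE_SYSLOG)), seen)
    print(format_report(first_run))
    # A second pass over the same log produces nothing new, which is the point of the "only new alerts" behaviour.
    second_run = new_alerts(summarize(parse_unknown_cert(SAMPLE_SYSLOG)), seen)
    print("new alerts on second run:", len(second_run))
```

Keying on the (client, server) pair rather than on the raw line is what keeps the summary short: the repeated doubleclick.net hits from the same client become one row with a count, and the ephemeral client port is deliberately left out of the key so that every new connection does not look like a new alert.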