[squid-users] Additional ecap/icap questions

James Lay jlay at slave-tothe-box.net
Wed Oct 19 14:13:32 UTC 2016


On 2016-10-17 15:01, Alex Rousskov wrote:
> On 10/17/2016 11:51 AM, James Lay wrote:
> 
>> Here's what I'm wanting to accomplish and it's been proving a challenge:
>> Detect keywords (think DLP maybe) in http/https flows.  I've got ecap
>> and icap compiled in and working.  My challenges:
>> 
>> a) with icap, it appears that the filter content adapters only work with
>> responses, not requests....I need both.
> 
> It depends on the ICAP service. Some work with requests, some with
> responses, some with both kinds of messages.
> 

I'm specifically looking at 
http://c-icap.sourceforge.net/c-icap-modules.conf-0.4.x.html#tag_srv_content_filtering_MaxBodyData.
This looks like it will do what I need, but as in my previous posts, it 
appears it only works with RESPMOD, not requests.

>> b) with icap, if I use the "echo" adapter I can see everything on the lo
>> interface, but decoding it has proven fruitless for me
> 
> If you are trying to manually decode ICAP traffic on a loopback
> interface, please clarify what you are trying to accomplish with that.

I'm trying to match text in a stream, somehow.  Either with the above 
icap method, which would appear to be designed for this purpose, but 
only responses, not requests, or by decoding the stream and sending the 
decoded traffic to an interface where an IDS can match content.  In 
short, if someone drops an f-bomb in a chat, let's say, I want it known.

> 
>> c) with ecap, I configured per
>> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP,
>> but I'm confused on the ecap_service line..examples show
>> "ecap://www.vigos.com/ecap_gzip", but what do I put in?
> 
> Just like with ICAP, you configure an eCAP adapter/service that you want
> to use. I do not know whether it exists or needs to be written. For
> example, if you want to find viruses, you can use an eCAP ClamAV adapter.
> 
> 
>> I thought I didn't need a service for ecap..do I point this to localhost
>> or something?
> 
> With eCAP, you do not need a server. With both ICAP and eCAP you need a
> service or "adapter" that does whatever you want to do. ICAP and eCAP
> are just protocols/API -- they cannot do anything useful on their own.
> 
> The eCAP service URI is just an identifier. It does not "point" to any
> specific location. It is only used to distinguish one loaded eCAP
> service from another loaded eCAP service.
> 
> 
> Overall, you need some software that will "detect keywords". That
> detection is not going to happen magically on its own. ICAP and eCAP are
> just two ways to get the HTTP messages to that software. Some call that
> _kind_ of software "ICAP service", "ICAP server plugin", "eCAP service",
> "eCAP adapter", etc. You need to find or write a specific
> service/plugin/adapter/etc. that does keyword detection.
> 
> Alex.

Thanks Alex....I can't imagine that I'm the only one wanting to do this 
purely with open source software, but it appears that way.

James
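Alex's point that the keyword check has to live in a service that receives the HTTP messages, and James's difficulty decoding the ICAP traffic seen on the loopback interface, as an added Python example that is not from this thread, Squid or c-icap: it splits a REQMOD or RESPMOD message by the offsets in its Encapsulated header, reassembles the chunked body and searches it for a constructed keyword list. The service URI, the keyword list and the sample chat POST are assumptions made for the example.

```python
KEYWORDS = ("confidential", "secret-project")  # constructed sample search terms

def dechunk(data: bytes) -> bytes:
    """ICAP encapsulated bodies use HTTP chunked encoding; reassemble them."""
    out, pos = bytearray(), 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:                                # zero-size chunk ends the body
            return bytes(out)
        out += data[nl + 2:nl + 2 + size]
        pos = nl + 2 + size + 2                      # skip chunk data and its CRLF

def decode_icap(raw: bytes) -> dict:
    """Split an ICAP message into method, encapsulated HTTP headers and body.
    'Encapsulated: req-hdr=0, req-body=123' lists each section's byte offset
    from the end of the ICAP headers; a body section is always the last one."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    enc = next(line for line in lines if line.lower().startswith(b"encapsulated:"))
    sections = []
    for item in enc.split(b":", 1)[1].split(b","):
        name, _, offset = item.strip().partition(b"=")
        sections.append((name.decode(), int(offset)))
    http_headers, body = b"", b""
    for i, (name, start) in enumerate(sections):
        if name.endswith("-hdr"):
            end = sections[i + 1][1] if i + 1 < len(sections) else len(payload)
            http_headers += payload[start:end]
        elif name.endswith("-body"):
            body = dechunk(payload[start:])
    return {"method": lines[0].split()[0].decode(),
            "http_headers": http_headers, "body": body}

def find_keywords(body: bytes, keywords=KEYWORDS) -> list:
    """Case-insensitive keyword hits: the DLP-style check the thread asks for."""
    text = body.decode("utf-8", errors="replace").lower()
    return [k for k in keywords if k in text]

def build_reqmod(http_headers: bytes, body: bytes) -> bytes:
    """Constructed sample: wrap an HTTP request in an ICAP REQMOD message."""
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    icap = b"REQMOD icap://127.0.0.1:1344/srv_content_filtering ICAP/1.0\r\n"
    icap += b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(http_headers)
    return icap + http_headers + chunked

# Constructed sample: a chat POST whose body contains one of the keywords.
SAMPLE = build_reqmod(b"POST /chat HTTP/1.1\r\nHost: chat.example\r\n\r\n",
                      b"this file is CONFIDENTIAL, do not share")
```

The same decoder handles a RESPMOD message, whose Encapsulated header carries req-hdr, res-hdr and res-body sections, because every "-hdr" section is collected and the trailing "-body" section is de-chunked.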