[squid-users] Clarification on icap

Alex Rousskov rousskov at measurement-factory.com
Mon Sep 26 14:30:09 UTC 2016


On 09/26/2016 05:41 AM, James Lay wrote:
> So I'm going to try and get some visibility into tls traffic.  Not
> concerned with the sslbumping of the traffic, but what I DON'T know is
> what to do with the traffic once it's decrypted.  This squid
> machine runs IDS software as well, so my hope was to have the IDS
> software listen to traffic that's decrypted, but for the life of me I'm
> not sure where to start.  Does squid pipe out a stream?  Or does the IDS
> listen to a different "interface"?  Is this where ICAP comes in? 

Squid-IDS integration is mostly independent from SslBump issues -- you
integrate traffic analysis of plain and secure traffic similarly. Your
options depend on IDS interfaces:

1. If IDS is content with passively looking at something Squid can log
(after the transaction is completed), then give IDS the logs (see
access_log and logformat directives). This is what Amos recommended in
his response. It is the best option if your IDS can use it.

2. If IDS is content with reacting to something Squid can log while
processing a message, then write or purchase a custom external ACL
script. External ACL input can be customized just like the access log.

3. If IDS needs access to message bodies, then use an ICAP or eCAP
service to give IDS whole messages. You may have to write or purchase
that service. How that service is going to give messages to IDS depends
on IDS interfaces. Some IDSes have APIs while others listen to raw
traffic (that a service can emulate and emit).


HTH,

Alex.
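
The following is an added example, not part of the message above and not code from the Squid project: a sketch of the external ACL helper from option 2, which reads one request line per transaction and answers OK, ERR or BH on the same channel. The squid.conf wiring in the comment, the helper path, the ids_verdict() lookup and its substring list are all assumptions standing in for a real IDS interface.

```python
#!/usr/bin/env python3
"""Squid external ACL helper sketch (option 2): one verdict per request line."""
import sys
from urllib.parse import quote, unquote

# Assumed squid.conf wiring (ACL names, helper path and format are illustrative):
#   external_acl_type ids_check concurrency=10 %SRC %METHOD %URI /usr/local/bin/ids_acl.py
#   acl ids_ok external ids_check
#   http_access deny !ids_ok

# Constructed stand-in for a real IDS lookup: substrings treated as suspicious.
BLOCKED_SUBSTRINGS = ("/etc/passwd", "<script")


def ids_verdict(src, method, url):
    """Hypothetical IDS query: return a reason string to block, or None to allow."""
    lowered = url.lower()
    for needle in BLOCKED_SUBSTRINGS:
        if needle in lowered:
            return "IDS rule matched %r from %s" % (needle, src)
    return None


def handle_line(line):
    """Turn one helper request line into one helper response line."""
    fields = line.split()
    if len(fields) != 4 or not fields[0].isdigit():
        # Echo the channel ID when present; BH tells Squid the helper failed.
        prefix = fields[0] + " " if fields and fields[0].isdigit() else ""
        return prefix + "BH message=" + quote("malformed helper input")
    channel = fields[0]
    # Squid URL-escapes each value under the default helper protocol.
    src, method, url = (unquote(f) for f in fields[1:])
    reason = ids_verdict(src, method, url)
    if reason is None:
        return channel + " OK"
    # Reply values are URL-escaped too, so the message stays one token.
    return channel + " ERR message=" + quote(reason)


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid waits on each reply; never buffer them


if __name__ == "__main__":
    main()
```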


