[squid-users] Clarification on icap
James Lay
jlay at slave-tothe-box.net
Mon Sep 26 14:16:45 UTC 2016
On 2016-09-26 06:50, Amos Jeffries wrote:
> On 27/09/2016 12:41 a.m., James Lay wrote:
>> Hey all,
>>
>> So I'm going to try and get some visibility into tls traffic. Not
>> concerned with the sslbumping of the traffic, but what I DON'T know
>> what to do is what to do with the traffic once it's decrypted. This
>> squid machine runs IDS software as well, so my hope was to have the
>> IDS software listen to traffic that's decrypted, but for the life of
>> me I'm not sure where to start. Does squid pipe out a stream? Or does
>> the IDS listen to a different "interface"? Is this where ICAP comes in?
>
> Keeping it secure is of high importance. So ensuring that any
> connections it goes over are securely encrypted somehow is important.
>
> The best way to ensure data security is not to transmit it. What data
> does the IDS actually need? and can you 'log' only those details to a
> private pipe/socket the IDS is reading?
>
> Amos
Ah Amos...always vigilant...thank you. Yeah, those are the questions I'm
asking really...how can squid "present" the unencrypted data? Pipe to a
socket? Log to a file? Dump to a pcap? As soon as I know the options
of how squid can manipulate a session during bumping/decrypting, I'll be
able to see if snort/suricata can "listen" to the data. Does that make
sense? Thanks as always Amos.
James