[squid-users] Clarification on icap

James Lay jlay at slave-tothe-box.net
Mon Sep 26 14:16:45 UTC 2016


On 2016-09-26 06:50, Amos Jeffries wrote:
> On 27/09/2016 12:41 a.m., James Lay wrote:
>> Hey all,
>> 
>> So I'm going to try and get some visibility into TLS traffic.  Not
>> concerned with the sslbumping of the traffic, but what I DON'T know
>> is what to do with the traffic once it's decrypted.  This squid
>> machine runs IDS software as well, so my hope was to have the IDS
>> software listen to traffic that's decrypted, but for the life of me
>> I'm not sure where to start.  Does squid pipe out a stream?  Or does
>> the IDS listen to a different "interface"?  Is this where ICAP comes in?
> 
> Keeping it secure is of high importance. So ensuring that any
> connections it goes over are securely encrypted somehow is important.
> 
> The best way to ensure data security is not to transmit it. What data
> does the IDS actually need? and can you 'log' only those details to a
> private pipe/socket the IDS is reading?
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users


Ah Amos...always vigilant...thank you.  Yeah, those are the questions I'm
asking really...how can squid "present" the unencrypted data?  Pipe to a
socket?  Log to a file?  Dump to a pcap?  As soon as I know the options
of how squid can manipulate a session during bumping/decrypting, I'll be
able to see if snort/suricata can "listen" to the data.  Does that make
sense?  Thanks as always Amos.

James
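One concrete answer to the "is this where ICAP comes in?" question, as an added example that is not part of the thread and not Squid's own code: with ssl_bump in place, Squid can hand every decrypted request to an ICAP REQMOD service, and that service is where you decide what the IDS gets to see. The script below parses the ICAP framing Squid uses (RFC 3507: Encapsulated offsets, chunked bodies, a 204 "no modification" reply), then reduces each request to a metadata record (client IP, method, URL, host, user agent, body size) and ships that over a private AF_UNIX socket, which is the "log only the details the IDS needs" approach Amos suggests rather than replaying decrypted payloads. The sample messages are constructed here, the service name `/reqmod`, port 1344 and the X-Client-IP header (which Squid only adds when `icap_send_client_ip on` is set) are assumptions, and the `build_reqmod` helper stands in for Squid itself so the whole exchange runs offline.

```python
"""Parse Squid-style ICAP REQMOD messages and reduce them to IDS metadata.

Added example, not Squid's code. ICAP framing follows RFC 3507 (Encapsulated
header offsets, chunked bodies, 204 responses). The messages below are
constructed by build_reqmod(), not captured traffic.
"""
from __future__ import annotations

import json
import socket
from dataclasses import dataclass, field

CRLF = b"\r\n"


@dataclass
class IcapRequest:
    method: str                       # REQMOD / RESPMOD / OPTIONS
    uri: str                          # icap://host:port/service
    headers: dict[str, str]           # ICAP headers, lower-cased names
    http_start: str = ""              # encapsulated HTTP request line
    http_headers: dict[str, str] = field(default_factory=dict)
    http_body: bytes = b""            # de-chunked body, empty for null-body


def _header_block(block: bytes) -> tuple[str, dict[str, str]]:
    """Split 'start-line CRLF name: value CRLF ...' into (start-line, headers)."""
    lines = block.split(CRLF)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("ascii"), headers


def decode_chunked(data: bytes) -> bytes:
    """Undo the HTTP chunked framing ICAP uses for encapsulated bodies."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2                                # chunk data plus its CRLF


def parse_icap(raw: bytes) -> IcapRequest:
    """Parse one complete ICAP request as Squid would send it to a REQMOD service."""
    head, sep, encapsulated = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete ICAP header")
    start, headers = _header_block(head)
    method, uri, version = start.split(" ")
    if version != "ICAP/1.0":
        raise ValueError(f"unexpected ICAP version {version!r}")
    req = IcapRequest(method, uri, headers)
    # "Encapsulated: req-hdr=0, req-body=123": byte offsets into the encapsulated section
    offsets: dict[str, int] = {}
    for item in headers.get("encapsulated", "").split(","):
        name, _, value = item.strip().partition("=")
        if name:
            offsets[name] = int(value)
    hdr_key = next((k for k in ("req-hdr", "res-hdr") if k in offsets), None)
    if hdr_key is None:
        return req                                     # e.g. OPTIONS, nothing to parse
    body_key = next((k for k in ("req-body", "res-body", "null-body") if k in offsets), None)
    if body_key is None:
        raise ValueError("Encapsulated header lacks a body entry")
    req.http_start, req.http_headers = _header_block(
        encapsulated[offsets[hdr_key]:offsets[body_key]].rstrip(b"\r\n"))
    if body_key != "null-body":
        req.http_body = decode_chunked(encapsulated[offsets[body_key]:])
    return req


def ids_record(req: IcapRequest) -> dict:
    """Metadata only: enough for an IDS rule, never the decrypted payload itself."""
    method, _, target = req.http_start.partition(" ")
    return {
        "client_ip": req.headers.get("x-client-ip"),   # assumption: icap_send_client_ip on
        "method": method,
        "url": target.rsplit(" ", 1)[0],               # drop the trailing "HTTP/1.1"
        "host": req.http_headers.get("host"),
        "user_agent": req.http_headers.get("user-agent"),
        "content_type": req.http_headers.get("content-type"),
        "body_bytes": len(req.http_body),
    }


def no_modification() -> bytes:
    """ICAP 204 tells Squid to forward the original message unchanged (needs 'Allow: 204')."""
    return b"ICAP/1.0 204 No Content" + CRLF + b'ISTag: "ids-tap-1"' + CRLF + CRLF


def build_reqmod(http_request: bytes, body: bytes | None, client_ip: str) -> bytes:
    """Stand-in for Squid: frame an HTTP request as an ICAP REQMOD message (constructed)."""
    if body is None:
        enc, tail = f"req-hdr=0, null-body={len(http_request)}", b""
    else:
        enc = f"req-hdr=0, req-body={len(http_request)}"
        tail = f"{len(body):x}".encode() + CRLF + body + CRLF + b"0" + CRLF + CRLF
    icap = (b"REQMOD icap://127.0.0.1:1344/reqmod ICAP/1.0" + CRLF
            + b"Host: 127.0.0.1" + CRLF
            + f"X-Client-IP: {client_ip}".encode() + CRLF
            + b"Allow: 204" + CRLF
            + f"Encapsulated: {enc}".encode() + CRLF + CRLF)
    return icap + http_request + tail


# Constructed sample: a bumped HTTPS login POST with a 27-byte form body.
SAMPLE_POST = (b"POST https://example.net/login HTTP/1.1" + CRLF
               + b"Host: example.net" + CRLF
               + b"User-Agent: curl/7.64.0" + CRLF
               + b"Content-Type: application/x-www-form-urlencoded" + CRLF
               + b"Content-Length: 27" + CRLF + CRLF)
SAMPLE_BODY = b"user=alice&password=hunter2"

if __name__ == "__main__":
    record = ids_record(parse_icap(build_reqmod(SAMPLE_POST, SAMPLE_BODY, "10.0.0.7")))
    # Hand the record to the IDS over a private AF_UNIX socket; a socketpair stands in
    # for a real filesystem path that only the IDS process can read.
    tap, ids = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    tap.send(json.dumps(record).encode())
    print(ids.recv(4096).decode())
    tap.close(); ids.close()
```

To wire this up on the Squid side you would listen on 1344, return `no_modification()` after each request, and point Squid at it with `icap_enable on`, `icap_service ids_tap reqmod_precache icap://127.0.0.1:1344/reqmod bypass=1` and `adaptation_access ids_tap allow all` (plus `icap_send_client_ip on` for the client address); `bypass=1` keeps browsing working if the tap dies. Two caveats a practitioner should weigh: the record above deliberately omits the body, so the credentials in the sample never leave the ICAP process, and anything you do log should go to a socket or file readable only by the IDS user, since it is cleartext that ssl_bump has already stripped of its TLS protection.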

