[squid-users] Clarification on icap

James Lay jlay at slave-tothe-box.net
Mon Sep 26 14:43:13 UTC 2016


On 2016-09-26 08:30, Alex Rousskov wrote:
> On 09/26/2016 05:41 AM, James Lay wrote:
>> So I'm going to try and get some visibility into TLS traffic.  Not
>> concerned with the SslBumping of the traffic, but what I DON'T know what
>> to do is what to do with the traffic once it's decrypted.  This squid
>> machine runs IDS software as well, so my hope was to have the IDS
>> software listen to traffic that's decrypted, but for the life of me I'm
>> not sure where to start.  Does squid pipe out a stream?  Or does the IDS
>> listen to a different "interface"?  Is this where ICAP comes in?
> 
> Squid-IDS integration is mostly independent from SslBump issues -- you
> integrate traffic analysis of plain and secure traffic similarly. Your
> options depend on IDS interfaces:
> 
> 1. If IDS is content with passively looking at something Squid can log
> (after the transaction is completed), then give IDS the logs (see
> access_log and logformat directives). This is what Amos recommended in
> his response. It is the best option if your IDS can use it.
> 
> 2. If IDS is content with reacting to something Squid can log while
> processing a message, then write or purchase a custom external ACL
> script. External ACL input can be customized just like the access log.
> 
> 3. If IDS needs access to message bodies, then use an ICAP or eCAP
> service to give IDS whole messages. You may have to write or purchase
> that service. How that service is going to give messages to IDS depends
> on IDS interfaces. Some IDSes have APIs while others listen to raw
> traffic (that a service can emulate and emit).
> 
> 
> HTH,
> 
> Alex.

Ah... there's the rub, Alex, thanks.  I already have rock solid access
controls with Squid's ACLs and great logging.  Now I find that I need to
inspect the actual content, i.e. message bodies.  So cool... I'm on the
right track for ICAP or eCAP.  So, from what I've read, it appears that
squid sends the data to a listening ICAP/eCAP service, which in turn the
IDS can access, depending on the IDS... is that about right?

James
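As an added example (not from this thread, and not Squid's or any ICAP server's own code), here is a small Python decoder for the RESPMOD request Squid sends to an ICAP service, showing what an inspection hook would actually receive: the encapsulated HTTP request headers, the response headers and the de-chunked response body. The ICAP URL and the HTTP message in `build_sample_respmod` are constructed sample data, with the `Encapsulated` offsets computed the way a client must compute them.

```python
# Minimal decoder for ICAP RESPMOD framing (RFC 3507): the ICAP header block,
# then an "Encapsulated" header giving byte offsets of the HTTP request headers,
# HTTP response headers and chunked response body that follow it.
from typing import Dict, Optional

def dechunk(data: bytes) -> bytes:
    """Decode a chunked body, stopping at the zero-length chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # chunk extensions ignored
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2                                 # skip the chunk's CRLF

def parse_icap_respmod(raw: bytes) -> Dict[str, Optional[bytes]]:
    """Return {'req-hdr', 'res-hdr', 'res-body'} from one RESPMOD request."""
    head, _, encap = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if lines[0].split(b" ", 1)[0] != b"RESPMOD":
        raise ValueError("only RESPMOD is handled here")
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        hdrs[name.strip().lower()] = value.strip()
    # Encapsulated: req-hdr=0, res-hdr=<n>, res-body=<m>; byte offsets into encap
    parts = [p.strip().split(b"=") for p in hdrs[b"encapsulated"].split(b",")]
    offsets = sorted((int(v), k.decode()) for k, v in parts)
    out: Dict[str, Optional[bytes]] = {"req-hdr": None, "res-hdr": None, "res-body": None}
    for i, (start, name) in enumerate(offsets):
        if name == "null-body":           # headers only: no body to inspect
            continue
        end = offsets[i + 1][0] if i + 1 < len(offsets) else len(encap)
        out[name] = dechunk(encap[start:end]) if name == "res-body" else encap[start:end]
    return out

def build_sample_respmod() -> bytes:
    """Constructed sample of what Squid would send for a 200 response (not a capture)."""
    req_hdr = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    res_hdr = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 18\r\n\r\n"
    body = b"<html>hello</html>"
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    encapsulated = b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d" % (
        len(req_hdr), len(req_hdr) + len(res_hdr))
    return (b"RESPMOD icap://icap.example.net/respmod ICAP/1.0\r\n"
            b"Host: icap.example.net\r\n" + encapsulated + b"\r\n\r\n"
            + req_hdr + res_hdr + chunked)
```

A real service would read this off the ICAP listening socket, hand the three parts to the IDS, and answer `ICAP/1.0 204 No Content` to let Squid forward the message unchanged.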
