[squid-users] How to extract decrypted traffic for further analysis using Snort?

Alex Rousskov rousskov at measurement-factory.com
Mon Mar 11 23:53:52 UTC 2019


On 3/11/19 1:53 PM, Felipe Arturo Polanco wrote:

> I'm trying to find a way to get the HTTP traffic analysed after being
> decrypted, by using Snort.
> 
> Does someone know how to do this? I can redirect IP traffic with regular
> HTTP into Snort but I haven't found a way inside squid to do the same.

I believe a similar question was answered a few years ago, and that
answer is still valid. I will quote that exchange below for your
convenience, but the source is at
http://lists.squid-cache.org/pipermail/squid-users/2016-September/012689.html

Item 3 includes an ICAP option that Antony suggested on this thread, and
I know there are eCAP adapters that implement raw HTTP traffic emulation
mentioned there.

Alex.

On 09/26/2016, Alex Rousskov wrote:

> On 09/26/2016 05:41 AM, James Lay wrote:
>> So I'm going to try and get some visibility into TLS traffic.  Not
>> concerned with the sslbumping of the traffic, but what I DON'T know what
>> to do is what to do with the traffic once it's decrypted.  This squid
>> machine runs IDS software as well, so my hope was to have the IDS
>> software listen to traffic that's decrypted, but for the life of me I'm
>> not sure where to start.  Does squid pipe out a stream?  Or does the IDS
>> listen to a different "interface"?  Is this where ICAP comes in?

> Squid-IDS integration is mostly independent from SslBump issues -- you
> integrate traffic analysis of plain and secure traffic similarly. Your
> options depend on IDS interfaces:
> 
> 1. If IDS is content with passively looking at something Squid can log
> (after the transaction is completed), then give IDS the logs (see
> access_log and logformat directives). This is what Amos recommended in
> his response. It is the best option if your IDS can use it.
> 
> 2. If IDS is content with reacting to something Squid can log while
> processing a message, then write or purchase a custom external ACL
> script. External ACL input can be customized just like the access log.
> 
> 3. If IDS needs access to message bodies, then use an ICAP or eCAP
> service to give IDS whole messages. You may have to write or purchase
> that service. How that service is going to give messages to IDS depends
> on IDS interfaces. Some IDSes have APIs while others listen to raw
> traffic (that a service can emulate and emit).
