[squid-users] How to extract decrypted traffic for further analysis using Snort?
eliezer at ngtech.co.il
Tue Mar 12 06:40:53 UTC 2019
+1
The main issue is websockets.
Since Squid doesn't have websockets-related code implemented in a public code
the Squid instance would break more than one connection.
Eliezer
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Alex Rousskov
Sent: Tuesday, March 12, 2019 01:54
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] How to extract decrypted traffic for further analysis using Snort?
On 3/11/19 1:53 PM, Felipe Arturo Polanco wrote:
> I'm trying to find a way to get the HTTP traffic analysed after being
> decrypted, by using Snort.
>
> Does someone know how to do this? I can redirect IP traffic with regular
> HTTP into Snort but I haven't found a way inside squid to do the same.
I believe a similar question was answered a few years ago, and that
answer is still valid. I will quote that exchange below for your
convenience, but the source is at
http://lists.squid-cache.org/pipermail/squid-users/2016-September/012689.html
Item 3 includes an ICAP option that Antony suggested on this thread, and
I know there are eCAP adapters that implement raw HTTP traffic emulation
mentioned there.
Alex.
On 09/26/2016, Alex Rousskov wrote:
> On 09/26/2016 05:41 AM, James Lay wrote:
>> So I'm going to try and get some visibility into tls traffic. Not
>> concerned with the sslbumping of the traffic, but what I DON'T know what
>> to do is what to do with the traffic once it's decrypted. This squid
>> machine runs IDS software as well, so my hope was to have the IDS
>> software listen to traffic that's decrypted, but for the life of me I'm
>> not sure where to start. Does squid pipe out a stream? Or does the IDS
>> listen to a different "interface"? Is this where ICAP comes in?
> Squid-IDS integration is mostly independent from SslBump issues -- you
> integrate traffic analysis of plain and secure traffic similarly. Your
> options depend on IDS interfaces:
>
> 1. If IDS is content with passively looking at something Squid can log
> (after the transaction is completed), then give IDS the logs (see
> access_log and logformat directives). This is what Amos recommended in
> his response. It is the best option if your IDS can use it.
>
> 2. If IDS is content with reacting to something Squid can log while
> processing a message, then write or purchase a custom external ACL
> script. External ACL input can be customized just like the access log.
>
> 3. If IDS needs access to message bodies, then use an ICAP or eCAP
> service to give IDS whole messages. You may have to write or purchase
> that service. How that service is going to give messages to IDS depends
> on IDS interfaces. Some IDSes have APIs while others listen to raw
> traffic (that a service can emulate and emit).
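Option 2 above in working form, as an added example that is not part of this thread or of the Squid project: a small Python external ACL helper that speaks Squid's helper protocol (channel-id prefixed input with `concurrency`, `OK`/`ERR`/`BH` replies) and flags requests against constructed IDS-style rules. The squid.conf directive names, rule names and the `blocked.example` host are hypothetical.

```python
"""Squid external ACL helper: flag requests against IDS-style rules.
Assumed squid.conf (hypothetical names, not from the thread):
  external_acl_type ids_check ttl=0 negative_ttl=0 concurrency=16 \
      %SRC %METHOD %URI /usr/local/bin/ids_acl.py
  acl ids_hit external ids_check
  http_access deny ids_hit
Squid sends "<channel-id> <src> <method> <uri>" per line (concurrency>0)
and expects "<channel-id> OK [key=value ...]" or "<channel-id> ERR" back.
"""
import re
import sys
from urllib.parse import unquote

# Constructed sample rules: (name, regex over "METHOD URI"). "OK" means the
# ACL matched, so with "http_access deny ids_hit" a hit blocks the request.
RULES = [
    ("dir-traversal", re.compile(r"\.\./|\.\.%2f", re.I)),
    ("denylisted-host", re.compile(
        r"^\S+ https?://(?:[^/]*\.)?blocked\.example(?:[:/]|$)", re.I)),
]

def parse_line(line):
    """Split one Squid request line into (channel, src, method, uri)."""
    channel, src, method, uri = line.rstrip("\n").split(" ", 3)
    # Squid URL-encodes format values; decode so rules see the real path.
    return channel, src, method, unquote(uri)

def evaluate(method, uri):
    """Return the name of the first matching rule, or None if clean."""
    target = f"{method} {uri}"
    for name, pattern in RULES:
        if pattern.search(target):
            return name
    return None

def reply_for(line):
    """Build the answer Squid expects for one input line."""
    try:
        channel, _src, method, uri = parse_line(line)
    except ValueError:  # malformed line: BH tells Squid the helper failed
        return f"{line.split(' ', 1)[0].strip()} BH"
    hit = evaluate(method, uri)
    if hit is None:
        return f"{channel} ERR"
    return f"{channel} OK log={hit}"  # log= shows in access.log via %ea

if __name__ == "__main__":
    for line in sys.stdin:
        sys.stdout.write(reply_for(line) + "\n")
        sys.stdout.flush()  # Squid waits per answer; never buffer
```

The `log=` value surfaces in access.log through the `%ea` logformat token, so a hit is both blocked and recorded for the IDS to pick up from the log (option 1).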
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users