Interesting thread so far. Has anyone thought of using Bro-IDS as a feedback loop for some of this advanced logic for bypassing bumping? Bro performs passive reconnaissance, generates very useful logs for any payloads it can decode, and is extendable.

E.g. ssl.log may contain something like this for a mail.google connection (it's usually TSV, I've added headers for readability):

    ts                     1420695401.142980
    uid                    CPy8RndJtKO7AWuba
    id.orig_h              10.0.3.54
    id.orig_p              49471
    id.resp_h              216.58.220.101
    id.resp_p              443
    version                TLSv10
    cipher                 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    server_name            mail.google.com
    session_id             b9be0d07db3c10511d673d8537c7809eddbee60a6601a7a23f67d97ab23fc6e8
    subject                CN=mail.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
    issuer_subject         CN=Google Internet Authority G2,O=Google Inc,C=US
    not_valid_before       1418172300.000000
    not_valid_after        1425907800.000000
    last_alert             -
    client_subject         -
    client_issuer_subject  -
    cert_hash              7081464425ab98aef8f5818ebd40fec9
    validation_status      ok

I like the active external ACL solution since it meets a need, but there is overhead. I'm not quite sure what Bro logs for non-HTTPS 443 traffic, but I thought I'd chime in with the above idea if anyone wants to expand on it further :)

Regards,
Chris

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
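The feedback loop Chris sketches above, as an added example that is not part of the original post or of Squid or Bro: a small Squid external ACL helper that parses a Bro ssl.log (standard TSV layout with a `#fields` header), indexes the most recent handshake Bro saw per destination IP:port, and answers OK only when that destination was seen with an SNI and a validated certificate chain. Destinations with no ssl.log entry at all (which covers the non-HTTPS-on-443 case) get ERR, so a matching `ssl_bump` rule can fall through to bumping/inspection. The helper name `bro_ssl_feedback.py`, the `%DST %PORT` lookup format and the sample log rows (the first copied from the post, the rest constructed with RFC 5737 addresses) are assumptions made for the example.

```python
"""bro_ssl_feedback.py: Squid external ACL helper driven by a Bro ssl.log.

Added example, not code from the original post, Squid or Bro. Assumes:
  * Bro's default TSV ssl.log layout with a '#fields' header line;
  * a Squid external_acl_type that sends "%DST %PORT" per lookup (assumed
    format; any Squid 3.2+ helper may reply "OK"/"ERR" plus key=value pairs
    such as log=...).
"""
import sys
from typing import Dict, List, Tuple

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "version", "cipher", "server_name", "session_id", "subject",
          "issuer_subject", "not_valid_before", "not_valid_after", "last_alert",
          "client_subject", "client_issuer_subject", "cert_hash",
          "validation_status"]

# Constructed sample log. Row 1 is the mail.google.com entry from the post;
# rows 2-3 are made up (RFC 5737 addresses) to exercise the failure paths.
_ROWS = [
    ["1420695401.142980", "CPy8RndJtKO7AWuba", "10.0.3.54", "49471",
     "216.58.220.101", "443", "TLSv10", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
     "mail.google.com",
     "b9be0d07db3c10511d673d8537c7809eddbee60a6601a7a23f67d97ab23fc6e8",
     "CN=mail.google.com,O=Google Inc,L=Mountain View,ST=California,C=US",
     "CN=Google Internet Authority G2,O=Google Inc,C=US",
     "1418172300.000000", "1425907800.000000", "-", "-", "-",
     "7081464425ab98aef8f5818ebd40fec9", "ok"],
    # no SNI and a self-signed chain (constructed)
    ["1420695402.000000", "CxQ1tZ2k3Sample1", "10.0.3.54", "49472",
     "203.0.113.7", "443", "TLSv12", "TLS_RSA_WITH_AES_256_CBC_SHA", "-", "-",
     "CN=appliance", "CN=appliance", "1418172300.000000", "1425907800.000000",
     "-", "-", "-", "0123456789abcdef0123456789abcdef", "self signed certificate"],
    # SNI present but the chain does not validate (constructed)
    ["1420695403.000000", "CxQ1tZ2k3Sample2", "10.0.3.54", "49473",
     "198.51.100.9", "443", "TLSv12", "TLS_RSA_WITH_AES_128_CBC_SHA",
     "intranet.example", "-", "CN=intranet.example", "CN=intranet.example",
     "1418172300.000000", "1425907800.000000", "-", "-", "-",
     "fedcba9876543210fedcba9876543210", "self signed certificate"],
]
SAMPLE_SSL_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
     "#unset_field\t-", "#path\tssl", "#fields\t" + "\t".join(FIELDS)]
    + ["\t".join(r) for r in _ROWS] + ["#close\t2015-01-08-05-36-42", ""])

Row = Dict[str, str]
Key = Tuple[str, int]


def parse_ssl_log(text: str) -> List[Row]:
    """Parse Bro TSV; column names come from the '#fields' header line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # malformed row: skip rather than kill the helper
        rows.append(dict(zip(fields, values)))
    return rows


def build_index(rows: List[Row]) -> Dict[Key, Row]:
    """Keep the most recent handshake Bro logged per (resp_h, resp_p)."""
    index: Dict[Key, Row] = {}
    for r in rows:
        key = (r["id.resp_h"], int(r["id.resp_p"]))
        prev = index.get(key)
        if prev is None or float(r["ts"]) >= float(prev["ts"]):
            index[key] = r
    return index


def decide(index: Dict[Key, Row], dst: str, port: int) -> Tuple[str, str]:
    """OK only when Bro saw a TLS handshake with SNI and a validated chain."""
    r = index.get((dst, port))
    if r is None:
        return "ERR", "no_ssl_log_entry"   # non-TLS on 443, or never observed
    if r["server_name"] == "-":
        return "ERR", "no_sni"
    if r["validation_status"] != "ok":
        return "ERR", "validation_failed"
    return "OK", "clean_tls"


def main() -> None:
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_SSL_LOG
    index = build_index(parse_ssl_log(text))
    for line in sys.stdin:               # one "%DST %PORT" lookup per line
        parts = line.split()
        try:
            verdict, why = decide(index, parts[0], int(parts[1]))
        except (IndexError, ValueError):
            verdict, why = "ERR", "bad_request"
        print(f"{verdict} log={why}", flush=True)


if __name__ == "__main__":
    main()
```

The index is built once at start-up, so the helper only sees what Bro had logged before Squid launched it; a production version would re-read the file periodically or tail it, and would key on the client as well if different clients reach different certificates behind one IP.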