On 08/01/15 18:41, Chris Bennett wrote:
> Interesting thread so far. Has anyone thought of using Bro-IDS as a
> feedback loop for some of this advanced logic for bypassing bumping?

The external acl method mentioned earlier probably outdoes using some
NIDS feedback loop. In my testing it causes squid to block that new
connection until it returns, and that means your external acl script can
simply attempt an SSL transaction against the end-server and in real time
figure out whether it's SSL or not. And then cache it, blah, blah, blah.

The advantage is that it will do a lookup on new HTTPS sessions and
potentially have the answer immediately (ie it can bump on first
attempt), whereas a NIDS would only find out the answer after squid has
defaulted to passthrough/splice mode, so it would only work properly on
future connections to that site.

> I like the active external acl solution since it meets a need, but
> there is overhead. I'm not quite sure what Bro logs for non-HTTPS
> 443 traffic, but I thought I'd chime in with the above idea if anyone
> wants to expand on it further :)

If you think the external acl method is too expensive to run, how do you
expect to feed this NIDS data back into squid? I think you'd find you'd
need an external acl check to do that bit anyway :-)

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
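A helper of the kind Jason describes, written as an added example for this archive page and not code posted in the thread or shipped by the Squid project. It speaks the Squid external ACL helper protocol on stdin/stdout (one request line in, one `OK`/`ERR`/`BH` line out, with a leading channel-ID when `concurrency=` is set), attempts a TLS handshake against the destination while Squid holds the client connection, and caches the verdict so repeat destinations are answered without a probe. The `squid.conf` wiring in the docstring, the `%DST %PORT` format tokens, the helper path, the timeout and the cache TTL are assumptions chosen for the example, not settings from the original message.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: decide in real time whether a CONNECT
destination actually speaks TLS, so SslBump can bump it on the first
attempt instead of learning the answer from a NIDS after the fact.

Assumed squid.conf wiring (an assumption for this example):
  external_acl_type is_tls ttl=3600 negative_ttl=300 concurrency=8 \
      %DST %PORT /usr/local/bin/tls_probe_helper.py
  acl tls_dst external is_tls
  ssl_bump bump tls_dst
  ssl_bump splice all
"""
import socket
import ssl
import sys
import time

PROBE_TIMEOUT = 3.0   # seconds; squid blocks the client while we probe
CACHE_TTL = 3600      # helper-side cache, on top of squid's own ttl= cache

_cache = {}           # (host, port) -> (is_tls, expires_at)


def probe_tls(host, port, timeout=PROBE_TIMEOUT):
    """Return True if host:port completes a TLS handshake.

    Certificate checking is deliberately off: the question is "is this
    TLS at all?", not "is the cert trusted?" (squid decides that later).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket() handshakes immediately; a plain-text server
            # answers with non-TLS bytes and raises ssl.SSLError.
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:   # ssl.SSLError, reset, refused, timeout
        return False


def parse_request(line):
    """Parse one request line: '[channel-id] host port'.

    Returns (channel, host, port); channel is None without concurrency.
    Raises ValueError on a malformed line.
    """
    fields = line.strip().split()
    channel = None
    if len(fields) == 3:
        channel, fields = fields[0], fields[1:]
    if len(fields) != 2:
        raise ValueError("malformed request: %r" % line)
    return channel, fields[0], int(fields[1])


def decide(line, probe=probe_tls, cache=None, now=None):
    """Produce the helper's reply line for one request line.

    `probe`, `cache` and `now` are injectable so the logic can be
    exercised offline with a fake prober and a fixed clock.
    """
    cache = _cache if cache is None else cache
    now = time.time() if now is None else now
    try:
        channel, host, port = parse_request(line)
    except ValueError:
        # BH = helper failure: squid logs it and treats it as no match.
        first = line.split()[:1]
        prefix = first[0] + " " if first and first[0].isdigit() else ""
        return prefix + "BH message=malformed"

    key = (host, port)
    hit = cache.get(key)
    if hit is None or hit[1] <= now:           # miss or expired: probe
        is_tls = probe(host, port)
        cache[key] = (is_tls, now + CACHE_TTL)
    else:
        is_tls = hit[0]
    verdict = "OK" if is_tls else "ERR"
    return "%s %s" % (channel, verdict) if channel else verdict


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()   # squid waits for each reply; never buffer


if __name__ == "__main__":
    main()
```

Two practical points the thread's trade-off hinges on: the probe timeout bounds how long a client to a never-seen destination is stalled, so keep it short and let `negative_ttl` stop Squid re-asking about dead hosts; and the probe is a real connection from the proxy's address to the destination, which shows up in the far end's logs exactly like a client visit.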