On 09/26/2016 05:41 AM, James Lay wrote:

> So I'm going to try and get some visibility into tls traffic. Not
> concerned with the sslbumping of the traffic, but what I DON'T know
> is what to do with the traffic once it's decrypted. This squid
> machine runs IDS software as well, so my hope was to have the IDS
> software listen to traffic that's decrypted, but for the life of me I'm
> not sure where to start. Does squid pipe out a stream? Or does the IDS
> listen to a different "interface"? Is this where ICAP comes in?

Squid-IDS integration is mostly independent of SslBump issues -- you integrate traffic analysis of plain and secure traffic similarly. Your options depend on IDS interfaces:

1. If the IDS is content with passively looking at something Squid can log (after the transaction is completed), then give the IDS the logs (see the access_log and logformat directives). This is what Amos recommended in his response. It is the best option if your IDS can use it.

2. If the IDS is content with reacting to something Squid can log while processing a message, then write or purchase a custom external ACL script. External ACL input can be customized just like the access log.

3. If the IDS needs access to message bodies, then use an ICAP or eCAP service to give the IDS whole messages. You may have to write or purchase that service. How that service is going to give messages to the IDS depends on IDS interfaces. Some IDSes have APIs while others listen to raw traffic (that a service can emulate and emit).

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
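Option 2 above, as an added example that is not part of the original thread: a minimal Squid external ACL helper that turns each request into an event an IDS can judge, and answers Squid in the helper line protocol. The squid.conf wiring in the docstring (the `ids_feed` name, the `%SRC %DST %METHOD %PATH` field list, the helper path) and the `blocklist` standing in for the IDS verdict are assumptions for the demo.

```python
#!/usr/bin/env python3
"""Squid external ACL helper feeding per-request events to an IDS decision.

Assumed squid.conf wiring (not from the original thread):
  external_acl_type ids_feed ttl=0 negative_ttl=0 concurrency=10 \\
      %SRC %DST %METHOD %PATH /usr/local/bin/ids_feed.py
  acl ids_clean external ids_feed
  http_access deny !ids_clean

With concurrency=N, each line Squid writes to the helper is
  "<channel> <SRC> <DST> <METHOD> <PATH>"
and every reply must start with the same channel id. Fields are assumed
to contain no whitespace (IP, host, method, percent-encoded path).
"""
import sys

FIELDS = ("src", "dst", "method", "path")


def ids_verdict(event, blocklist):
    """Stand-in for the IDS call: allow unless the destination host is on
    the IDS-supplied blocklist. A real helper would hand `event` to the IDS
    API (or emit it as traffic the IDS can sniff) and read back its verdict."""
    return event["dst"].lower() not in blocklist


def handle_line(line, blocklist):
    """Return the exact reply line Squid expects for one helper input line."""
    channel, _, rest = line.rstrip("\n").partition(" ")
    fields = rest.split(" ") if rest else []
    if len(fields) != len(FIELDS):
        # BH ("broken helper") tells Squid the helper failed on this lookup;
        # Squid logs it rather than treating it as an allow or deny.
        return f"{channel} BH"
    event = dict(zip(FIELDS, fields))
    if ids_verdict(event, blocklist):
        return f"{channel} OK"
    # log= is recorded in access.log (%ea), so the IDS hit also shows up in
    # the passive logs from option 1.
    return f"{channel} ERR log=ids_blocklist_hit"


def main():
    blocklist = {"malware.example"}  # constructed; a real IDS would supply this
    for line in sys.stdin:
        # One reply per input line, flushed immediately so Squid never stalls.
        print(handle_line(line, blocklist), flush=True)


if __name__ == "__main__":
    main()
```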