On 2016-09-26 08:30, Alex Rousskov wrote:
On 09/26/2016 05:41 AM, James Lay wrote:
So I'm going to try and get some visibility into TLS traffic. Not
concerned with the sslbumping of the traffic, but what I DON'T know is
what to do with the traffic once it's decrypted. This squid machine runs
IDS software as well, so my hope was to have the IDS software listen to
traffic that's decrypted, but for the life of me I'm not sure where to
start. Does squid pipe out a stream? Or does the IDS listen to a
different "interface"? Is this where ICAP comes in?
Squid-IDS integration is mostly independent from SslBump issues -- you
integrate traffic analysis of plain and secure traffic similarly. Your
options depend on IDS interfaces:
1. If IDS is content with passively looking at something Squid can log
(after the transaction is completed), then give IDS the logs (see
access_log and logformat directives). This is what Amos recommended in
his response. It is the best option if your IDS can use it.
2. If IDS is content with reacting to something Squid can log while
processing a message, then write or purchase a custom external ACL
script. External ACL input can be customized just like the access log.
3. If IDS needs access to message bodies, then use an ICAP or eCAP
service to give IDS whole messages. You may have to write or purchase
that service. How that service is going to give messages to IDS depends
on IDS interfaces. Some IDSes have APIs while others listen to raw
traffic (that a service can emulate and emit).
HTH,
Alex.
Ah...there's the rub, Alex, thanks. I already have rock solid access
controls with Squid's ACLs and great logging. Now I find that I need to
inspect the actual content, i.e. message bodies. So cool...I'm on the
right track for ICAP or eCAP. So, from what I've read, it appears that
squid sends the data to a listening ICAP/eCAP service, which in turn the
IDS can access, depending on the IDS...is that about right?
James
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
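A worked example of the ICAP leg of option 3 in Alex's reply, added here; it is not code from this thread or from the Squid project. It assumes Squid is pointed at a RESPMOD service at icap://127.0.0.1:1344/respmod (an assumed address), parses the ICAP request Squid sends (ICAP headers, the Encapsulated offsets, the chunk-encoded body), rebuilds the decrypted HTTP message as the plain byte stream a body-inspecting IDS would be given, and answers Squid with either 204 No Content or a replacement 403 page. The one-entry signature table and the sample RESPMOD message are constructed stand-ins; the real hand-off to the IDS (API call or emitted raw traffic) depends on the IDS, as Alex says.

```python
import re
from dataclasses import dataclass

CRLF = b"\r\n"

@dataclass
class IcapMessage:
    method: str            # REQMOD, RESPMOD or OPTIONS
    icap_headers: dict     # lower-cased ICAP header name -> value
    http_request: bytes    # raw HTTP request header block (req-hdr), may be empty
    http_response: bytes   # raw HTTP response header block (res-hdr), may be empty
    body: bytes            # de-chunked entity body, may be empty

def _headers(block: bytes):
    """Split a header block into (start line, {lower-cased name: value})."""
    lines = block.split(CRLF)
    hdrs = {}
    for ln in lines[1:]:
        if ln:
            name, _, val = ln.decode("latin-1").partition(":")
            hdrs[name.strip().lower()] = val.strip()
    return lines[0].decode("latin-1"), hdrs

def _dechunk(data: bytes) -> bytes:
    """Decode a chunked body; ICAP always chunk-encodes encapsulated bodies."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(CRLF, pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # hex size; chunk extensions ignored
        pos = eol + 2
        if size == 0:                                 # last-chunk; trailers not needed here
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2                               # skip the data and its trailing CRLF

def _chunk(body: bytes) -> bytes:
    """Chunk-encode a body for the ICAP wire (empty body -> just the last-chunk)."""
    return (b"%x" % len(body) + CRLF + body + CRLF if body else b"") + b"0" + CRLF + CRLF

def parse_icap(raw: bytes) -> IcapMessage:
    """Parse one ICAP request of the form Squid sends to an icap_service."""
    head, _, encap = raw.partition(CRLF + CRLF)
    start, hdrs = _headers(head)
    # "Encapsulated: req-hdr=0, res-hdr=53, res-body=124" gives byte offsets into encap;
    # each section runs up to the next offset, the (always last) body to the end.
    secs = []
    for part in hdrs.get("encapsulated", "").split(","):
        name, _, off = part.strip().partition("=")
        if name:
            secs.append((name, int(off)))
    secs.sort(key=lambda s: s[1])
    parts = {}
    for i, (name, off) in enumerate(secs):
        end = secs[i + 1][1] if i + 1 < len(secs) else len(encap)
        parts[name] = encap[off:end]
    body = b""
    for name in ("req-body", "res-body", "opt-body"):
        if name in parts:
            body = _dechunk(parts[name])
    return IcapMessage(start.split(" ", 1)[0], hdrs,
                       parts.get("req-hdr", b""), parts.get("res-hdr", b""), body)

def to_plain_http(msg: IcapMessage) -> bytes:
    """Rebuild the decrypted HTTP message as one plain byte stream for the IDS.
    The body is already de-chunked, so Transfer-Encoding is dropped and an exact
    Content-Length added so a signature engine sees a well-formed message."""
    hdr = (msg.http_response or msg.http_request).rstrip(CRLF)
    keep = [ln for ln in hdr.split(CRLF)
            if not ln.lower().startswith((b"transfer-encoding:", b"content-length:"))]
    keep.append(b"Content-Length: %d" % len(msg.body))
    return CRLF.join(keep) + CRLF + CRLF + msg.body

# Stand-in for the IDS hand-off: a constructed one-entry signature table, not a real ruleset.
SIGNATURES = {"eicar-test-file": re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE")}

def inspect_message(msg: IcapMessage) -> list:
    """Names of signatures matching the rebuilt plaintext exchange (here: the stand-in table)."""
    stream = to_plain_http(msg)
    return [name for name, rx in SIGNATURES.items() if rx.search(stream)]

def _encapsulate(status: bytes, kind: bytes, http_hdr: bytes, body: bytes) -> bytes:
    """Wrap an HTTP header block plus body into an ICAP response (kind is b"req" or b"res")."""
    hdr = http_hdr.rstrip(CRLF) + CRLF + CRLF
    icap = (b"ICAP/1.0 " + status + CRLF + b"Encapsulated: " + kind + b"-hdr=0, "
            + kind + b"-body=%d" % len(hdr) + CRLF + CRLF)
    return icap + hdr + _chunk(body)

def icap_reply(msg: IcapMessage, hits: list) -> bytes:
    """204 (pass unchanged) when clean; a replacement 403 page when a signature fired."""
    if hits:
        page = b"Blocked by IDS: " + ", ".join(hits).encode() + b"\n"
        hdr = (b"HTTP/1.1 403 Forbidden" + CRLF + b"Content-Type: text/plain" + CRLF
               + b"Content-Length: %d" % len(page))
        return _encapsulate(b"200 OK", b"res", hdr, page)
    if "204" in msg.icap_headers.get("allow", ""):
        return b"ICAP/1.0 204 No Content" + CRLF + CRLF
    kind = b"res" if msg.http_response else b"req"   # Squid did not offer 204: echo it back
    return _encapsulate(b"200 OK", kind, msg.http_response or msg.http_request, msg.body)

def handle(raw: bytes) -> bytes:
    """One ICAP transaction: parse what Squid sent, inspect it, answer."""
    msg = parse_icap(raw)
    return icap_reply(msg, inspect_message(msg))

def sample_respmod() -> bytes:
    """Constructed RESPMOD request of the shape Squid emits for a decrypted HTTPS response."""
    req = b"GET /download.txt HTTP/1.1" + CRLF + b"Host: www.example.com" + CRLF + CRLF
    res = (b"HTTP/1.1 200 OK" + CRLF + b"Content-Type: text/plain" + CRLF
           + b"Transfer-Encoding: chunked" + CRLF + CRLF)
    body = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"  # EICAR test file
    icap = (b"RESPMOD icap://127.0.0.1:1344/respmod ICAP/1.0" + CRLF + b"Host: 127.0.0.1" + CRLF
            + b"Allow: 204" + CRLF
            + b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d" % (len(req), len(req) + len(res))
            + CRLF + CRLF)
    return icap + req + res + _chunk(body)
```

To wire it up, wrap handle() in a TCP server on port 1344 and point Squid at it with icap_enable on, icap_service ids_resp respmod_precache bypass=0 icap://127.0.0.1:1344/respmod, and adaptation_access ids_resp allow all (the directive names are Squid's; the service name and address are assumed). A bumped HTTPS response arrives at the respmod_precache vectoring point in the same form as a plain HTTP one, which is why the IDS integration does not depend on SslBump. Two caveats: this parser expects the whole message in one read, so keep ICAP Preview off (icap_preview_enable off) or extend it to answer 100 Continue; and bypass=0 makes Squid fail closed when the service is down, which is the setting you want if the IDS is meant to be enforcing rather than advisory.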