On 2016-10-17 15:01, Alex Rousskov wrote:
> On 10/17/2016 11:51 AM, James Lay wrote:
>> Here's what I'm wanting to accomplish and it's been proving a
>> challenge:
>> Detect keywords (think DLP maybe) in http/https flows. I've got ecap
>> and icap compiled in and working. My challenges:
>> a) with icap, it appears that the filter content adapters only work
>> with responses, not requests....I need both.
>
> It depends on the ICAP service. Some work with requests, some with
> responses, some with both kinds of messages.

I'm specifically looking at
http://c-icap.sourceforge.net/c-icap-modules.conf-0.4.x.html#tag_srv_content_filtering_MaxBodyData.
This looks like it will do what I need, but as from my previous posts,
it appears it only works with RESPMOD, not requests.

>> b) with icap, if I use the "echo" adapter I can see everything on the
>> lo interface, but decoding it has proven fruitless for me
>
> If you are trying to manually decode ICAP traffic on a loopback
> interface, please clarify what you are trying to accomplish with that.

I'm trying to match text in a stream, somehow. Either with the above
icap method, which would appear to be designed for this purpose, but
only responses not requests, or by decoding the stream and sending the
decoded traffic to an interface where an IDS can match content. In
short, if someone drops an f-bomb in a chat let's say, I want it known.

>> c) with ecap, I configured per
>> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP,
>> but I'm confused on the ecap_service line..examples show
>> "ecap://www.vigos.com/ecap_gzip", but what do I put in?
>
> Just like with ICAP, you configure an eCAP adapter/service that you
> want to use. I do not know whether it exists or needs to be written. For
> example, if you want to find viruses, you can use an eCAP ClamAV
> adapter.
>
>> I thought I
>> didn't need a service for ecap..do I point this to localhost or
>> something?
>
> With eCAP, you do not need a server. With both ICAP and eCAP you need a
> service or "adapter" that does whatever you want to do. ICAP and eCAP
> are just protocols/API -- they cannot do anything useful on their own.
>
> The eCAP service URI is just an identifier. It does not "point" to any
> specific location. It is only used to distinguish one loaded eCAP
> service from another loaded eCAP service.
>
> Overall, you need some software that will "detect keywords". That
> detection is not going to happen magically on its own. ICAP and eCAP
> are just two ways to get the HTTP messages to that software. Some call
> that _kind_ of software "ICAP service", "ICAP server plugin", "eCAP
> service", "eCAP adapter", etc. You need to find or write a specific
> service/plugin/adapter/etc. that does keyword detection.
>
> Alex.

Thanks Alex....I can't imagine that I'm the only one wanting to do this
purely with open source software, but it appears that way.

James
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
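As an added example (not from this thread, Squid, c-icap or any eCAP adapter): a minimal Python keyword scan of the HTTP message an ICAP service receives in either REQMOD or RESPMOD, i.e. the "both requests and responses" case James is after. The build_icap/parse_icap/scan helpers, the icap.example.net service URI and the keyword list are constructed assumptions; the framing follows RFC 3507's Encapsulated header and chunked body section.

```python
"""Keyword scan of the HTTP message carried inside an ICAP REQMOD or
RESPMOD request (RFC 3507 framing). Helpers and sample data are constructed
here; Content-Encoding (e.g. gzip) is not decoded before scanning."""

KEYWORDS = ("secret-project", "f-bomb")  # constructed placeholder list

def build_icap(method: str, http_head: bytes, body: bytes) -> bytes:
    """Build a minimal ICAP REQMOD/RESPMOD request carrying a chunked HTTP body."""
    tag = "req" if method == "REQMOD" else "res"
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b"0\r\n\r\n"
    icap_head = (f"{method} icap://icap.example.net/dlp ICAP/1.0\r\n"
                 f"Host: icap.example.net\r\n"
                 f"Encapsulated: {tag}-hdr=0, {tag}-body={len(http_head)}\r\n\r\n")
    return icap_head.encode() + http_head + chunked

def parse_icap(msg: bytes):
    """Return (icap_method, http_headers, body) from a REQMOD/RESPMOD request.
    Encapsulated gives byte offsets of each section; the body is de-chunked."""
    head, _, rest = msg.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split()[0].decode()
    offsets = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"encapsulated":
            for part in value.decode().split(","):
                key, val = part.strip().split("=")
                offsets[key] = int(val)
    body_off = offsets.get("req-body", offsets.get("res-body"))
    if body_off is None:          # null-body: headers only, nothing to de-chunk
        return method, rest, b""
    http_head, chunked, body = rest[:body_off], rest[body_off:], b""
    while True:
        size_line, _, chunked = chunked.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            break
        body, chunked = body + chunked[:size], chunked[size + 2:]
    return method, http_head, body

def scan(msg: bytes) -> dict:
    """Scan headers and body in either direction; report keyword hits."""
    method, http_head, body = parse_icap(msg)
    text = (http_head + body).decode("utf-8", "replace").lower()
    hits = [k for k in KEYWORDS if k in text]
    return {"method": method, "hits": hits, "block": bool(hits)}
```

A real service would wire scan() into its REQMOD and RESPMOD handlers and return an ICAP 204 or a replacement message based on the verdict; that dispatch, and decoding compressed response bodies, is the part a finished adapter adds on top of this.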