+1

The main issue is websockets. Since Squid doesn't have websockets related code implemented in a public code, the Squid instance would break more than one connection.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Alex Rousskov
Sent: Tuesday, March 12, 2019 01:54
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: How to extract decrypted traffic for further analysis using Snort?

On 3/11/19 1:53 PM, Felipe Arturo Polanco wrote:
> I'm trying to find a way to get the HTTP traffic analysed after being
> decrypted, by using Snort.
>
> Does someone know how to do this? I can redirect IP traffic with regular
> HTTP into Snort but I haven't found a way inside squid to do the same.

I believe a similar question has been answered a few years ago, and that answer is still valid. I will quote that exchange below for your convenience, but the source is at
http://lists.squid-cache.org/pipermail/squid-users/2016-September/012689.html

Item 3 includes an ICAP option that Antony suggested on this thread, and I know there are eCAP adapters that implement raw HTTP traffic emulation mentioned there.

Alex.


On 09/26/2016, Alex Rousskov wrote:
> On 09/26/2016 05:41 AM, James Lay wrote:
>> So I'm going to try and get some visibility into tls traffic. Not
>> concerned with the sslbumping of the traffic, but what I DON'T know what
>> to do is what to do with the traffic once it's decrypted. This squid
>> machine runs IDS software as well, so my hope was to have the IDS
>> software listen to traffic that'd decrypted, but for the life of me I'm
>> not sure where to start. Does squid pipe out a stream? Or does the IDS
>> listen to a different "interface"? Is this where ICAP comes in?

> Squid-IDS integration is mostly independent from SslBump issues -- you
> integrate traffic analysis of plain and secure traffic similarly. Your
> options depend on IDS interfaces:
>
> 1. If IDS is content with passively looking at something Squid can log
> (after the transaction is completed), then give IDS the logs (see
> access_log and logformat directives). This is what Amos recommended in
> his response. It is the best option if your IDS can use it.
>
> 2. If IDS is content with reacting to something Squid can log while
> processing a message, then write or purchase a custom external ACL
> script. External ACL input can be customized just like the access log.
>
> 3. If IDS needs access to message bodies, then use an ICAP or eCAP
> service to give IDS whole messages. You may have to write or purchase
> that service. How that service is going to give messages to IDS depends
> on IDS interfaces. Some IDSes have APIs while others listen to raw
> traffic (that a service can emulate and emit).

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
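Option 2 from the quoted answer (a custom external ACL script that sees each decrypted request's metadata while Squid processes it), as an added example that is neither from this thread nor from the Squid project: the squid.conf fragment in the docstring, the helper name, the sample rules and the JSON event stream are assumptions, and only request metadata reaches the helper, not bodies.

```python
"""Squid external ACL helper: Squid writes one line per request to stdin
(channel id, client IP, method, URL per the assumed format below), the
helper answers OK/ERR per line and emits a JSON event for the IDS to tail.
Assumed (hypothetical) squid.conf wiring:

  external_acl_type ids_check ttl=0 negative_ttl=0 concurrency=10 \
      %>a %>rm %>ru /usr/local/bin/ids_acl.py
  acl ids_allowed external ids_check
  http_access deny !ids_allowed
"""
import json
import re
import sys
from urllib.parse import unquote

# Constructed sample rules standing in for a real IDS rule feed.
RULES = [
    ("test-path-traversal", re.compile(r"\.\./")),
    ("test-known-bad-host", re.compile(r"^https?://bad\.example\.test/")),
]


def evaluate(line):
    """Turn one Squid input line into (reply for Squid, event for the IDS).
    With concurrency=N every reply must echo the leading channel id."""
    parts = line.rstrip("\n").split(" ", 3)
    if len(parts) < 4:
        channel = parts[0] if parts and parts[0] else "0"
        return f"{channel} BH message=malformed-input", None  # BH = helper error
    channel, client, method, url = parts
    url = unquote(url)  # Squid may %-encode field values; decode before matching
    hits = [name for name, rx in RULES if rx.search(url)]
    event = {"client": client, "method": method, "url": url, "hits": hits}
    if hits:
        # message= is a documented reply key; Squid can show it on the deny page.
        return f"{channel} ERR message={hits[0]}", event
    return f"{channel} OK", event


def main(inp=sys.stdin, out=sys.stdout, log=sys.stderr):
    for line in inp:
        reply, event = evaluate(line)
        if event is not None:
            log.write(json.dumps(event) + "\n")  # IDS consumes this stream
        out.write(reply + "\n")
        out.flush()  # Squid blocks the request until the reply arrives


if __name__ == "__main__":
    main()
```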