Snort mailing list archives
Snort, Squid, and TLS Interception
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 28 Sep 2016 08:36:07 -0600
Hey All!

Topic says it...I've been on the Squid list to see about getting this set up. I've had a rockin Snort in place, and a working Squid in place for some time. Currently doing a peek/splice, so just seeing where it's going, but not actual content inspection (heh....kids these days 8-|). Now I need to do actual content inspection, which should be pretty easy barring cert pinning.

The piece I'm missing is how to get Squid's decrypted content to Snort. The Squid mailing list says "it depends on how your IDS does this", which I respond with a confident "I haven't a frickin clue". So how WOULD this work? I've read about ICAP and eCAP, but how can I get Snort to "listen" or get sent the decrypted session data?

Danke :)

James