Snort mailing list archives

Snort, Squid, and TLS Interception


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 28 Sep 2016 08:36:07 -0600

Hey All!

Topic says it...I've been on the Squid list to see about getting this 
setup.  I've had a rockin Snort in place, and a working Squid in place 
for some time.  Currently doing a peek/splice, so just seeing where it's 
going, but not actual content inspection (heh....kids these days 8-|).  
Now I need to do actual content inspection, which should be pretty easy 
barring cert pinning.

The piece I'm missing is how to get Squid's decrypted content to Snort.  
The Squid mailing list says "it depends on how your IDS does this", 
to which I respond with a confident "I haven't a frickin clue".  So how 
WOULD this work?  I've read about ICAP and eCAP, but how can I get Snort 
to "listen" or get sent the decrypted session data?

Danke :)

James
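
Added example (editor's, not from James's post and not Squid's or Snort's own code): the piece the ICAP route supplies is that Squid, once it has bumped the TLS session, hands each plaintext HTTP request/response to an ICAP service inside a RESPMOD request (RFC 3507). Whatever answers on that socket gets the decrypted content, so the parser below is the part you would write yourself. It assumes Squid is configured with icap_preview_enable off so the whole body arrives in one RESPMOD request, and the sample message is constructed, not captured. How the plaintext then reaches Snort (written to a pcap, or replayed on a loopback interface Snort sniffs) is an assumed hand-off, not a Snort feature.

```python
"""Parse an ICAP RESPMOD request as Squid's ICAP client sends it and
rebuild the decrypted HTTP response it carries.  Added example, not from
the mailing list; SAMPLE_* below is constructed input, not captured.
Assumes icap_preview_enable is off (whole body in one request)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CRLF = b"\r\n"


@dataclass
class IcapMessage:
    method: str
    uri: str
    headers: Dict[str, str]
    req_hdr: bytes = b""   # client request headers, as Squid saw them
    res_hdr: bytes = b""   # origin server response headers (decrypted)
    body: bytes = b""      # de-chunked response body (decrypted)


def parse_headers(block: bytes) -> Dict[str, str]:
    """Header lines after the start line -> lower-cased name/value dict."""
    headers: Dict[str, str] = {}
    for line in block.split(CRLF)[1:]:
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def dechunk(data: bytes) -> bytes:
    """Decode HTTP chunked framing; ICAP previews end with '0; ieof'."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(CRLF, pos)                     # ValueError if truncated
        size = int(data[pos:eol].split(b";")[0], 16)    # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)                           # last chunk; trailers ignored
        out += data[pos:pos + size]
        pos += size + 2                                 # data plus its CRLF


def parse_respmod(raw: bytes) -> IcapMessage:
    head, sep, encapsulated = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete ICAP header block")
    start = head.split(CRLF)[0].decode("latin-1").split(" ")
    if len(start) != 3 or not start[2].startswith("ICAP/"):
        raise ValueError("not an ICAP request line: %r" % start)
    headers = parse_headers(head)
    # Encapsulated: req-hdr=0, res-hdr=47, res-body=119 -- byte offsets into
    # the encapsulated section, ascending (RFC 3507 section 4.4.1).
    parts: List[Tuple[str, int]] = []
    for item in headers["encapsulated"].split(","):
        name, _, off = item.strip().partition("=")
        parts.append((name, int(off)))
    msg = IcapMessage(start[0], start[1], headers)
    for i, (name, off) in enumerate(parts):
        end = parts[i + 1][1] if i + 1 < len(parts) else len(encapsulated)
        section = encapsulated[off:end]
        if name == "req-hdr":
            msg.req_hdr = section
        elif name == "res-hdr":
            msg.res_hdr = section
        elif name in ("res-body", "req-body"):
            msg.body = dechunk(section)
        # "null-body" marks a message with no body: nothing to store
    return msg


def to_http_response(msg: IcapMessage) -> bytes:
    """Plaintext HTTP response as Squid saw it after bumping TLS.  Chunked
    framing is gone, so Content-Length replaces Transfer-Encoding.  This
    is what you would write out or replay for Snort (assumed hand-off)."""
    lines = [l for l in msg.res_hdr.rstrip(CRLF).split(CRLF)
             if not l.lower().startswith((b"content-length:", b"transfer-encoding:"))]
    lines.append(b"Content-Length: %d" % len(msg.body))
    return CRLF.join(lines) + CRLF + CRLF + msg.body


def build_respmod(req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """Construct a RESPMOD request shaped like Squid's (test input only)."""
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    icap_head = CRLF.join([
        b"RESPMOD icap://127.0.0.1:1344/respmod ICAP/1.0",
        b"Host: 127.0.0.1",
        b"Allow: 204",
        b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d"
        % (len(req_hdr), len(req_hdr) + len(res_hdr)),
    ])
    return icap_head + CRLF + CRLF + req_hdr + res_hdr + chunked


# Constructed sample: one bumped HTTPS fetch of a small HTML page.
SAMPLE_REQ_HDR = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_RES_HDR = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n")
SAMPLE_BODY = b"<html><body><script>eval(unescape('%75%6e'))</script></body></html>"
SAMPLE_RESPMOD = build_respmod(SAMPLE_REQ_HDR, SAMPLE_RES_HDR, SAMPLE_BODY)

if __name__ == "__main__":
    m = parse_respmod(SAMPLE_RESPMOD)
    print(m.method, m.uri, m.headers["encapsulated"])
    print(to_http_response(m).decode("latin-1"))
```

The offsets in Encapsulated are the detail that bites when writing this by hand: they are computed over the encapsulated section only, not the ICAP headers, which is why build_respmod derives them with len() instead of hard-coding them.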

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
