Snort mailing list archives

Re: Snort, Squid, and TLS Interception


From: Jason Haar <jason_haar () trimble com>
Date: Fri, 30 Sep 2016 12:34:44 +1300

On Thu, Sep 29, 2016 at 3:36 AM, James Lay <jlay () slave-tothe-box net> wrote:

> The piece I'm missing is how to get Squid's decrypted content to Snort.
> The Squid mailing list says "it depends on how your IDS does this",
> to which I respond with a confident "I haven't a frickin clue".  So how
> WOULD this work?  I've read about ICAP and eCAP, but how can I get Snort
> to "listen" or get sent the decrypted session data?


ICAP is a TCP protocol, so squid opens a TCP connection and sends ICAP
commands and gets ICAP responses. So if you were to install snort on the
proxy, and get it to monitor the "lo" interface, then snort could see
the ICAP content...

However, does snort support ICAP? It's not HTTP - although it's very
similar... It needs to have native support because the real destination
hostname and the real client IP address are expressed through ICAP headers
- not at the TCP layer.

Alternatively, you could write your own ICAP server that takes ICAP queries
and spews out fake HTTP requests towards some blackhole - and snort could
monitor that instead. Good luck with that ;-)


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
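The "write your own ICAP server that spews out fake HTTP requests towards some blackhole" idea from the reply above, worked through as an added example (this is not Squid's, Snort's or the poster's code). It is a minimal ICAP REQMOD server: it parses the ICAP message per RFC 3507, pulls the encapsulated HTTP request out using the Encapsulated header offsets, replays it as plain HTTP to a sink address, and tells Squid to proceed unmodified (204 when Squid allowed it, otherwise a 200 echoing the request back). Assumptions: Squid is configured with `icap_send_client_ip on`, so the real client address arrives in the X-Client-IP ICAP header and is carried to the sink in an X-Forwarded-For header (our own convention, since at the TCP layer Snort only sees proxy-to-sink traffic); the listen and sink addresses, the ISTag value and the sample message are constructed for the example.

```python
"""ICAP REQMOD "tee" (added example, not Squid's, Snort's or the poster's code):
Squid hands each decrypted request to us over ICAP; we replay it as plain HTTP
to a sink Snort sniffs on "lo", then tell Squid to proceed unmodified."""
import socket
import socketserver

ICAP_LISTEN = ("127.0.0.1", 1344)   # 1344 is the registered ICAP port
SINK_LISTEN = ("127.0.0.1", 8080)   # assumed sink; it must accept TCP (e.g. nc -lk 8080)
ISTAG = b'ISTag: "snort-tee-1"\r\n'  # every ICAP reply must carry an ISTag
OPTIONS_REPLY = (b"ICAP/1.0 200 OK\r\nMethods: REQMOD\r\n" + ISTAG
                 + b"Allow: 204\r\nEncapsulated: null-body=0\r\n\r\n")

def parse_icap(raw):
    """Return (start line, lower-cased ICAP header dict, encapsulated bytes)."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    start, *header_lines = head.decode().split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    return start, headers, encapsulated

def dechunk(data):
    """Decode ICAP's chunked body (same as HTTP's); ValueError if truncated."""
    out, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore "ieof" extension
        if size == 0:
            return out
        out += data[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2

def extract_http_request(headers, encapsulated):
    """Split the HTTP request out of the ICAP body using the Encapsulated offsets."""
    sections = [(k.strip(), int(v)) for k, _, v in
                (p.partition("=") for p in headers["encapsulated"].split(","))]
    hdr_off = dict(sections)["req-hdr"]
    hdr_end = next(off for _, off in sections if off > hdr_off)  # start of next section
    if len(encapsulated) < hdr_end:
        raise ValueError("encapsulated HTTP header truncated")
    body = dechunk(encapsulated[hdr_end:]) if "req-body" in dict(sections) else b""
    return encapsulated[hdr_off:hdr_end], body

def build_sink_request(http_hdr, http_body, client_ip):
    """Plain HTTP for the sink. The real client IP (Squid's X-Client-IP header,
    needs `icap_send_client_ip on`) rides in X-Forwarded-For, our convention."""
    request_line, _, rest = http_hdr.partition(b"\r\n")
    return (request_line + b"\r\nX-Forwarded-For: " + client_ip.encode()
            + b"\r\n" + rest + http_body)

def icap_response(headers, http_hdr, http_body):
    """204 when Squid allowed it, else echo the request back unmodified (200)."""
    if "204" in headers.get("allow", ""):
        return b"ICAP/1.0 204 No Content\r\n" + ISTAG + b"Encapsulated: null-body=0\r\n\r\n"
    encaps = b"req-hdr=0, %s=%d" % (b"req-body" if http_body else b"null-body", len(http_hdr))
    tail = b"%x\r\n%s\r\n0\r\n\r\n" % (len(http_body), http_body) if http_body else b""
    return b"ICAP/1.0 200 OK\r\n" + ISTAG + b"Encapsulated: " + encaps + b"\r\n\r\n" + http_hdr + tail

def handle_reqmod(raw):
    """One complete ICAP message in; (bytes for the sink, reply for Squid) out."""
    start, headers, encapsulated = parse_icap(raw)
    if start.startswith("OPTIONS"):      # Squid probes capabilities first
        return b"", OPTIONS_REPLY
    http_hdr, http_body = extract_http_request(headers, encapsulated)
    return (build_sink_request(http_hdr, http_body, headers.get("x-client-ip", "0.0.0.0")),
            icap_response(headers, http_hdr, http_body))

def message_complete(raw):
    """True once the ICAP headers and any chunked body have fully arrived."""
    if b"\r\n\r\n" not in raw:
        return False
    try:
        _, headers, encapsulated = parse_icap(raw)
        extract_http_request(headers, encapsulated)
        return True
    except (ValueError, KeyError):
        return False

class IcapHandler(socketserver.StreamRequestHandler):
    def handle(self):
        raw = b""
        while not message_complete(raw):
            chunk = self.request.recv(4096)
            if not chunk:
                return
            raw += chunk
        sink_req, reply = handle_reqmod(raw)
        if sink_req:   # sink must complete the handshake or no payload leaves the socket
            with socket.create_connection(SINK_LISTEN, timeout=2) as s:
                s.sendall(sink_req)   # this copy is what Snort inspects on lo
        self.request.sendall(reply)

def sample_reqmod(allow_204=True):
    """Constructed REQMOD message in the shape Squid sends (not a capture)."""
    http_hdr = (b"POST http://www.example.com/login HTTP/1.1\r\n"
                b"Host: www.example.com\r\nContent-Length: 11\r\n\r\n")
    body = b"user=alice&"
    return (b"REQMOD icap://127.0.0.1:1344/reqmod ICAP/1.0\r\nHost: 127.0.0.1\r\n"
            b"X-Client-IP: 10.0.0.23\r\n" + (b"Allow: 204\r\n" if allow_204 else b"")
            + b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(http_hdr)
            + http_hdr + b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body))

if __name__ == "__main__":
    socketserver.ThreadingTCPServer(ICAP_LISTEN, IcapHandler).serve_forever()
```

To wire it up on the proxy (assumed configuration, in squid.conf terms): `icap_enable on`, `icap_send_client_ip on`, `icap_service tee reqmod_precache icap://127.0.0.1:1344/reqmod` and `adaptation_access tee allow all`, then something that accepts connections on the sink port and Snort running against `lo`. Two practical caveats: the sink has to complete the TCP handshake, because a true blackhole never gets past the SYN and Snort's stream reassembly then has nothing to inspect; and Snort sees only the request side this way, so response inspection would need the same treatment for RESPMOD.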
