Snort mailing list archives
Re: Snort, Squid, and TLS Interception
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 30 Sep 2016 05:51:09 -0600
On Fri, 2016-09-30 at 12:34 +1300, Jason Haar wrote:
> On Thu, Sep 29, 2016 at 3:36 AM, James Lay <jlay () slave-tothe-box net> wrote:
>> The piece I'm missing is how to get Squid's decrypted content to Snort. The Squid mailing list says "it depends on how your IDS does this", to which I respond with a confident "I haven't a frickin clue". So how WOULD this work? I've read about ICAP and eCAP, but how can I get Snort to "listen" or get sent the decrypted session data?
>
> ICAP is a TCP protocol, so squid opens a TCP connection and sends ICAP commands and gets ICAP responses. So if you were to install snort on the proxy, and get it to monitor the "lo" interface, then snort could see the ICAP content...
>
> However, does snort support ICAP? It's not HTTP - although it's very similar... It needs to have native support because the real destination hostname and the real client IP address are expressed through ICAP headers - not at the TCP layer.
>
> Alternatively, you could write your own ICAP server that takes ICAP queries and spews out fake HTTP requests towards some blackhole - and snort could monitor that instead. Good luck with that ;-)
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
Thanks Jason.....that does help.

James
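Jason's "write your own ICAP server" route starts with parsing what Squid hands the ICAP server. The following is an added example, not Squid's, Snort's or either poster's code: it parses one ICAP REQMOD request and pulls out the fields an IDS needs but a packet sensor on the TCP layer cannot see, namely the client and server addresses from Squid's X-Client-IP / X-Server-IP extension headers (assumed here; Squid sends X-Client-IP when icap_send_client_ip is on) and the request line and Host header from the encapsulated HTTP request. It understands the null-body and req-body forms of the Encapsulated header but does not decode a chunked request body; the sample message is constructed.

```python
# Added example (not Squid's or Snort's code): parse one ICAP REQMOD request the
# way a small custom ICAP server would, recovering the real client IP (Squid's
# X-Client-IP extension header) and the original HTTP request line and Host.
CRLF = b"\r\n"

def parse_header_block(raw):
    # "start-line CRLF header-lines CRLF CRLF rest" -> (start-line, headers, rest)
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, rest

def parse_encapsulated(value):
    # "req-hdr=0, null-body=88" -> {"req-hdr": 0, "null-body": 88}
    parts = {}
    for item in value.split(","):
        name, _, offset = item.strip().partition("=")
        if offset.isdigit():
            parts[name] = int(offset)
    return parts

def parse_reqmod(message):
    # Returns the fields an IDS would want from one ICAP REQMOD request.
    icap_line, icap_hdrs, body = parse_header_block(message)
    if not icap_line.startswith("REQMOD "):
        raise ValueError("not a REQMOD request: " + icap_line)
    enc = parse_encapsulated(icap_hdrs.get("encapsulated", ""))
    if enc.get("req-hdr") != 0:
        raise ValueError("REQMOD must carry req-hdr at offset 0")
    # The next entry (req-body or null-body) marks the end of the HTTP headers.
    end = enc.get("req-body", enc.get("null-body"))
    req_line, http_hdrs, _ = parse_header_block(body[:end])
    method, target, _ = req_line.split(" ", 2)
    return {"client_ip": icap_hdrs.get("x-client-ip"),  # from ICAP, not TCP
            "server_ip": icap_hdrs.get("x-server-ip"),
            "method": method, "target": target,
            "host": http_hdrs.get("host"), "has_body": "req-body" in enc}

# Constructed sample of what Squid sends for a client GET through the proxy.
HTTP_REQ = (b"GET http://example.com/index.html HTTP/1.1\r\n"
            b"Host: example.com\r\nUser-Agent: curl/7.64\r\n\r\n")
SAMPLE_REQMOD = (b"REQMOD icap://127.0.0.1:1344/reqmod ICAP/1.0\r\nHost: 127.0.0.1:1344\r\n"
                 b"X-Client-IP: 192.0.2.10\r\nX-Server-IP: 203.0.113.5\r\n"
                 b"Encapsulated: req-hdr=0, null-body=%d\r\n\r\n" % len(HTTP_REQ) + HTTP_REQ)
```

Replaying the recovered request line and headers toward a sink interface that Snort watches is the "fake HTTP requests" half of Jason's suggestion and is not shown here.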
Current thread:
- Snort, Squid, and TLS Interception James Lay (Sep 28)
- Re: Snort, Squid, and TLS Interception Jason Haar (Sep 29)
- Re: Snort, Squid, and TLS Interception James Lay (Sep 30)
- Re: Snort, Squid, and TLS Interception Jason Haar (Sep 29)