How to extract decrypted traffic for further analysis using Snort?

How to extract decrypted traffic for further analysis using Snort?

Felipe Arturo Polanco
Hi,

I'm trying to find a way to get the HTTP traffic analysed after being decrypted, by using Snort.

Does someone know how to do this? I can redirect IP traffic with regular HTTP into Snort but I haven't found a way inside squid to do the same.

Thanks!

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: How to extract decrypted traffic for further analysis using Snort?

Antony Stone
On Monday 11 March 2019 at 20:53:13, Felipe Arturo Polanco wrote:

> Hi,
>
> I'm trying to find a way to get the HTTP traffic analysed after being
> decrypted, by using Snort.
>
> Does someone know how to do this? I can redirect IP traffic with regular
> HTTP into Snort but I haven't found a way inside squid to do the same.

How about https://wiki.squid-cache.org/Features/ICAP ?


Antony.

--
Please apologise my errors, since I have a very small device.

Please reply to the list;
please *don't* CC me.
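The ICAP route Antony points at means Squid hands each decrypted HTTP message to a separate ICAP service, and that service is where an IDS feed would be built. The following is an added example, not Squid's or Snort's code and not part of this thread: a minimal parser for the RESPMOD request an ICAP service receives (RFC 3507), which splits the Encapsulated section back into the original HTTP request headers, response headers and de-chunked body. The sample message, the hostnames and the port are constructed for the example; the squid.conf directives in the comment are the ones that would point Squid at such a service.

```python
"""Parse an ICAP RESPMOD request into its encapsulated HTTP pieces.

Added example, not Squid's code.  Matching Squid side (assumption: the
service listens on 127.0.0.1:1344):

    icap_enable on
    icap_service ids_feed respmod_precache icap://127.0.0.1:1344/respmod
    adaptation_access ids_feed allow all

Squid applies the same adaptation to plain and SslBump-decrypted HTTP, so the
service sees plaintext for both.
"""

CRLF = b"\r\n"

# Constructed sample HTTP exchange that Squid would encapsulate.
REQ_HDR = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
BODY = b"<html>hello</html>"


def parse_headers(block: bytes):
    """Return (start line, {lower-case name: value}) for a header block."""
    lines = block.split(CRLF)
    headers = {}
    for ln in lines[1:]:
        if not ln:
            continue
        name, _, value = ln.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers


def parse_encapsulated(value: str):
    """'req-hdr=0, res-hdr=48, res-body=91' -> [('req-hdr', 0), ...]."""
    entries = []
    for item in value.split(","):
        name, _, offset = item.strip().partition("=")
        entries.append((name.strip(), int(offset)))
    return entries


def dechunk(data: bytes) -> bytes:
    """Decode HTTP/1.1 chunked encoding; tolerates ICAP's '0; ieof' last chunk."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(CRLF, pos)
        size = int(data[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            break
        out += data[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF
    return bytes(out)


def parse_icap_respmod(raw: bytes) -> dict:
    """Split one ICAP RESPMOD request into ICAP headers and HTTP parts."""
    head, _, encapsulated = raw.partition(CRLF + CRLF)  # ICAP headers end at first blank line
    icap_start, icap_headers = parse_headers(head)
    entries = parse_encapsulated(icap_headers["encapsulated"])
    result = {"icap_request": icap_start, "icap_headers": icap_headers,
              "req_hdr": None, "res_hdr": None, "body": b""}
    for idx, (name, offset) in enumerate(entries):
        end = entries[idx + 1][1] if idx + 1 < len(entries) else len(encapsulated)
        if name in ("req-hdr", "res-hdr"):
            result[name.replace("-", "_")] = encapsulated[offset:end]
        elif name in ("req-body", "res-body"):
            result["body"] = dechunk(encapsulated[offset:])  # body is always last
        # "null-body" means no body follows; nothing to do
    return result


def build_sample_respmod() -> bytes:
    """Construct the RESPMOD request Squid would send for the sample exchange."""
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(BODY), BODY)
    encap = b"req-hdr=0, res-hdr=%d, res-body=%d" % (len(REQ_HDR), len(REQ_HDR) + len(RES_HDR))
    icap_head = (b"RESPMOD icap://127.0.0.1:1344/respmod ICAP/1.0\r\n"
                 b"Host: 127.0.0.1\r\n"
                 b"Encapsulated: " + encap + CRLF + CRLF)
    return icap_head + REQ_HDR + RES_HDR + chunked


if __name__ == "__main__":
    parsed = parse_icap_respmod(build_sample_respmod())
    print(parsed["icap_request"])
    print(parsed["req_hdr"].decode("latin-1"), parsed["res_hdr"].decode("latin-1"), parsed["body"])
```

The service that owns this parser answers Squid with `ICAP/1.0 204 No Content` when it only observes, and the reassembled request/response pair is what it passes to the IDS, whether through an API or by emitting it as raw traffic for the IDS to sniff. Chunk sizes come from the wire, so a production version should bound the body it buffers rather than trusting the declared lengths.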
Re: How to extract decrypted traffic for further analysis using Snort?

Alex Rousskov
In reply to this post by Felipe Arturo Polanco
On 3/11/19 1:53 PM, Felipe Arturo Polanco wrote:

> I'm trying to find a way to get the HTTP traffic analysed after being
> decrypted, by using Snort.
>
> Does someone know how to do this? I can redirect IP traffic with regular
> HTTP into Snort but I haven't found a way inside squid to do the same.

I believe a similar question has been answered a few years ago, and that
answer is still valid. I will quote that exchange below for your
convenience, but the source is at
http://lists.squid-cache.org/pipermail/squid-users/2016-September/012689.html

Item 3 includes an ICAP option that Antony suggested on this thread, and
I know there are eCAP adapters that implement raw HTTP traffic emulation
mentioned there.

Alex.

On 09/26/2016, Alex Rousskov wrote:

> On 09/26/2016 05:41 AM, James Lay wrote:
>> So I'm going to try and get some visibility into tls traffic.  Not
>> concerned with the sslbumping of the traffic, but what I DON'T know what
>> to do is what to do with the traffic once it's decrypted.  This squid
>> machine runs IDS software as well, so my hope was to have the IDS
>> software listen to traffic that'd decrypted, but for the life of me I'm
>> not sure where to start.  Does squid pipe out a stream?  Or does the IDS
>> listen to a different "interface"?  Is this where ICAP comes in?

> Squid-IDS integration is mostly independent from SslBump issues -- you
> integrate traffic analysis of plain and secure traffic similarly. Your
> options depend on IDS interfaces:
>
> 1. If IDS is content with passively looking at something Squid can log
> (after the transaction is completed), then give IDS the logs (see
> access_log and logformat directives). This is what Amos recommended in
> his response. It is the best option if your IDS can use it.
>
> 2. If IDS is content with reacting to something Squid can log while
> processing a message, then write or purchase a custom external ACL
> script. External ACL input can be customized just like the access log.
>
> 3. If IDS needs access to message bodies, then use an ICAP or eCAP
> service to give IDS whole messages. You may have to write or purchase
> that service. How that service is going to give messages to IDS depends
> on IDS interfaces. Some IDSes have APIs while others listen to raw
> traffic (that a service can emulate and emit).
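Alex's option 2, a custom external ACL helper, is the hook that lets Squid consult an outside check while a request is still in flight. The following is an added example, not Squid's or Snort's code and not from this thread: a helper that speaks Squid's external ACL line protocol (one request per line, one `OK`/`ERR`/`BH` reply per line, with a channel ID when `concurrency=` is set) and denies requests whose host is on a local indicator list. The helper path, the `ids_check` name and the indicator list are assumptions constructed for the example; the `%SRC`, `%METHOD` and `%URI` format codes and the reply keywords are Squid's.

```python
#!/usr/bin/env python3
"""Squid external ACL helper that checks each request against a local list.

Added example, not Squid's code.  Matching squid.conf (assumption: the helper is
installed at /usr/local/bin/ids_acl.py):

    external_acl_type ids_check concurrency=8 %SRC %METHOD %URI /usr/local/bin/ids_acl.py
    acl ids_ok external ids_check
    http_access deny !ids_ok

With concurrency= set, Squid prefixes every line with a channel ID and expects
it back on the reply so answers can be matched out of order.
"""
import sys
from urllib.parse import unquote, urlsplit

# Constructed indicator list; in a deployment this would be refreshed from the IDS.
BLOCKED_HOSTS = {"bad.example.test"}


def parse_request(line: str):
    """Split '<channel> <src> <method> <uri>'; return None if malformed."""
    parts = line.rstrip("\r\n").split(" ", 3)
    if len(parts) != 4:
        return None
    channel, src, method, uri = parts
    # Squid %-encodes field values by default (quote=url), so decode them.
    return {"channel": channel, "src": unquote(src),
            "method": method, "uri": unquote(uri)}


def request_host(req: dict) -> str:
    """Extract the destination host; CONNECT carries 'host:port', not a URL."""
    if req["method"] == "CONNECT":
        return req["uri"].rpartition(":")[0].lower()
    return (urlsplit(req["uri"]).hostname or "").lower()


def decide(req: dict) -> str:
    """Build the reply line Squid expects for one parsed request."""
    host = request_host(req)
    if host in BLOCKED_HOSTS:
        # ERR = ACL does not match, so http_access deny !ids_ok blocks it.
        return '%s ERR message="blocked by indicator %s"' % (req["channel"], host)
    # tag= is logged by Squid (%et) so the access log shows the check happened.
    return "%s OK tag=ids_checked" % req["channel"]


def handle_line(line: str) -> str:
    req = parse_request(line)
    if req is None:
        # BH = helper failure; Squid logs it and treats the ACL as not matching.
        channel = line.split(" ", 1)[0].strip()
        return ("%s BH message=malformed-input" % channel).strip()
    return decide(req)


def main():
    # Squid keeps the helper running and feeds one request per line on stdin.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # unbuffered replies, or Squid waits for a full block


if __name__ == "__main__":
    main()
```

Because the helper runs per request, it only ever sees what Squid can put on a format line (headers, URI, client address), never the body; that is exactly the boundary Alex draws between option 2 and the ICAP/eCAP route in option 3.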
Re: How to extract decrypted traffic for further analysis using Snort?

Eliezer Croitoru
+1

The main issue is websockets.
Since Squid doesn't have websockets-related code implemented in public code,
the Squid instance would break more than one connection.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]
