Re: [squid-users] Clarification on icap
On 2016-09-26 10:40, Alex Rousskov wrote:
> On 09/26/2016 08:55 AM, James Lay wrote:
>> any recommended open source ICAP/eCAP services that squid works well with?
>
> You do not need an ICAP/eCAP service that Squid works well with. You need an ICAP/eCAP service that integrates with your IDS.
>
> All production ICAP/eCAP services are doing some specific adaptation (e.g., downgrade image quality) or integrate with some specific adaptation library (e.g., ClamAV). They are useless to you unless they integrate with your IDS. If there is no existing service that integrates with your IDS, you would have to write and support one.
>
> If you go the ICAP route, many plug their custom ICAP services into the free c-icap ICAP server. If you decide going the eCAP route, then you do not need a server (eCAP is a library/API, not a communication protocol, so your custom code plugs directly into the host application such as Squid).
>
> http://wiki.squid-cache.org/SquidFaq/ContentAdaptation
>
> Alex.

Excellent...thanks so much Alex!

James

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Clarification on icap
On 09/26/2016 08:55 AM, James Lay wrote:
> any recommended open source ICAP/eCAP services that squid works well with?

You do not need an ICAP/eCAP service that Squid works well with. You need an ICAP/eCAP service that integrates with your IDS.

All production ICAP/eCAP services are doing some specific adaptation (e.g., downgrade image quality) or integrate with some specific adaptation library (e.g., ClamAV). They are useless to you unless they integrate with your IDS. If there is no existing service that integrates with your IDS, you would have to write and support one.

If you go the ICAP route, many plug their custom ICAP services into the free c-icap ICAP server. If you decide going the eCAP route, then you do not need a server (eCAP is a library/API, not a communication protocol, so your custom code plugs directly into the host application such as Squid).

http://wiki.squid-cache.org/SquidFaq/ContentAdaptation

Alex.
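As an added illustration of the two integration routes Alex describes (this fragment is not part of the original thread and is not Squid's own documentation), here is the squid.conf wiring that hands bumped traffic to a custom adaptation service. The ICAP listener address and port, the service names, the `/request` and `/response` paths, the eCAP module path and the `ecap://` URI are all assumptions to be replaced with those of the service you write for your IDS.

```conf
# Added example: squid.conf fragment wiring a custom adaptation service into
# both vectoring points. Assumes an ICAP server (e.g. c-icap running your
# module) listening on loopback port 1344; service names and the /request
# and /response paths are placeholders.

# --- ICAP route: a separate server process, spoken to over the ICAP protocol
icap_enable on
icap_send_client_ip on           # let the service log the real client address

# bypass=0 fails closed: if the service is down, Squid returns an error page
# instead of silently forwarding traffic the IDS never saw.
icap_service ids_req  reqmod_precache  icap://127.0.0.1:1344/request  bypass=0
icap_service ids_resp respmod_precache icap://127.0.0.1:1344/response bypass=0

adaptation_access ids_req  allow all
adaptation_access ids_resp allow all

# --- eCAP route: no server; the adapter is a shared library loaded into Squid.
# Module path and service URI are placeholders for your own adapter.
# ecap_enable on
# loadable_modules /usr/local/lib/ecap_adapter_ids.so
# ecap_service ids_ecap respmod_precache uri=ecap://example.org/ecap/services/ids
# adaptation_access ids_ecap allow all
```

Two checks before relying on this: `squid -v` must list `--enable-icap-client` (or `--enable-ecap`) among the configure options, and `squid -k parse` should accept the file. ICAP itself is plaintext, which is why the service is bound to loopback; the decrypted payload then never leaves the host, which addresses Amos's encryption concern in the same thread. Only connections that `ssl_bump` actually bumps pass through these vectoring points; spliced or terminated connections are never adapted, so the IDS sees nothing from them.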
Re: [squid-users] Clarification on icap
On 2016-09-26 06:50, Amos Jeffries wrote:
> On 27/09/2016 12:41 a.m., James Lay wrote:
>> Hey all,
>>
>> So I'm going to try and get some visibility into tls traffic. Not concerned with the sslbumping of the traffic, but what I DON'T know what to do is what to do with the traffic once it's decrypted. This squid machine runs IDS software as well, so my hope was to have the IDS software listen to traffic that's decrypted, but for the life of me I'm not sure where to start. Does squid pipe out a stream? Or does the IDS listen to a different "interface"? Is this where ICAP comes in?
>
> Keeping it secure is of high importance. So ensuring that any connections it goes over are securely encrypted somehow is important.
>
> The best way to ensure data security is not to transmit it. What data does the IDS actually need? And can you 'log' only those details to a private pipe/socket the IDS is reading?
>
> Amos

Ah Amos...always vigilant...thank you. Yea those are the questions I'm asking really...how can squid "present" the unencrypted data? Pipe to a socket? Log to a file? Dump to a pcap? As soon as I know the options of how squid can manipulate a session during bumping/decrypting, I'll be able to see if snort/suricata can "listen" to the data. Does that make sense?

Thanks as always Amos.

James
Re: [squid-users] Clarification on icap
On 27/09/2016 12:41 a.m., James Lay wrote:
> Hey all,
>
> So I'm going to try and get some visibility into tls traffic. Not concerned with the sslbumping of the traffic, but what I DON'T know what to do is what to do with the traffic once it's decrypted. This squid machine runs IDS software as well, so my hope was to have the IDS software listen to traffic that's decrypted, but for the life of me I'm not sure where to start. Does squid pipe out a stream? Or does the IDS listen to a different "interface"? Is this where ICAP comes in?

Keeping it secure is of high importance. So ensuring that any connections it goes over are securely encrypted somehow is important.

The best way to ensure data security is not to transmit it. What data does the IDS actually need? And can you 'log' only those details to a private pipe/socket the IDS is reading?

Amos
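One concrete way to do what Amos suggests, added here as an example rather than taken from the thread: instead of handing the whole decrypted stream to anything, log only per-transaction metadata with a custom `logformat` and push it over a loopback socket that the IDS (or a small collector in front of it) listens on. The format name and the port are assumptions; the format codes are Squid's own, and the `ssl::` field is only populated on versions that support it and only for bumped connections.

```conf
# Added example: squid.conf fragment that emits selected fields of each
# transaction to a local socket. Port 5140 and the format name are
# placeholders; nothing here carries request or response bodies.

# timestamp, client, server, method, URL, status, reply bytes, MIME type, SNI
logformat ids_feed %ts.%03tu %>a %<a %rm "%>ru" %>Hs %<st %mt "%ssl::>sni"

# tcp:host:port sends each log line as text to that address. Loopback only:
# the line is plaintext, so keep it off the wire. For a pipe instead of a
# socket, use daemon:/path together with your own logfile_daemon helper.
access_log tcp:127.0.0.1:5140 ids_feed
```

Validate with `squid -k parse`, then `nc -l 127.0.0.1 5140` before the IDS is wired in to see the lines arrive. The trade-off is the one Amos points at: the IDS gets URL, method, status, sizes, MIME type and SNI for every transaction but no payload, so Snort/Suricata rules that match on body content will not fire on this feed; if you need those, you are back to the adaptation (ICAP/eCAP) route, and the question becomes keeping that channel local.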
[squid-users] Clarification on icap
Hey all,

So I'm going to try and get some visibility into tls traffic. Not concerned with the sslbumping of the traffic, but what I DON'T know what to do is what to do with the traffic once it's decrypted. This squid machine runs IDS software as well, so my hope was to have the IDS software listen to traffic that's decrypted, but for the life of me I'm not sure where to start. Does squid pipe out a stream? Or does the IDS listen to a different "interface"? Is this where ICAP comes in?

Thanks for any assistance...just starting out so thought this would be the best place to start.

James