On 2016-09-26 06:50, Amos Jeffries wrote:
On 27/09/2016 12:41 a.m., James Lay wrote:
Hey all,

So I'm going to try and get some visibility into TLS traffic.  Not
concerned with the sslbumping of the traffic, but what I DON'T know
is what to do with the traffic once it's decrypted.  This
squid machine runs IDS software as well, so my hope was to have the
IDS software listen to traffic that's decrypted, but for the life of
me I'm not sure where to start.  Does squid pipe out a stream?  Or does
the IDS listen to a different "interface"?  Is this where ICAP comes in?

Keeping it secure is of high importance. So ensuring that any
connections it goes over are securely encrypted somehow is important.

The best way to ensure data security is not to transmit it. What data
does the IDS actually need? and can you 'log' only those details to a
private pipe/socket the IDS is reading?

Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Ah Amos...always vigilant...thank you. Yea those are the questions I'm asking really...how can squid "present" the unencrypted data? Pipe to a socket? Log to a file? Dump to a pcap? As soon as I know the options of how squid can manipulate a session during bumping/decrypting, I'll be able to see if snort/suricata can "listen" to the data. Does that make sense? Thanks as always Amos.

James