Feature #3379
open
Filtering ICAP Protocol on lo Interface
Description
It would be very nice if Suricata could handle the ICAP protocol for filtering decrypted SSL web traffic.
Proxies, for example Squid, often do SSL inspection through the local loopback interface (lo) using the ICAP protocol on port 1344.
I can configure Suricata to listen on the "lo" interface, but Suricata does not alert on its rules for this decrypted web traffic, which is also readable by Suricata on the lo interface.
I guess Suricata needs an "ICAP wrapper", so a new feature?
Updated by Schroeffu Schroeffu almost 5 years ago
Attached you'll see an example of the only Suricata alert I sometimes get while monitoring the local loopback interface, through which all the decrypted web traffic goes for virus scanning (custom port 13444 instead of 1344). I should see many more alert hits from Suricata, so Suricata seems not to understand ICAP yet.
Updated by Victor Julien over 1 year ago
- Related to Feature #6101: icap: app-layer protocol support added
Updated by Philippe Antoine over 1 year ago
- Assignee set to OISF Dev
Do you have some pcaps that can be shared?
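
As an added illustration (not part of the ticket and not Suricata's code), the Python below splits an ICAP REQMOD message per RFC 3507 into its encapsulated HTTP sections, showing that the decrypted HTTP request on the loopback port sits inside an ICAP envelope rather than at the start of the stream. The sample message, host names and function names are constructed for the example.

```python
# Added example: split an ICAP message (RFC 3507) into its encapsulated HTTP parts.

def parse_icap(msg: bytes) -> dict:
    """Return ICAP method, URI, headers and the encapsulated sections."""
    head, sep, body = msg.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header block")
    lines = head.decode("ascii").split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    if not version.startswith("ICAP/"):
        raise ValueError("not an ICAP start line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Encapsulated lists each section with its byte offset into the ICAP body,
    # e.g. "req-hdr=0, req-body=57".
    sections = []
    for item in headers.get("encapsulated", "").split(","):
        name, _, offset = item.strip().partition("=")
        if not offset.isdigit() or int(offset) > len(body):
            raise ValueError("bad Encapsulated header")
        sections.append((name, int(offset)))
    parts = {}
    for i, (name, start) in enumerate(sections):
        end = sections[i + 1][1] if i + 1 < len(sections) else len(body)
        parts[name] = body[start:end]
    return {"method": method, "uri": uri, "headers": headers, "parts": parts}

def inner_request_line(msg: bytes) -> str:
    """First line of the HTTP request carried inside a REQMOD message."""
    return parse_icap(msg)["parts"]["req-hdr"].split(b"\r\n", 1)[0].decode("ascii")

# Constructed sample: what a proxy might send to a scanner on loopback.
HTTP_HDR = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
HTTP_BODY = b"5\r\nhello\r\n0\r\n\r\n"  # encapsulated bodies are chunked
SAMPLE = (
    b"REQMOD icap://127.0.0.1:1344/reqmod ICAP/1.0\r\n"
    b"Host: 127.0.0.1:1344\r\n"
    b"Encapsulated: req-hdr=0, req-body=" + str(len(HTTP_HDR)).encode() + b"\r\n\r\n"
    + HTTP_HDR + HTTP_BODY
)

if __name__ == "__main__":
    print(SAMPLE.split(b"\r\n", 1)[0].decode())  # what the stream starts with
    print(inner_request_line(SAMPLE))            # the HTTP request inside it
```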