How to detect transparent proxy by BRO IDS (2.4.1)

Our network administrator is using proxy in transparent mode (SQUID). In this mode , there is no need for user to configure proxy option on his computer. I have captured few hours traffic via tcpdump and when I run bro, to know about http trafffic and defferent apps used (like google, youtube etc.). I am amazed to know that there is even not http.log and app_stats.log files generated. Is it some problem in bro configuration. I have searched from its manual, infomation given about proxy could not solve my problem. I have checked load_scripts.log. I shows that http analyzer is loaded.
Can you please guide me about this issue ?


Hafiz Muhammad Shafiq

Hi Hafiz,

there is no reason why Bro should not log HTTP sessions when there is a
transparent proxy (which, as the name suggest, should also be transparent
to Bro). Hence I assume there is something different going on.

Do your conn.log entries look like Bro sees entire TCP sessions?


FWIW I do this at home with squid. If you have bro listening on the external and internal as I do you'll see something like this on the external:

2016-10-25T13:19:54-0600 CSBm181DwlSMeM1Jkl ext.ip.address 35292 80 1 GET /image/bfe99c49e55b1b0881da51b6820051673071c34e - Spotify/6.3.0 Android/22 (LG-ls990) 0 94040 200 OK - - - (empty) - - VIA -> 1.1 gateway (squid/3.5.22),X-FORWARDED-FOR -> - - F898pvpKI8FAldYVb image/jpeg -

If you're only listening internal, you may not have any evidence to show proxied information:

2016-10-25T13:19:54-0600 CKUVZB4Buv5shQEfre 45741 80 1 GET /image/bfe99c49e55b1b0881da51b6820051673071c34e - Spotify/6.3.0 Android/22 (LG-ls990) 0 94040 200 OK - - - (empty) - - - -- FIcIh42olruCzFTJgl image/jpeg -

Hope that helps.