monitoring proxied web traffic

Konrad,

Does your proxy also communicate with a content-inspection device, like for
anti-virus inspection of web content? If so, there may be a way to correlate.
The web proxy would use the Internet Content Adaptation Protocol (ICAP) to
encapsulate the HTTP/HTTPS traffic to send to the anti-virus server for
inspection. I wrote a protocol analyzer for ICAP. This protocol is very
similar in syntax to HTTP, and it contains header fields (supported by most
web proxy vendors) called "X-Client-IP" and "X-Server-IP" which correspond to
the original IP addresses of the local web client and the remote web server,
respectively. Please see my presentation from BroCon 2016; perhaps it
applies:

https://www.zeek.org/community/brocon2016.html

Mark
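
The correlation Mark describes, shown as an added Python example (not his ICAP analyzer and not part of the original thread): it reads the "X-Client-IP" and "X-Server-IP" headers from an ICAP request and ties them to the encapsulated HTTP request. The hostnames, addresses and sample message are constructed, and the function names are hypothetical.

```python
# Constructed sample (not captured traffic): an ICAP REQMOD request as a proxy
# would send it to the inspection server, wrapping the client's HTTP request.
HTTP_HDR = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE = (
    b"REQMOD icap://av.example.internal:1344/reqmod ICAP/1.0\r\n"
    b"Host: av.example.internal:1344\r\n"
    b"X-Client-IP: 10.1.2.3\r\n"
    b"X-Server-IP: 203.0.113.10\r\n"
    b"Encapsulated: req-hdr=0, null-body=" + str(len(HTTP_HDR)).encode() + b"\r\n"
    b"\r\n" + HTTP_HDR
)

def parse_headers(block):
    """Split a CRLF header block into (start_line, {lowercased name: value})."""
    lines = block.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def correlate(icap_msg):
    """Return the original client/server IPs and the HTTP request they belong to."""
    head, sep, body = icap_msg.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("truncated ICAP header block")
    start, icap = parse_headers(head)
    if not start.endswith("ICAP/1.0"):
        raise ValueError("not an ICAP/1.0 request")
    # Encapsulated lists each section's byte offset within the ICAP body.
    offsets = {}
    for part in icap.get("encapsulated", "").split(","):
        name, sep, off = part.strip().partition("=")
        if sep:
            offsets[name] = int(off)
    record = {
        "icap_method": start.split(" ", 1)[0],
        # None when the proxy is not configured to send these extension headers.
        "client_ip": icap.get("x-client-ip"),
        "server_ip": icap.get("x-server-ip"),
    }
    if "req-hdr" in offsets:
        begin = offsets["req-hdr"]
        later = [o for o in offsets.values() if o > begin]
        end = min(later) if later else len(body)
        record["http_request"], http = parse_headers(body[begin:end])
        record["http_host"] = http.get("host")
    return record
```
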

Mark,

From where can we download the source code (ICAP analyzer)?

Regards,
C. L. Martinez

Thank you, Mark.

The proxy itself is doing content inspection, etc., so I won’t be able to capture it that way.