[Zeek] monitoring proxied web traffic

Konrad Weglowski konrad.weglowski at gmail.com
Wed Nov 6 13:14:39 PST 2019


Hello,

I need to monitor web traffic with Zeek that is going through an implicit
web proxy. I would like to be able to see the real client IPs, in which case
the tap would be placed before the proxy; however, I will not be able to see
the real destination IP, as it will always be the proxy IP. I can also tap on
the other side of the proxy at the same time, where the source will always be
the proxy IP.

Is there a way with Zeek to correlate the two sessions (before and after
proxy) somehow?

I realize that UID or Community ID are probably not going to do it, since
there are different source/destination pairs for each session, but maybe
something based on the timestamp/URI/SNI/byte or packet counts/etc.?

I was also thinking of the "X-Forwarded-For" header, but I guess that would
only work for HTTP and not HTTPS connections.

Thank You,

Konrad
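One way to attempt the timestamp/URI/SNI correlation the question asks about, as an added example that is not from this thread or from the Zeek project: a Python script that reads a client-side and a server-side Zeek log (http.log keyed on method+host+uri, ssl.log keyed on server_name) and pairs each client-side record with the nearest unused server-side record that has the same key and falls inside a time window around the client timestamp. The proxy address, the log samples, the field subset and the window values are all assumptions; the samples are constructed, not captured.

```python
"""Pair Zeek sessions seen on the client side and server side of a proxy.

Added example (not Zeek's own code).  Assumes two taps feeding Zeek: one
before the proxy (real client -> proxy) and one after it (proxy -> real
server), both writing ordinary tab-separated ASCII logs.
"""
from collections import defaultdict

PROXY_IP = "10.0.0.5"  # assumed address the proxy uses on both taps

# Constructed client-side http.log (tap before the proxy): id.resp_h is the proxy.
CLIENT_HTTP = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi
1573074000.100\tCcA1\t192.168.1.10\t50001\t10.0.0.5\t3128\tGET\texample.com\t/index.html
1573074000.300\tCcA2\t192.168.1.11\t50002\t10.0.0.5\t3128\tGET\texample.com\t/index.html
1573074001.000\tCcA3\t192.168.1.12\t50003\t10.0.0.5\t3128\tGET\tcdn.example.net\t/a.js
"""
# Constructed server-side http.log (tap after the proxy): id.orig_h is the proxy.
SERVER_HTTP = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi
1573074000.120\tCsB1\t10.0.0.5\t40001\t93.184.216.34\t80\tGET\texample.com\t/index.html
1573074000.350\tCsB2\t10.0.0.5\t40002\t93.184.216.34\t80\tGET\texample.com\t/index.html
1573074009.000\tCsB3\t10.0.0.5\t40003\t203.0.113.9\t80\tGET\tother.example\t/x
"""
# Constructed ssl.log pair: for HTTPS the SNI (server_name) is the usable key.
# The server-side record here starts 0.2 s *before* the client one (reused
# upstream connection or sensor clock skew), which max_skew below tolerates.
CLIENT_SSL = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name
1573074010.000\tCcS1\t192.168.1.20\t50010\t10.0.0.5\t3128\tmail.example.org
"""
SERVER_SSL = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name
1573074009.800\tCsT1\t10.0.0.5\t40010\t198.51.100.7\t443\tmail.example.org
1573074010.900\tCsT2\t10.0.0.5\t40011\t198.51.100.8\t443\tlogin.example.org
"""


def parse_zeek_log(text):
    """Parse a Zeek ASCII log using its '#fields' header line; returns dicts."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split("\t")))
            rec["ts"] = float(rec["ts"])
            records.append(rec)
    return records


def correlate(client_recs, server_recs, key_fields, proxy_ip=PROXY_IP,
              max_skew=0.5, window=5.0):
    """Greedy one-to-one matching: same key, nearest timestamp inside
    [client_ts - max_skew, client_ts + window].  Returns
    (pairs, unmatched_client_uids, unmatched_server_uids)."""
    def key(r):
        return tuple(r[f] for f in key_fields)

    # Keep only records that actually traverse the proxy on each tap.
    clients = sorted((r for r in client_recs if r["id.resp_h"] == proxy_ip),
                     key=lambda r: r["ts"])
    by_key = defaultdict(list)
    for r in server_recs:
        if r["id.orig_h"] == proxy_ip:
            by_key[key(r)].append(r)

    used, pairs = set(), []
    for c in clients:
        best = None
        for s in by_key.get(key(c), []):
            dt = s["ts"] - c["ts"]
            if s["uid"] in used or dt < -max_skew or dt > window:
                continue
            if best is None or abs(dt) < abs(best["ts"] - c["ts"]):
                best = s
        if best is None:
            continue
        used.add(best["uid"])
        pairs.append({"client_uid": c["uid"], "server_uid": best["uid"],
                      "client_ip": c["id.orig_h"], "server_ip": best["id.resp_h"],
                      "delta": round(best["ts"] - c["ts"], 3)})
    matched = {p["client_uid"] for p in pairs}
    unmatched_c = [c["uid"] for c in clients if c["uid"] not in matched]
    unmatched_s = [r["uid"] for rs in by_key.values() for r in rs if r["uid"] not in used]
    return pairs, unmatched_c, unmatched_s


def correlate_http():
    return correlate(parse_zeek_log(CLIENT_HTTP), parse_zeek_log(SERVER_HTTP),
                     key_fields=("method", "host", "uri"))


def correlate_ssl():
    return correlate(parse_zeek_log(CLIENT_SSL), parse_zeek_log(SERVER_SSL),
                     key_fields=("server_name",))


if __name__ == "__main__":
    for name, fn in (("http", correlate_http), ("ssl", correlate_ssl)):
        pairs, uc, us = fn()
        for p in pairs:
            print(f"{name}: {p['client_ip']} -> {p['server_ip']} "
                  f"({p['client_uid']} <-> {p['server_uid']}, dt={p['delta']}s)")
        print(f"{name}: unmatched client-side {uc}, unmatched server-side {us}")
```

This is a heuristic, not a join: two clients fetching the same URI within the window are told apart only by timestamp proximity, a cache hit on the proxy produces a client-side record with no server-side counterpart, and a reused upstream connection can make the server-side timestamp precede the client-side one (hence max_skew). The two sensors need synchronized clocks, and orig_bytes/resp_bytes from conn.log can be added to the key as a tie-breaker when the application-layer key alone is ambiguous.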