[Zeek] monitoring proxied web traffic

Michał Purzyński michalpurzynski1 at gmail.com
Wed Nov 6 15:58:58 PST 2019


There is no way for Zeek to really correlate if the proxy does everything
at the application level, like Squid. The proxy terminates the connection
and then it's free to start the second leg, to the destination host, as it
wishes to.

Is your traffic from clients to proxy encrypted as well?

If the traffic between clients and the proxy is not encrypted (as is
usually the case) then even if the client establishes a TLS session
_through_ the proxy you will see a destination with the "service" field
http,ssl and all the conn + ssl + http logs.

We have that + proxy logs and that's pretty much full visibility.



On Wed, Nov 6, 2019 at 1:11 PM Konrad Weglowski <konrad.weglowski at gmail.com>
wrote:

> Hello,
>
> I need to monitor web traffic with Zeek that is going through an implicit
> web proxy. I would like to be able to see real client IPs in which case tap
> would be placed before the proxy, however I will not be able to see the
> real destination IP as it will always be proxy IP. I can also tap on the
> other side of the proxy where source will always be proxy IP at the same
> time.
>
> Is there a way with Zeek to correlate the two sessions (before and after
> proxy) somehow?
>
> I realize that UID or Community ID are probably not going to do it since
> there are different source/destination pairs for each session, but maybe
> based on the timestamp/URI/SNI/byte or packet counts/etc?
>
> I was also thinking "X-Forwarded-For" header but I guess that would only
> work for HTTP and not HTTPS connections.
>
> Thank You,
>
> Konrad
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
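The correlation Konrad asks about, as an added example that is not part of the thread and not Zeek's own code: a small Python script that reads JSON-formatted conn.log and ssl.log records from an inside tap (client to proxy) and an outside tap (proxy to destination) and pairs the two legs of each proxied TLS session by SNI, start time and byte counts, exactly the heuristics suggested above. It assumes an explicit proxy at a fixed address, plaintext between client and proxy (so the inside-tap conn record carries service "http,ssl" and ssl.log has the SNI of the inner ClientHello, as Michał describes), and Zeek writing JSON logs (LogAscii::use_json=T). The proxy address, time window, byte tolerance and every log line are constructed sample values; the field names are the standard conn.log and ssl.log ones.

```python
"""Correlate the two legs of a proxied TLS session seen on two Zeek taps.

Added example, not code from the thread. Assumptions (constructed):
  - an explicit proxy at PROXY_IP with plaintext client->proxy traffic, so
    inside-tap conn records show service "http,ssl" and inside ssl.log
    carries the SNI of the inner ClientHello;
  - Zeek JSON logs (LogAscii::use_json=T) with standard conn/ssl fields.
"""
import json

PROXY_IP = "10.0.0.5"      # constructed proxy address
TIME_WINDOW = 2.0          # max seconds between the two legs' ClientHellos
BYTE_TOLERANCE = 0.15      # relative slack on orig/resp byte counts

# Constructed inside-tap records (client -> proxy). The CONNECT request is
# plaintext, so Zeek tags the connection http,ssl and still parses the SNI.
INSIDE_CONN = """
{"ts":1573075200.10,"uid":"CiAAA1","id.orig_h":"192.168.1.20","id.orig_p":51000,"id.resp_h":"10.0.0.5","id.resp_p":3128,"service":"http,ssl","orig_bytes":2300,"resp_bytes":51200}
{"ts":1573075200.40,"uid":"CiBBB2","id.orig_h":"192.168.1.31","id.orig_p":51001,"id.resp_h":"10.0.0.5","id.resp_p":3128,"service":"http,ssl","orig_bytes":1800,"resp_bytes":9400}
{"ts":1573075260.00,"uid":"CiCCC3","id.orig_h":"192.168.1.20","id.orig_p":51002,"id.resp_h":"10.0.0.5","id.resp_p":3128,"service":"http,ssl","orig_bytes":2100,"resp_bytes":48000}
"""
INSIDE_SSL = """
{"ts":1573075200.15,"uid":"CiAAA1","server_name":"example.org","version":"TLSv12"}
{"ts":1573075200.45,"uid":"CiBBB2","server_name":"updates.example.net","version":"TLSv12"}
{"ts":1573075260.05,"uid":"CiCCC3","server_name":"example.org","version":"TLSv12"}
"""
# Constructed outside-tap records (proxy -> real destination).
OUTSIDE_CONN = """
{"ts":1573075200.13,"uid":"CoAAA1","id.orig_h":"10.0.0.5","id.orig_p":40001,"id.resp_h":"203.0.113.10","id.resp_p":443,"service":"ssl","orig_bytes":2150,"resp_bytes":51100}
{"ts":1573075200.43,"uid":"CoBBB2","id.orig_h":"10.0.0.5","id.orig_p":40002,"id.resp_h":"198.51.100.7","id.resp_p":443,"service":"ssl","orig_bytes":1650,"resp_bytes":9350}
{"ts":1573075260.03,"uid":"CoCCC3","id.orig_h":"10.0.0.5","id.orig_p":40003,"id.resp_h":"203.0.113.10","id.resp_p":443,"service":"ssl","orig_bytes":1950,"resp_bytes":47900}
"""
OUTSIDE_SSL = """
{"ts":1573075200.17,"uid":"CoAAA1","server_name":"example.org","version":"TLSv12"}
{"ts":1573075200.47,"uid":"CoBBB2","server_name":"updates.example.net","version":"TLSv12"}
{"ts":1573075260.07,"uid":"CoCCC3","server_name":"example.org","version":"TLSv12"}
"""


def parse_json_log(text):
    """One JSON object per non-empty line, as Zeek's JSON writer emits."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def tls_sessions(conn_text, ssl_text):
    """Join ssl.log onto conn.log by uid; keep only sessions that have an SNI."""
    conn = {r["uid"]: r for r in parse_json_log(conn_text)}
    sessions = []
    for s in parse_json_log(ssl_text):
        c = conn.get(s["uid"])
        if c is None or "server_name" not in s:
            continue
        sessions.append({
            "uid": s["uid"], "ts": s["ts"], "sni": s["server_name"],
            "orig_h": c["id.orig_h"], "resp_h": c["id.resp_h"],
            "orig_bytes": c["orig_bytes"], "resp_bytes": c["resp_bytes"],
        })
    return sessions


def bytes_close(a, b):
    """The proxy strips the CONNECT request, so counts differ slightly."""
    return abs(a - b) <= BYTE_TOLERANCE * max(a, b, 1)


def correlate(inside, outside):
    """Pair each inside leg (client->proxy) with the closest-in-time outside
    leg (proxy->dest) sharing the SNI and similar byte counts; each outside
    leg is consumed at most once so two clients cannot claim the same leg."""
    used, matches = set(), []
    for i in sorted(inside, key=lambda r: r["ts"]):
        if i["resp_h"] != PROXY_IP:
            continue
        best = None
        for o in outside:
            if (o["uid"] in used or o["orig_h"] != PROXY_IP
                    or o["sni"] != i["sni"]
                    or abs(o["ts"] - i["ts"]) > TIME_WINDOW
                    or not bytes_close(i["orig_bytes"], o["orig_bytes"])
                    or not bytes_close(i["resp_bytes"], o["resp_bytes"])):
                continue
            if best is None or abs(o["ts"] - i["ts"]) < abs(best["ts"] - i["ts"]):
                best = o
        if best is not None:
            used.add(best["uid"])
            matches.append({"client": i["orig_h"], "dest": best["resp_h"],
                            "sni": i["sni"], "inside_uid": i["uid"],
                            "outside_uid": best["uid"]})
    return matches


def correlate_sample():
    """Run the correlation over the constructed logs above."""
    return correlate(tls_sessions(INSIDE_CONN, INSIDE_SSL),
                     tls_sessions(OUTSIDE_CONN, OUTSIDE_SSL))


if __name__ == "__main__":
    for m in correlate_sample():
        print(f"{m['client']} -> {m['dest']} ({m['sni']}) "
              f"inside={m['inside_uid']} outside={m['outside_uid']}")
```

The third pair in the sample data shares its SNI with the first but starts a minute later, which is why the time window (not the SNI alone) decides the pairing; on a busy proxy with many concurrent sessions to the same host the byte-count check is what separates candidates within the window, and any leg left unmatched is exactly the case the reply above describes, where an application-level proxy is free to reuse or delay its outbound connection.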