[Zeek] monitoring proxied web traffic

Fernandez, Mark I mfernandez at mitre.org
Thu Nov 7 04:22:25 PST 2019


Konrad,

Does your proxy also communicate with a content-inspection device, like for 
anti-virus inspection of web content?  If so, there may be a way to correlate. 
The web proxy would use the Internet Content Adaptation Protocol (ICAP) to 
encapsulate the HTTP/HTTPS traffic to send to the anti-virus server for 
inspection.  I wrote a protocol analyzer for ICAP.  This protocol is very 
similar in syntax to HTTP, and it contains header fields (supported by most 
web proxy vendors) called "X-Client-IP" and "X-Server-IP" which correspond to 
the original IP addresses of the local web client and the remote web server, 
respectively.  Please see my presentation from BroCon 2016; perhaps it 
applies:

https://www.zeek.org/community/brocon2016.html

Mark
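As an added example (not part of Mark's post, and not Zeek's own ICAP analyzer), the following Python parser shows what the correlation he describes looks like in practice: it reads an ICAP REQMOD message laid out per RFC 3507 (request line, ICAP headers, blank line, then the encapsulated HTTP sections at the byte offsets given by the Encapsulated header), pulls out the X-Client-IP and X-Server-IP headers, and pairs them with the encapsulated HTTP request line and Host so the proxied request can be tied back to the original client and server. The sample message, the icap.example.net and www.example.com names and the IP addresses are constructed.

```python
"""Parse an ICAP REQMOD message and tie the proxied HTTP request back to
the original client and server via X-Client-IP / X-Server-IP.

Added example, not Zeek's ICAP analyzer or Mark Fernandez's code.
Message layout follows RFC 3507; header names X-Client-IP / X-Server-IP
are the ones named in the post.  The sample message is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRLF = b"\r\n"


def _parse_headers(block: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a header block into (start line, {lower-cased name: value})."""
    lines = block.split(CRLF)
    start_line = lines[0].decode("ascii", "replace")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:          # blank line: end of headers (or trailing CRLF)
            continue
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        headers[key] = value.strip().decode("ascii", "replace")
    return start_line, headers


def parse_encapsulated(value: str) -> List[Tuple[str, int]]:
    """'req-hdr=0, null-body=123' -> [('req-hdr', 0), ('null-body', 123)]."""
    entries: List[Tuple[str, int]] = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, offset = part.partition("=")
        entries.append((name.strip(), int(offset)))
    return entries


@dataclass
class IcapRecord:
    icap_method: str
    client_ip: Optional[str]   # original web client (from X-Client-IP)
    server_ip: Optional[str]   # remote web server (from X-Server-IP)
    http_method: Optional[str]
    http_uri: Optional[str]
    http_host: Optional[str]


def parse_icap_reqmod(msg: bytes) -> IcapRecord:
    """Extract the correlation fields from one ICAP request message."""
    head, _, body = msg.partition(CRLF + CRLF)
    start_line, icap_hdrs = _parse_headers(head)
    icap_method = start_line.split(" ")[0]

    http_method = http_uri = http_host = None
    sections = parse_encapsulated(icap_hdrs.get("encapsulated", ""))
    for i, (name, offset) in enumerate(sections):
        if name != "req-hdr":
            continue
        # A section runs up to the next listed offset (or end of body).
        end = sections[i + 1][1] if i + 1 < len(sections) else len(body)
        req_line, http_hdrs = _parse_headers(body[offset:end])
        parts = req_line.split(" ")
        http_method = parts[0] if parts else None
        http_uri = parts[1] if len(parts) > 1 else None
        http_host = http_hdrs.get("host")

    # If the proxy does not send these headers, only the proxy's own
    # address is visible on the wire; the fields stay None.
    return IcapRecord(icap_method,
                      icap_hdrs.get("x-client-ip"),
                      icap_hdrs.get("x-server-ip"),
                      http_method, http_uri, http_host)


def describe(rec: IcapRecord) -> str:
    """One-line summary in the spirit of a connection-log entry."""
    return (f"{rec.client_ip or '?'} -> {rec.server_ip or '?'} "
            f"{rec.http_method or '?'} {rec.http_host or '?'}{rec.http_uri or ''}")


# Constructed sample: an HTTP GET encapsulated in an ICAP REQMOD request.
HTTP_REQ = (b"GET /index.html HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"User-Agent: constructed-sample\r\n"
            b"\r\n")
SAMPLE_REQMOD = (b"REQMOD icap://icap.example.net/reqmod ICAP/1.0\r\n"
                 b"Host: icap.example.net\r\n"
                 b"X-Client-IP: 10.1.2.3\r\n"
                 b"X-Server-IP: 198.51.100.7\r\n"
                 + b"Encapsulated: req-hdr=0, null-body=%d\r\n" % len(HTTP_REQ)
                 + b"\r\n" + HTTP_REQ)

if __name__ == "__main__":
    print(describe(parse_icap_reqmod(SAMPLE_REQMOD)))
```

Because the X-Client-IP and X-Server-IP values are plain headers set by the proxy, a monitor should only take them from the proxy-to-ICAP-server segment (where the proxy is the sender), not from any header a client could supply upstream; the parser above leaves the fields empty when the proxy omits them rather than guessing.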


