[Zeek] monitoring proxied web traffic
Fernandez, Mark I
mfernandez at mitre.org
Thu Nov 7 04:22:25 PST 2019
Konrad,
Does your proxy also communicate with a content-inspection device, like for
anti-virus inspection of web content? If so, there may be a way to correlate.
The web proxy would use the Internet Content Adaptation Protocol (ICAP) to
encapsulate the HTTP/HTTPS traffic to send to the anti-virus server for
inspection. I wrote a protocol analyzer for ICAP. This protocol is very
similar in syntax to HTTP, and it contains header fields (supported by most
web proxy vendors) called "X-Client-IP" and "X-Server-IP" which correspond to
the original IP addresses of the local web client and the remote web server,
respectively. Please see my presentation from BroCon 2016; perhaps it
applies:
https://www.zeek.org/community/brocon2016.html
Mark
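The correlation Mark describes, shown as an added example that is not from his post or from the Zeek ICAP analyzer: a small Python parser for an ICAP REQMOD message that pulls the proxy-supplied X-Client-IP / X-Server-IP headers and the HTTP request encapsulated in the ICAP body, so a proxied request can be tied back to its original client and destination. The ICAP server name, addresses and HTTP request in the sample are constructed.

```python
"""Parse an ICAP (RFC 3507) request and pull out the proxy-supplied
X-Client-IP / X-Server-IP headers plus the encapsulated HTTP request."""
from typing import Dict, Optional

def _parse_headers(block: bytes) -> Dict[str, str]:
    """Parse a 'Name: value' header block (ICAP or HTTP); names lower-cased."""
    headers = {}
    for line in block.split(b"\r\n"):
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode()] = value.strip().decode()
    return headers

def parse_icap_request(raw: bytes) -> Dict[str, Optional[str]]:
    """Return the ICAP method, original client/server IPs, and the request
    line / Host of the HTTP request carried in the ICAP body."""
    icap_head, _, body = raw.partition(b"\r\n\r\n")
    lines = icap_head.split(b"\r\n")
    icap_method = lines[0].split(b" ")[0].decode()
    icap_headers = _parse_headers(b"\r\n".join(lines[1:]))
    # Encapsulated: req-hdr=0, null-body=51 -> ordered (section, offset) pairs
    sections = []
    for part in icap_headers.get("encapsulated", "").split(","):
        name, _, offset = part.strip().partition("=")
        if name:
            sections.append((name, int(offset)))
    result = {"icap_method": icap_method,
              "client_ip": icap_headers.get("x-client-ip"),
              "server_ip": icap_headers.get("x-server-ip"),
              "http_request_line": None, "http_host": None}
    for i, (name, start) in enumerate(sections):
        if name == "req-hdr":  # offsets are relative to the start of the body
            end = sections[i + 1][1] if i + 1 < len(sections) else len(body)
            http_lines = body[start:end].split(b"\r\n")
            result["http_request_line"] = http_lines[0].decode()
            result["http_host"] = _parse_headers(b"\r\n".join(http_lines[1:])).get("host")
    return result

# Constructed sample: a proxy handing a client's GET to the AV server via REQMOD.
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_ICAP = (
    b"REQMOD icap://icap.example.net/av ICAP/1.0\r\n"
    b"Host: icap.example.net\r\n"
    b"X-Client-IP: 10.1.2.3\r\n"
    b"X-Server-IP: 203.0.113.10\r\n"
    b"Encapsulated: req-hdr=0, null-body=%d\r\n\r\n" % len(HTTP_REQ)
) + HTTP_REQ

if __name__ == "__main__":
    print(parse_icap_request(SAMPLE_ICAP))
```

The same two headers, when logged by a Zeek analyzer, let the proxy-side connection in conn.log be joined to the real client and origin server addresses.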