[Zeek] monitoring proxied web traffic
Carlos Lopez
clopmz at outlook.com
Thu Nov 7 06:26:33 PST 2019
Mark,
From where can we download the source code (ICAP analyzer)?
Regards,
C. L. Martinez
________________________________________
From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> on behalf of Fernandez, Mark I <mfernandez at mitre.org>
Sent: 07 November 2019 13:22
To: Konrad Weglowski; zeek
Subject: Re: [Zeek] monitoring proxied web traffic
Konrad,
Does your proxy also communicate with a content-inspection device, like for
anti-virus inspection of web content? If so, there may be a way to correlate.
The web proxy would use the Internet Content Adaptation Protocol (ICAP) to
encapsulate the HTTP/HTTPS traffic to send to the anti-virus server for
inspection. I wrote a protocol analyzer for ICAP. This protocol is very
similar in syntax to HTTP, and it contains header fields (supported by most
web proxy vendors) called "X-Client-IP" and "X-Server-IP" which correspond to
the original IP addresses of the local web client and the remote web server,
respectively. Please see my presentation from BroCon 2016, perhaps it
applies:
https://www.zeek.org/community/brocon2016.html
Mark
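The correlation Mark describes can be shown in a few dozen lines. The block below is an added example written for this archive page, not code from Mark's ICAP analyzer or from the Zeek project: it parses an ICAP REQMOD request in the RFC 3507 syntax (request line, headers, an `Encapsulated` header giving byte offsets of the wrapped HTTP message), reads the proxy-supplied `X-Client-IP` and `X-Server-IP` headers, and pulls the request line and `Host` out of the encapsulated HTTP request so the inspected transaction can be tied back to the original client and server. The sample ICAP message, hostnames and addresses are constructed; a header that does not hold a valid IP address is reported as absent rather than trusted.

```python
"""
Added example: extract client/server correlation data from an ICAP REQMOD request.
Not part of the Zeek ICAP analyzer; the sample message below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: what a web proxy might send to an AV server over ICAP.
# null-body=77 is the byte length of the encapsulated HTTP header block.
SAMPLE_ICAP = (
    b"REQMOD icap://icap.example.test/reqmod ICAP/1.0\r\n"
    b"Host: icap.example.test\r\n"
    b"X-Client-IP: 10.1.2.3\r\n"
    b"X-Server-IP: 203.0.113.10\r\n"
    b"Encapsulated: req-hdr=0, null-body=77\r\n"
    b"\r\n"
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"User-Agent: constructed\r\n"
    b"\r\n"
)


@dataclass
class IcapCorrelation:
    method: str
    icap_uri: str
    client_ip: Optional[str]          # from X-Client-IP; None if absent or malformed
    server_ip: Optional[str]          # from X-Server-IP; None if absent or malformed
    http_request_line: Optional[str]  # start line of the encapsulated HTTP request
    http_host: Optional[str]          # Host header of the encapsulated HTTP request


def _split_headers(block: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/ICAP-style header block into (start line, {lower-case name: value})."""
    lines = block.split(b"\r\n")
    start = lines[0].decode("ascii", "replace")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line terminates the header block
            break
        name, _, value = line.partition(b":")
        key = name.strip().decode("ascii", "replace").lower()
        headers[key] = value.strip().decode("ascii", "replace")
    return start, headers


def _valid_ip(value: Optional[str]) -> Optional[str]:
    """Return the address in normalised form, or None if missing or not an IP address."""
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def parse_encapsulated(value: str) -> List[Tuple[str, int]]:
    """Parse 'req-hdr=0, null-body=77' into [('req-hdr', 0), ('null-body', 77)]."""
    entries: List[Tuple[str, int]] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, offset = item.partition("=")
        entries.append((name.strip(), int(offset)))
    return entries


def parse_icap_request(raw: bytes) -> IcapCorrelation:
    """Parse one ICAP request and return the fields needed to correlate it with the proxied HTTP flow."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header block")
    start, headers = _split_headers(head)
    try:
        method, icap_uri, version = start.split(" ", 2)
    except ValueError:
        raise ValueError(f"malformed ICAP request line: {start!r}")
    if not version.startswith("ICAP/"):
        raise ValueError(f"not an ICAP request line: {start!r}")

    http_line = http_host = None
    entries = parse_encapsulated(headers.get("encapsulated", ""))
    offsets = dict(entries)
    if "req-hdr" in offsets:
        begin = offsets["req-hdr"]
        # The request header section runs up to the next listed offset.
        later = [off for _, off in entries if off > begin]
        end = min(later) if later else len(body)
        http_line, http_headers = _split_headers(body[begin:end])
        http_host = http_headers.get("host")

    return IcapCorrelation(
        method=method,
        icap_uri=icap_uri,
        client_ip=_valid_ip(headers.get("x-client-ip")),
        server_ip=_valid_ip(headers.get("x-server-ip")),
        http_request_line=http_line,
        http_host=http_host,
    )


if __name__ == "__main__":
    print(parse_icap_request(SAMPLE_ICAP))
```

In a monitoring pipeline the tuple (client_ip, server_ip, http_host, http_request_line) from this parser would be joined against the proxy's own HTTP log for the same request, which is the correlation Mark's analyzer makes possible from the ICAP side of the traffic.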