[Zeek] monitoring proxied web traffic

Konrad Weglowski konrad.weglowski at gmail.com
Thu Nov 7 10:07:29 PST 2019


Thank you, Mark.

The proxy itself is doing content inspection, etc., so I won't be able to capture
it that way.

On Thu, Nov 7, 2019 at 7:23 AM Fernandez, Mark I <mfernandez at mitre.org> wrote:

> Konrad,
>
> Does your proxy also communicate with a content-inspection device, like for
> anti-virus inspection of web content?  If so, there may be a way to correlate.
> The web proxy would use the Internet Content Adaptation Protocol (ICAP) to
> encapsulate the HTTP/HTTPS traffic to send to the anti-virus server for
> inspection.  I wrote a protocol analyzer for ICAP.  This protocol is very
> similar in syntax to HTTP, and it contains header fields (supported by most
> web proxy vendors) called "X-Client-IP" and "X-Server-IP" which correspond to
> the original IP addresses of the local web client and the remote web server,
> respectively.  Please see my presentation from BroCon 2016, perhaps it
> applies:
>
> https://www.zeek.org/community/brocon2016.html
>
> Mark
>
>
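The ICAP correlation Mark describes above, as an added example that is not part of this thread, Mark's analyzer, or the Zeek project: a small Python parser for an ICAP REQMOD request that pulls out the proxy-vendor extension headers "X-Client-IP" and "X-Server-IP" and the encapsulated HTTP request, so an analyst can map a proxied HTTP request back to the original client and server addresses. The sample ICAP message, the host names and the IP addresses are constructed for the example; the ICAP framing (request line, Encapsulated header with req-hdr/null-body offsets) follows RFC 3507.

```python
"""Extract original client/server IPs from an ICAP REQMOD message (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: an ICAP REQMOD request as a web proxy would send it to a
# content-inspection server. Hosts and addresses are invented for the example.
SAMPLE_ICAP = (
    b"REQMOD icap://icap.example.invalid/reqmod ICAP/1.0\r\n"
    b"Host: icap.example.invalid\r\n"
    b"X-Client-IP: 10.1.2.3\r\n"
    b"X-Server-IP: 198.51.100.7\r\n"
    b"Encapsulated: req-hdr=0, null-body=89\r\n"
    b"\r\n"
    b"GET /download/tool.exe HTTP/1.1\r\n"
    b"Host: files.example.invalid\r\n"
    b"User-Agent: curl/7.68.0\r\n"
    b"\r\n"
)


@dataclass
class IcapRecord:
    method: str                    # REQMOD / RESPMOD / OPTIONS
    uri: str                       # icap:// service URI
    client_ip: Optional[str]       # original web client, from X-Client-IP
    server_ip: Optional[str]       # original web server, from X-Server-IP
    http_request_line: Optional[str]  # encapsulated HTTP request line
    http_host: Optional[str]       # Host header of the encapsulated request


def _parse_headers(block: bytes) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return headers


def _valid_ip(value: Optional[str]) -> Optional[str]:
    """Return the address only if it parses as an IP; a proxy header is still input."""
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def parse_icap_request(raw: bytes) -> IcapRecord:
    """Parse the ICAP header section and the encapsulated HTTP request headers."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header section")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, version = request_line.decode("ascii").split(" ", 2)
    if not version.startswith("ICAP/"):
        raise ValueError(f"not an ICAP request line: {request_line!r}")
    headers = _parse_headers(header_block)

    # Encapsulated: ordered list of "name=offset" into the body (RFC 3507 4.4.1).
    sections = []
    for item in headers.get("encapsulated", "").split(","):
        item = item.strip()
        if item:
            name, _, offset = item.partition("=")
            sections.append((name.strip(), int(offset)))

    http_request_line = http_host = None
    names = [n for n, _ in sections]
    if "req-hdr" in names:
        idx = names.index("req-hdr")
        start = sections[idx][1]
        # The next listed offset marks the end of the request-header section.
        end = sections[idx + 1][1] if idx + 1 < len(sections) else len(body)
        req_block = body[start:end]
        first, _, rest = req_block.partition(b"\r\n")
        http_request_line = first.decode("ascii")
        http_host = _parse_headers(rest).get("host")

    return IcapRecord(
        method=method,
        uri=uri,
        client_ip=_valid_ip(headers.get("x-client-ip")),
        server_ip=_valid_ip(headers.get("x-server-ip")),
        http_request_line=http_request_line,
        http_host=http_host,
    )


def correlation_key(rec: IcapRecord) -> tuple:
    """Key to join an ICAP record with the original client<->server connection."""
    return (rec.client_ip, rec.server_ip, rec.http_host)


if __name__ == "__main__":
    rec = parse_icap_request(SAMPLE_ICAP)
    print(rec)
    print("join key:", correlation_key(rec))
```

The join key (client IP, server IP, Host) is what you would match against the proxy's own connection records; an X-Client-IP value that does not parse as an address is dropped rather than trusted.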