[Zeek] ICAP Protocol Analyzer, by MITRE

Fri Feb 21 05:48:32 PST 2020

All,

MITRE developed a Bro/Zeek analyzer plugin for the Internet Content Adaptation Protocol (ICAP), per RFC 3507.  It provides a novel means by which to inspect Hyper-Text Transfer Protocol Secure (HTTPS) traffic in plain-text, via a web proxy (for more information, see the background section at the bottom of this email). The ICAP analyzer code is publicly released as open source, under MITRE case number 16-3871.

Download.  The ICAP analyzer is available for download via the Zeek package manager (pending) and at the following URL:

*	https://github.com/mitre/icap

Caveats.

*	The ICAP analyzer was originally developed for Bro v2.4.x and v2.5.x.
*	The plugin seems to build correctly on Bro v2.6.x and Zeek v3.0.x.
*	The ICAP dynamic protocol detection signature (dpd.sig) file is available as part of the plugin, but disabled by default.  The analyzer registers via port 1344/tcp, so it should not require dpd.sig.
*	The ICAP analyzer still uses the .bro file extension for the scripts, so you may see some deprecation warnings, but it should run as expected.  We'll make the ICAP analyzer fully compliant with Zeek 3.0 soon.
*	I do not have any ICAP data or packet capture files to share.  If anyone has ICAP data they can share, please let me know.  It would be great to add the btest feature to the plugin package.

Please let me know if you encounter any errors.

Mark I. Fernandez

The MITRE Corporation

mfernandez at mitre.org

Background:

MITRE presented the ICAP analyzer at BroCon 2016.  You can find links to the conference abstract, slides, and video at https://www.zeek.org/community/brocon2016.html.

The BroCon 2016 abstract is included below for your convenience...

This presentation describes the Internet Content Adaptation Protocol (ICAP) analyzer for the Bro Network Security Monitor tool as a novel means by which to inspect Hyper-Text Transfer Protocol Secure (HTTPS) traffic in plain-text.  It contains an overview of the ICAP specification, an overview of the Bro ICAP analyzer and how it interfaces with the HTTP analyzer and other Bro analyzers.

ICAP is defined by Internet Engineering Task Force (IETF) Request for Comments (RFC) 3507.  It is commonly implemented by web proxy devices to modify content of HTTP messages based on anti-virus (AV), data loss prevention (DLP), or other content inspection services.  Either the web client's original HTTP request and/or a web server's original HTTP response are encapsulated within the ICAP payload that is sent from the web proxy to the AV/DLP proxy.  The AV/DLP proxy inspects the ICAP payload to determine whether or not the content should be modified, according to security policy.  For example, if the web page originating from an external HTTP server contains malicious content that triggers an AV signature, then the AV proxy would modify or replace the content with an error or notification message.

The objectives of the Bro ICAP analyzer are (a) to monitor the link between the web proxy and AV/DLP proxy; (b) to extract the original HTTP message from the ICAP payload; and (c) to invoke the Bro HTTP analyzer, fully utilizing Bro's built-in analysis capabilities for HTTP inspection, file extraction, etc. 

While this may appear to be a convoluted method to monitor HTTP traffic, the true benefit of the Bro ICAP analyzer is achieved if the web proxy is capable of intercepting encrypted HTTPS traffic.  In such a case, the ICAP payload would contain a decrypted copy of the HTTPS message because the AV/DLP proxy would require the content to be plain text in order to inspect it appropriately.  The Bro ICAP analyzer takes advantage of this.   By extracting the decrypted copy of the HTTPS message from the ICAP payload and injecting it into the Bro HTTP analyzer, the Bro ICAP analyzer provides a novel means by which to inspect encrypted web traffic in plain-text.

ICAP Abstract for BroCon 2016. Approved for public release. Distribution unlimited. Case number 16-2621.