[Zeek] ICAP Protocol Analyzer, by MITRE

Amber Graner akgraner at corelight.com
Fri Feb 21 05:53:33 PST 2020


Thanks, Mark!!

~Amber

On Fri, Feb 21, 2020 at 5:52 AM Fernandez, Mark I <mfernandez at mitre.org>
wrote:

> All,
>
>
>
> MITRE developed a Bro/Zeek analyzer plugin for the Internet Content
> Adaptation Protocol (ICAP), per RFC 3507.  It provides a novel means by
> which to inspect Hyper-Text Transfer Protocol Secure (HTTPS) traffic in
> plain-text, via a web proxy (for more information, see the background
> section at the bottom of this email). The ICAP analyzer code is publicly
> released as open source, under MITRE case number 16-3871.
>
>
>
> Download.  The ICAP analyzer is available for download via the Zeek
> package manager (pending) and at the following URL:
>
> *       https://github.com/mitre/icap
>
>
>
> Caveats.
>
> *       The ICAP analyzer was originally developed for Bro v2.4.x and
> v2.5.x.
> *       The plugin seems to build correctly on Bro v2.6.x and Zeek v3.0.x.
> *       The ICAP dynamic protocol detection signature (dpd.sig) file is
> available as part of the plugin, but disabled by default.  The analyzer
> registers via port 1344/tcp, so it should not require dpd.sig.
> *       The ICAP analyzer still uses the .bro file extension for the
> scripts, so you may see some deprecation warnings, but it should run as
> expected.  We'll make the ICAP analyzer fully compliant with Zeek 3.0 soon.
> *       I do not have any ICAP data or packet capture files to share.  If
> anyone has ICAP data they can share, please let me know.  It would be great
> to add the btest feature to the plugin package.
>
>
>
> Please let me know if you encounter any errors.
>
>
>
> Mark I. Fernandez
>
> The MITRE Corporation
>
> mfernandez at mitre.org
>
>
>
>
>
> Background:
>
> MITRE presented the ICAP analyzer at BroCon 2016.  You can find links to
> the conference abstract, slides, and video at
> https://www.zeek.org/community/brocon2016.html.
>
>
>
> The BroCon 2016 abstract is included below for your convenience...
>
>
>
> This presentation describes the Internet Content Adaptation Protocol
> (ICAP) analyzer for the Bro Network Security Monitor tool as a novel means
> by which to inspect Hyper-Text Transfer Protocol Secure (HTTPS) traffic in
> plain-text.  It contains an overview of the ICAP specification, an overview
> of the Bro ICAP analyzer and how it interfaces with the HTTP analyzer and
> other Bro analyzers.
>
>
>
> ICAP is defined by Internet Engineering Task Force (IETF) Request for
> Comments (RFC) 3507.  It is commonly implemented by web proxy devices to
> modify content of HTTP messages based on anti-virus (AV), data loss
> prevention (DLP), or other content inspection services.  Either the web
> client's original HTTP request and/or a web server's original HTTP response
> are encapsulated within the ICAP payload that is sent from the web proxy to
> the AV/DLP proxy.  The AV/DLP proxy inspects the ICAP payload to determine
> whether or not the content should be modified, according to security
> policy.  For example, if the web page originating from an external HTTP
> server contains malicious content that triggers an AV signature, then the
> AV proxy would modify or replace the content with an error or notification
> message.
>
>
>
> The objectives of the Bro ICAP analyzer are (a) to monitor the link
> between the web proxy and AV/DLP proxy; (b) to extract the original HTTP
> message from the ICAP payload; and (c) to invoke the Bro HTTP analyzer,
> fully utilizing Bro's built-in analysis capabilities for HTTP inspection,
> file extraction, etc.
>
>
>
> While this may appear to be a convoluted method to monitor HTTP traffic,
> the true benefit of the Bro ICAP analyzer is achieved if the web proxy is
> capable of intercepting encrypted HTTPS traffic.  In such a case, the ICAP
> payload would contain a decrypted copy of the HTTPS message because the
> AV/DLP proxy would require the content to be plain text in order to inspect
> it appropriately.  The Bro ICAP analyzer takes advantage of this.   By
> extracting the decrypted copy of the HTTPS message from the ICAP payload
> and injecting it into the Bro HTTP analyzer, the Bro ICAP analyzer provides
> a novel means by which to inspect encrypted web traffic in plain-text.
>
>
>
> ICAP Abstract for BroCon 2016. Approved for public release. Distribution
> unlimited. Case number 16-2621.
>
> (c) 2016 The MITRE Corporation. All rights reserved.
>
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
-- 

*Amber Graner*
Director of Community
Corelight, Inc

828.582.9469

Schedule time on my calendar here. <https://calendly.com/amber_graner>



 * Ask me about how you can participate in the Zeek (formerly Bro)
community.
 * Remember - ZEEK AND YOU SHALL FIND!!
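The extraction step the quoted announcement describes (pulling the original HTTP request and response out of an RFC 3507 ICAP message and handing them to HTTP analysis) is shown below as an added example. It is not code from the MITRE plugin or the Zeek project; it is a stand-alone Python parser for the RESPMOD form of the protocol. The ICAP service URI, hosts, paths and HTML body are constructed sample values, and the `build_respmod` helper plays the role of the web proxy so the input can be generated offline. The parser refuses `Encapsulated` offsets that do not land on a header boundary, since a monitor that silently trusts mis-stated offsets would attribute bytes to the wrong message.

```python
"""Added example (not MITRE/Zeek code): minimal RFC 3507 ICAP RESPMOD parser
that recovers the encapsulated HTTP request and response, the step the ICAP
analyzer performs before invoking HTTP analysis. Sample data is constructed."""
from dataclasses import dataclass, field
from typing import Optional

CRLF = b"\r\n"


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)  # lower-cased names; later duplicates win
    body: bytes = b""


@dataclass
class IcapMessage:
    start_line: str
    headers: dict
    request: Optional[HttpMessage] = None
    response: Optional[HttpMessage] = None


def _parse_header_block(block: bytes):
    """Split a start line plus 'Name: value' lines (no trailing blank line)."""
    lines = block.split(CRLF)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers


def _dechunk(data: bytes) -> bytes:
    """Decode the HTTP chunked framing ICAP mandates for encapsulated bodies."""
    out, pos = b"", 0
    while True:
        end = data.index(CRLF, pos)  # ValueError on truncated input
        size = int(data[pos:end].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return out
        pos = end + 2
        out += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != CRLF:
            raise ValueError("bad chunk framing")
        pos += 2


def parse_icap(raw: bytes) -> IcapMessage:
    """Parse ICAP headers, then slice the encapsulated section by the offsets
    given in the Encapsulated header (offsets are relative to that section)."""
    head, sep, encap = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("ICAP headers not terminated")
    start, headers = _parse_header_block(head)
    msg = IcapMessage(start, headers)
    entries = []
    for item in headers.get("encapsulated", "").split(","):
        name, _, off = item.strip().partition("=")
        entries.append((name, int(off)))
    for i, (name, off) in enumerate(entries):
        nxt = entries[i + 1][1] if i + 1 < len(entries) else len(encap)
        if off > nxt:
            raise ValueError("Encapsulated offsets not ascending")
        part = encap[off:nxt]
        if name in ("req-hdr", "res-hdr"):
            # a header section must end on its own blank line; anything else
            # means the offsets do not describe the bytes we were given
            if not part.endswith(CRLF + CRLF):
                raise ValueError(f"{name} offset does not land on a header boundary")
            sl, hs = _parse_header_block(part[:-4])
            setattr(msg, "request" if name == "req-hdr" else "response", HttpMessage(sl, hs))
        elif name in ("req-body", "res-body"):
            target = msg.request if name == "req-body" else msg.response
            if target is None:
                raise ValueError(f"{name} without matching headers")
            target.body = _dechunk(part)
        elif name != "null-body":
            raise ValueError(f"unknown Encapsulated entity {name}")
    return msg


def _format(m: HttpMessage) -> bytes:
    lines = [m.start_line] + [f"{k}: {v}" for k, v in m.headers.items()]
    return CRLF.join(l.encode("latin-1") for l in lines) + CRLF + CRLF


def build_respmod(req: HttpMessage, resp: HttpMessage, res_hdr_skew: int = 0) -> bytes:
    """Encapsulate a request/response pair as a web proxy would (hypothetical
    stand-in for the proxy). res_hdr_skew mis-states the res-hdr offset on
    purpose so the parser's boundary check can be exercised."""
    req_hdr, res_hdr = _format(req), _format(resp)
    body = f"{len(resp.body):x}".encode() + CRLF + resp.body + CRLF + b"0" + CRLF + CRLF
    encap = (f"req-hdr=0, res-hdr={len(req_hdr) + res_hdr_skew}, "
             f"res-body={len(req_hdr) + len(res_hdr)}")
    head = [b"RESPMOD icap://icap.example.net/respmod ICAP/1.0",  # constructed service URI
            b"Host: icap.example.net",
            b"Encapsulated: " + encap.encode()]
    return CRLF.join(head) + CRLF + CRLF + req_hdr + res_hdr + body


# constructed sample exchange, not a real capture
SAMPLE_REQUEST = HttpMessage("GET /index.html HTTP/1.1",
                             {"Host": "www.example.com", "User-Agent": "demo/1.0"})
SAMPLE_RESPONSE = HttpMessage("HTTP/1.1 200 OK",
                              {"Content-Type": "text/html", "Content-Length": "18"},
                              b"<html>hello</html>")
SAMPLE_RESPMOD = build_respmod(SAMPLE_REQUEST, SAMPLE_RESPONSE)


def summarize(msg: IcapMessage) -> dict:
    """The fields a monitor would log for the recovered HTTP exchange."""
    out = {"icap_method": msg.start_line.split()[0]}
    if msg.request:
        method, uri, _ = msg.request.start_line.split(" ", 2)
        out.update(method=method, uri=uri, host=msg.request.headers.get("host"))
    if msg.response:
        out["status"] = int(msg.response.start_line.split(" ", 2)[1])
        out["content_type"] = msg.response.headers.get("content-type")
        out["body_len"] = len(msg.response.body)
    return out


if __name__ == "__main__":
    print(summarize(parse_icap(SAMPLE_RESPMOD)))
```

Offsets in `Encapsulated` count from the first byte after the ICAP header block, and each header entity includes its own terminating blank line, which is why the parser can validate a boundary by checking for `CRLF CRLF` at the end of the slice; the same parser handles REQMOD messages carrying `req-body` and responses carrying `null-body`.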

