[Zeek] ICAP Protocol Analyzer, by MITRE
Amber Graner
akgraner at corelight.com
Fri Feb 21 05:53:33 PST 2020
Thanks, Mark!!
~Amber
On Fri, Feb 21, 2020 at 5:52 AM Fernandez, Mark I <mfernandez at mitre.org> wrote:
> All,
>
> MITRE developed a Bro/Zeek analyzer plugin for the Internet Content
> Adaptation Protocol (ICAP), per RFC 3507. It provides a novel means by
> which to inspect Hyper-Text Transfer Protocol Secure (HTTPS) traffic in
> plain-text, via a web proxy (for more information, see the background
> section at the bottom of this email). The ICAP analyzer code is publicly
> released as open source, under MITRE case number 16-3871.
>
> Download. The ICAP analyzer is available for download via the Zeek
> package manager (pending) and at the following URL:
>
> * https://github.com/mitre/icap
>
> Caveats.
>
> * The ICAP analyzer was originally developed for Bro v2.4.x and
> v2.5.x.
> * The plugin seems to build correctly on Bro v2.6.x and Zeek v3.0.x.
> * The ICAP dynamic protocol detection signature (dpd.sig) file is
> available as part of the plugin, but disabled by default. The analyzer
> registers via port 1344/tcp, so it should not require dpd.sig.
> * The ICAP analyzer still uses the .bro file extension for the
> scripts, so you may see some deprecation warnings, but it should run as
> expected. We'll make the ICAP analyzer fully compliant with Zeek 3.0 soon.
> * I do not have any ICAP data or packet capture files to share. If
> anyone has ICAP data they can share, please let me know. It would be great
> to add the btest feature to the plugin package.
>
> Please let me know if you encounter any errors.
>
> Mark I. Fernandez
>
> The MITRE Corporation
>
> mfernandez at mitre.org
>
> Background:
>
> MITRE presented the ICAP analyzer at BroCon 2016. You can find links to
> the conference abstract, slides, and video at
> https://www.zeek.org/community/brocon2016.html.
>
> The BroCon 2016 abstract is included below for your convenience...
>
> This presentation describes the Internet Content Adaptation Protocol
> (ICAP) analyzer for the Bro Network Security Monitor tool as a novel means
> by which to inspect Hyper-Text Transfer Protocol Secure (HTTPS) traffic in
> plain-text. It contains an overview of the ICAP specification, an overview
> of the Bro ICAP analyzer and how it interfaces with the HTTP analyzer and
> other Bro analyzers.
>
> ICAP is defined by Internet Engineering Task Force (IETF) Request for
> Comments (RFC) 3507. It is commonly implemented by web proxy devices to
> modify content of HTTP messages based on anti-virus (AV), data loss
> prevention (DLP), or other content inspection services. Either the web
> client's original HTTP request and/or a web server's original HTTP response
> are encapsulated within the ICAP payload that is sent from the web proxy to
> the AV/DLP proxy. The AV/DLP proxy inspects the ICAP payload to determine
> whether or not the content should be modified, according to security
> policy. For example, if the web page originating from an external HTTP
> server contains malicious content that triggers an AV signature, then the
> AV proxy would modify or replace the content with an error or notification
> message.
>
> The objectives of the Bro ICAP analyzer are (a) to monitor the link
> between the web proxy and AV/DLP proxy; (b) to extract the original HTTP
> message from the ICAP payload; and (c) to invoke the Bro HTTP analyzer,
> fully utilizing Bro's built-in analysis capabilities for HTTP inspection,
> file extraction, etc.
>
> While this may appear to be a convoluted method to monitor HTTP traffic,
> the true benefit of the Bro ICAP analyzer is achieved if the web proxy is
> capable of intercepting encrypted HTTPS traffic. In such a case, the ICAP
> payload would contain a decrypted copy of the HTTPS message because the
> AV/DLP proxy would require the content to be plain text in order to inspect
> it appropriately. The Bro ICAP analyzer takes advantage of this. By
> extracting the decrypted copy of the HTTPS message from the ICAP payload
> and injecting it into the Bro HTTP analyzer, the Bro ICAP analyzer provides
> a novel means by which to inspect encrypted web traffic in plain-text.
>
> ICAP Abstract for BroCon 2016. Approved for public release. Distribution
> unlimited. Case number 16-2621.
>
> (c) 2016 The MITRE Corporation. All rights reserved.
--
*Amber Graner*
Director of Community
Corelight, Inc
828.582.9469
Schedule time on my calendar here. <https://calendly.com/amber_graner>
* Ask me about how you can participate in the Zeek (formerly Bro)
community.
* Remember - ZEEK AND YOU SHALL FIND!!
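The encapsulation Mark's abstract describes (the client's HTTP request and the server's HTTP response carried inside an ICAP message between the web proxy and the AV/DLP proxy), shown as an added Python example that is not the MITRE plugin's code: it splits an ICAP RESPMOD message on the RFC 3507 Encapsulated header offsets and de-chunks the body, recovering the plain HTTP message a Zeek HTTP analyzer would consume. The RESPMOD sample, its hostnames and paths are constructed for the example.

```python
# Added example, not code from the MITRE ICAP plugin: parse one ICAP message
# (RFC 3507), split out the encapsulated HTTP sections, de-chunk the body.

def split_encapsulated(msg: bytes):
    """Return (start_line, icap_headers, sections); sections maps each
    Encapsulated entry (req-hdr, res-hdr, req-body, res-body, null-body) to bytes."""
    head, _, payload = msg.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    icap_headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        icap_headers[name.strip().lower()] = value.strip()
    # Encapsulated: req-hdr=0, res-hdr=51, res-body=95  (byte offsets into payload)
    entries = [e.strip().split(b"=", 1) for e in
               icap_headers.get(b"encapsulated", b"").split(b",") if e.strip()]
    offsets = [(name.decode(), int(off)) for name, off in entries]
    sections = {}
    for i, (name, off) in enumerate(offsets):
        end = offsets[i + 1][1] if i + 1 < len(offsets) else len(payload)
        sections[name] = payload[off:end]
    return lines[0], icap_headers, sections

def dechunk(body: bytes) -> bytes:
    """Decode the HTTP/1.1 chunked encoding that ICAP requires for bodies."""
    out, pos = b"", 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
        pos = line_end + 2
        if size == 0:
            return out
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that ends the chunk data

def extract_http(msg: bytes):
    """Rebuild the plain HTTP request and response carried in the ICAP message."""
    _, _, sec = split_encapsulated(msg)
    req = sec.get("req-hdr", b"") + dechunk(sec.get("req-body", b"0\r\n\r\n"))
    res = sec.get("res-hdr", b"") + dechunk(sec.get("res-body", b"0\r\n\r\n"))
    return req, res

# Constructed RESPMOD sample; offsets are computed from the parts as a proxy would.
REQ_HDR = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
RES_BODY = b"12\r\n<html>hello</html>\r\n0\r\n\r\n"
SAMPLE = (b"RESPMOD icap://icap.example.net/respmod ICAP/1.0\r\n"
          b"Host: icap.example.net\r\n"
          b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d\r\n\r\n"
          % (len(REQ_HDR), len(REQ_HDR) + len(RES_HDR))
          + REQ_HDR + RES_HDR + RES_BODY)
```

Calling `extract_http(SAMPLE)` yields the original request and the de-chunked response, which is what the analyzer hands to Zeek's HTTP analysis.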