git.ipfire.org Git - thirdparty/squid.git/commit

author	Christos Tsantilas <christos@chtsanti.net>
	Tue, 10 Jul 2018 09:07:16 +0000 (09:07 +0000)
committer	Squid Anubis <squid-anubis@squid-cache.org>
	Tue, 10 Jul 2018 09:07:21 +0000 (09:07 +0000)
commit	6131103bf436c51e8ef14c57db21a31398b8999f
tree	45cf1af8b30eda26614657639840f457beac7992	tree \| snapshot
parent	e69ca1f15c244a68e6d58e86abbbe77bf578d2b0	commit \| diff

The %>handshake logformat code (#243)

Logging client "handshake" bytes is useful in at least two contexts:

* Runtime traffic bypass and bumping/splicing decisions. Identifying
  popular clients like Skype for Business (that uses a TLS handshake but
  then may not speak TLS) is critical for handling their traffic
  correctly. Squid does not have enough ACLs to interrogate most TLS
  handshake aspects. Adding more ACLs may still be a good idea, but
  initial sketches for SfB handshakes showed rather complex
  ACLs/configurations, _and_ no reasonable ACLs would be able to handle
  non-TLS handshakes. An external ACL receiving the handshake is in a
  much better position to analyze/fingerprint it according to custom
  admin needs.

* A logged handshake can be used to analyze new/unusual traffic or even
  trigger security-related alarms.

The current support is limited to cases where Squid was saving handshake
for other reasons. With enough demand, this initial support can be
extended to all protocols and port configurations.

This is a Measurement Factory project.

src/cf.data.pre		diff \| blob \| blame \| history
src/format/ByteCode.h		diff \| blob \| blame \| history
src/format/Format.cc		diff \| blob \| blame \| history
src/format/Token.cc		diff \| blob \| blame \| history