Content & Malware Analysis


Would the CAS scan the content of a http request although the ICAP method is RESPMOD?

  • 1.  Would the CAS scan the content of a http request although the ICAP method is RESPMOD?

    Posted Sep 25, 2019 02:55 AM

    Hi;

     

    Would the CAS scan the content of an HTTP "POST" request although the ICAP method in the ICAP request is RESPMOD? In this case the ICAP client is not the Proxy SG but another application server capable of sending ICAP requests. Apparently this works. However, I thought I would double check.

     

    Kindly

    Wasfi



  • 2.  RE: Would the CAS scan the content of a http request although the ICAP method is RESPMOD?

    Posted Sep 27, 2019 05:31 AM

    Good question - here is what I think (without knowing what application server you are using or having seen any pcaps):

    It depends on how it is implemented on your application server, but yes, it's possible.

    According to RFC 3507, in RESPMOD the ICAP Client should send the original request from the HTTP client along with the response from the HTTP server "if available".

    The ICAP server (CAS) scans whatever it receives, and yes, in RESPMOD it could be both - HTTP Request and Response data.

    And if it works for you - that's all that matters :)

     

    The big question is not WHAT is scanned but WHEN it is scanned.

    In the case of an HTTP conversation, REQMOD is designed to scan the HTTP Request BEFORE it is let out to the server. If something is wrong the request can be stopped or modified.
    RESPMOD however - while still being able to scan the HTTP Request - will take place after the HTTP response comes back from the HTTP server.

     

    BR!

    Gunnar
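
Added example, not part of the thread: a small Python parser that splits an ICAP RESPMOD request by its `Encapsulated` header, to check in a capture which HTTP parts the ICAP client actually handed to the ICAP server. RFC 3507 defines the RESPMOD request layout as `[req-hdr] [res-hdr] res-body`; the sample message, host names and function names are constructed for illustration.

```python
def build_sample() -> bytes:
    """Constructed RESPMOD request: POST request headers + response headers + chunked body."""
    req_hdr = b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 11\r\n\r\n"
    res_hdr = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    body = b"hello world"
    res_body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    icap = (b"RESPMOD icap://cas.example/avscan ICAP/1.0\r\n"
            b"Host: cas.example\r\n"
            b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d\r\n\r\n"
            % (len(req_hdr), len(req_hdr) + len(res_hdr)))
    return icap + req_hdr + res_hdr + res_body

def parse_encapsulated(message: bytes):
    """Return (ICAP method, {section name: raw bytes}) for one ICAP request."""
    head, sep, payload = message.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header")
    lines = head.split(b"\r\n")
    method = lines[0].split()[0].decode()
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    if b"encapsulated" not in headers:
        raise ValueError("missing Encapsulated header")
    entries = []
    for item in headers[b"encapsulated"].split(b","):
        name, _, offset = item.strip().partition(b"=")
        entries.append((name.decode(), int(offset)))
    offsets = [off for _, off in entries]
    # Offsets are byte positions in the encapsulated payload and must not go backwards.
    if offsets != sorted(offsets) or offsets[-1] > len(payload):
        raise ValueError("inconsistent Encapsulated offsets")
    sections = {}
    for i, (name, off) in enumerate(entries):
        end = entries[i + 1][1] if i + 1 < len(entries) else len(payload)
        sections[name] = payload[off:end]
    return method, sections

def dechunk(data: bytes) -> bytes:
    """Decode the chunked transfer coding ICAP uses for encapsulated bodies."""
    out = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # drop chunk extensions such as "; ieof"
        if size == 0:
            return out
        out += data[:size]
        data = data[size + 2:]  # skip chunk data and its trailing CRLF
```

In the RFC layout the only body section of a RESPMOD request is `res-body`, so the bytes found there are the body content the ICAP server received from the client.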