So I’m currently using Squid to proxy with ACLs and it’s worked fine so far. I’d like to try mitmproxy, however after looking through the forums I see two questions that didn’t really appear to get answered, so I’ll ask again here in this post.
Can you BLOCK (not view, filter, or passthrough) but legit BLOCK access to an http/https site with mitmproxy?
Can you stream decrypted traffic to somewhere else (say Snort or Suricata for IDS functionality)?
Can you dump and search decrypted traffic? Not replay, but dump to a file and grep/sed/awk for strings?
Yes. Either interactively by intercepting requests and then killing them, or automatically in a custom script.
Which format would snort and suricata expect? You can write your own stuff with the scripting interface, but we don’t support it out of the box.
Sure. I would always load saved flows into mitmproxy and search there, but you can also make sure that all flows are stored without HTTP gzip/deflate/brotli compression and then grep the dumpfile if you find that more convenient.
Other than that, please be aware that mitmproxy is probably the wrong tool if you want large-scale capture and decryption.
Thank you…that helps. I’m sure I’ll be back with more questions. Do you have examples of the custom script for blocking, and for dumping HTTP flows? And yes…this setup is just for home use…nothing big, just a couple people using. Thanks again!
We have a ton of script examples here: https://github.com/mitmproxy/mitmproxy/tree/master/examples. You can kill flows by calling flow.kill(). For dumping, you can basically roll whatever you think is appropriate. The HAR dumper script is a more complex example of what you can do.
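An addon of the kind the reply points at, covering both the blocking and the dumping question in one script (added example, not code from the thread or from the mitmproxy project; the blocklist, the dump path and the sample flow are assumptions):

```python
"""mitmproxy addon: block listed hosts, dump decoded flows as JSON lines.

Added example for this thread, not from the mitmproxy project.
Run it with:  mitmdump -s block_and_dump.py
BLOCKED_HOSTS and DUMP_PATH are illustrative assumptions.
"""
import json
from pathlib import Path
from types import SimpleNamespace

BLOCKED_HOSTS = {"ads.example.com", "tracker.example.net"}  # assumed list
DUMP_PATH = Path("decoded_flows.jsonl")                      # assumed path
MAX_BODY = 4096  # bodies are truncated so each dump line stays grep-able


def is_blocked(host, blocked=BLOCKED_HOSTS):
    """Exact match or subdomain of any blocked name (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked)


def flow_record(flow):
    """One JSON-able record per flow. get_text() returns the body with
    gzip/deflate/brotli already undone, so grep on the dump sees plaintext."""
    req, resp = flow.request, flow.response
    body = resp.get_text(strict=False) or ""
    return {
        "method": req.method,
        "url": req.pretty_url,
        "status": resp.status_code,
        "request_headers": dict(req.headers.items()),
        "response_body": body[:MAX_BODY],
    }


class BlockAndDump:
    def request(self, flow):
        # Block: kill the flow before it is forwarded upstream.
        if is_blocked(flow.request.pretty_host):
            flow.kill()

    def response(self, flow):
        # Dump: append one decoded record per completed flow.
        with DUMP_PATH.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(flow_record(flow)) + "\n")


addons = [BlockAndDump()]


def sample_record():
    """Constructed stand-in for an HTTPFlow, so flow_record() can be
    exercised without a running proxy."""
    req = SimpleNamespace(method="GET", pretty_url="https://www.example.com/",
                          headers={"Host": "www.example.com"})
    resp = SimpleNamespace(status_code=200,
                           get_text=lambda strict=True: "<html>hi</html>")
    return flow_record(SimpleNamespace(request=req, response=resp))
```

Blocking HTTPS hosts this way relies on the client trusting the mitmproxy CA, since the host check runs on the decrypted request.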