
List:       oisf-devel
Subject:    Re: [Oisf-devel] http evasion research
From:       Victor Julien <victor () inliniac ! net>
Date:       2013-06-14 12:47:35
Message-ID: 51BB10E7.5080809 () inliniac ! net

On 06/14/2013 02:34 PM, Ivan Ristic wrote:
> On Thu, Jun 13, 2013 at 4:00 PM, Peter Manev <petermanev@gmail.com> wrote:
>>
>>
>> On Thu, Jun 13, 2013 at 4:34 PM, Ivan Ristic <ivan.ristic@gmail.com> wrote:
>>>> ...
>>>>
>>>> BTW - What do you think of "per browser inspection", like we do now
>>>> on a per "OS type" stream reassembly? I am guessing it would be
>>>> really cool but almost impossible to implement?
>>>
>>> It would certainly be cool. I don't see anything complicated in the
>>> implementation, although there's non-trivial work involved to refactor
>>> LibHTP to enable it to "fork" a stream whenever more than one decision
>>> is possible.
>>>
>>> And, of course, the inspection cost would rise. On the positive side,
>>> the costs would apply only to malformed traffic, which is presumably
>>> rare in real life, and occurs only when attacks take place.
>>>
>>>
>>
>> Ok, sounds very good. How much work would be needed actually? I mean there
>> are 5 major browsers, then I guess we have to keep up with their updates and
>> the way they handle things?
> 
> That, and then work out a way to handle all the situations in the
> code. It's likely to be a lot of work overall when the test cases and
> the research are taken into account. And it's entirely open-ended.
> 
> We should first explore what we can do without multiple interpretations.

Yeah, I'm not in favor of multiple parallel interpretations. There are
too many possible branches in such an approach.

It may be good enough to trust the user agent value. It can be spoofed,
but then conflicting behavior could lead to warnings/errors.

Anyhow, stuff to worry about later.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Suricata IDS Devel mailing list: oisf-devel@openinfosecfoundation.org
Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
Redmine: https://redmine.openinfosecfoundation.org/