[Oisf-devel] http evasion research

Ivan Ristic ivan.ristic at gmail.com
Thu Jun 13 14:34:14 UTC 2013


> ...
>
> BTW - What do you think of "per browser inspection", like we do now
> on a per "OS type" stream reassembly? I am guessing it would be
> really cool but almost impossible to implement?

It would certainly be cool. I don't see anything complicated in the
implementation, although there's non-trivial work involved to refactor
LibHTP to enable it to "fork" a stream whenever more than one decision
is possible.

And, of course, the inspection cost would rise. On the positive side,
the costs would apply only to malformed traffic, which is presumably
rare in real life, and occurs only when attacks take place.


>> The possibilities are as follows:
>> 1. Raise flags as appropriate
>> 2. Force dechunking
>> 3. Process the same stream twice, with and without chunking
>>
>> #1 is clearly easy and I suspect #2 would be fine, but more research
>> is needed. Perhaps this is something that we can work on for LibHTP
>> 0.6.x.
>
> --
> Regards,
> Peter Manev



-- 
Ivan Ristić
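To make the "fork a stream whenever more than one decision is possible" idea concrete, here is an added sketch in Python. It is not LibHTP or Suricata code, and the names (Interpretation, interpret, inspect, dechunk, the flag strings and the SAMPLE request) are all constructed for this illustration. It takes a request that carries both Content-Length and Transfer-Encoding: chunked, the framing ambiguity behind request smuggling, and instead of committing to one reading returns one body per plausible reading, each carrying the flags raised. inspect() then shows the difference between option 1 from the quoted list (commit to the RFC reading, chunked wins, and only raise flags) and option 3 (run the content check over every reading).

```python
"""Forking ambiguous HTTP request framing (constructed example, not LibHTP).

RFC 7230 says Transfer-Encoding: chunked takes precedence over Content-Length,
but an endpoint that honours Content-Length sees a different body and a
different "next request" on the same stream. interpret() yields every
plausible reading rather than silently picking one.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Interpretation:
    framing: str        # "chunked", "content-length" or "none"
    body: bytes         # the body as this reading sees it
    remainder: bytes    # bytes left on the stream after this request
    flags: List[str]    # anomalies noticed while parsing (shared by all readings)


def split_head(raw: bytes) -> Tuple[bytes, bytes]:
    """Split at the first empty line; raise if the head is incomplete."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    return head, rest


def parse_headers(head: bytes) -> List[Tuple[str, str]]:
    """Return lower-cased (name, value) pairs; the request line is skipped."""
    pairs = []
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        pairs.append((name.strip().lower().decode("latin-1"),
                      value.strip().decode("latin-1")))
    return pairs


def dechunk(data: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body; return (body, remainder) or raise ValueError."""
    body, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(data[pos:eol].split(b";", 1)[0].strip(), 16)  # ignore extensions
        pos = eol + 2
        if size == 0:
            # last-chunk: skip optional trailer lines up to the empty line
            while True:
                eol = data.find(b"\r\n", pos)
                if eol < 0:
                    raise ValueError("truncated trailer section")
                line, pos = data[pos:eol], eol + 2
                if line == b"":
                    return bytes(body), data[pos:]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        body += data[pos:pos + size]
        pos += size + 2


def interpret(raw: bytes) -> List[Interpretation]:
    """Return every plausible reading of the request body (the "fork")."""
    head, rest = split_head(raw)
    headers = parse_headers(head)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    chunked = any("chunked" in v.lower() for v in te)
    flags: List[str] = []                    # one list, shared by every reading
    if chunked and cl:
        flags.append("TE_AND_CL")            # the ambiguity this example is about
    if len(set(cl)) > 1:
        flags.append("CL_CONFLICT")
    readings: List[Interpretation] = []
    if chunked:
        try:
            body, rem = dechunk(rest)
            readings.append(Interpretation("chunked", body, rem, flags))
        except ValueError as exc:
            flags.append("CHUNKED_MALFORMED:" + str(exc))
    for value in sorted(set(cl)):            # one reading per distinct length
        if not value.isdigit():
            flags.append("CL_INVALID")
            continue
        n = int(value)
        if len(rest) < n:
            flags.append("CL_BODY_SHORT")    # a real parser would wait for more data
        readings.append(Interpretation("content-length", rest[:n], rest[n:], flags))
    if not readings:
        readings.append(Interpretation("none", b"", rest, flags))
    return readings


def inspect(raw: bytes, needle: bytes, fork: bool = True) -> Tuple[List[str], List[str]]:
    """Run a trivial content rule over the body and return (matching framings, flags).

    fork=False commits to the first reading only (chunked, when it decoded),
    i.e. option 1: pick one interpretation and raise flags. fork=True is option 3.
    """
    readings = interpret(raw)
    if not fork:
        readings = readings[:1]
    return [r.framing for r in readings if needle in r.body], readings[0].flags


# Constructed request: the chunked reading yields the body b"evil", while an
# endpoint trusting Content-Length: 5 sees b"2\r\nev" and treats the rest of the
# stream as the next request. The needle never appears contiguously in the raw
# bytes, so a flat search over the stream misses it.
SAMPLE = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"2\r\nev\r\n"
    b"2\r\nil\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    for r in interpret(SAMPLE):
        print(r.framing, r.body, r.remainder, r.flags)
    print(inspect(SAMPLE, b"evil"))
```

The cost point from the message shows up directly: a well-formed request (only one of the two headers, chunks decode cleanly) produces a single reading and no extra work; only the malformed or ambiguous request pays for the second body and the second rule pass.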