[Oisf-devel] http evasion research

Peter Manev petermanev at gmail.com
Thu Jun 13 15:00:42 UTC 2013


On Thu, Jun 13, 2013 at 4:34 PM, Ivan Ristic <ivan.ristic at gmail.com> wrote:
>> ...
>>
>> BTW - What do you think about "per browser inspection", like we do now
>> on a per "OS type" stream reassembly? I am guessing it would be
>> really cool but almost impossible to implement?
>
> It would certainly be cool. I don't see anything complicated in the
> implementation, although there's non-trivial work involved to refactor
> LibHTP to enable it to "fork" a stream whenever more than one decision
> is possible.
>
> And, of course, the inspection cost would rise. On the positive side,
> the costs would apply only to malformed traffic, which is presumably
> rare in real life, and occurs only when attacks take place.
>
>

Ok, sounds very good. How much work would be needed actually? I mean there
are 5 major browsers, then I guess we have to keep up with their updates
and the way they handle things?

-- 
Regards,
Peter Manev