[Oisf-devel] http evasion research

Ivan Ristic ivan.ristic at gmail.com
Fri Jun 14 12:34:45 UTC 2013


On Thu, Jun 13, 2013 at 4:00 PM, Peter Manev <petermanev at gmail.com> wrote:
>
>
> On Thu, Jun 13, 2013 at 4:34 PM, Ivan Ristic <ivan.ristic at gmail.com> wrote:
>>> ...
>>>
>>> BTW - What do you think of "per browser inspection", like we do now
>>> on a per "OS type" stream reassembly? I am guessing it would be
>>> really cool but almost impossible to implement?
>>
>> It would certainly be cool. I don't see anything complicated in the
>> implementation, although there's non-trivial work involved to refactor
>> LibHTP to enable it to "fork" a stream whenever more than one decision
>> is possible.
>>
>> And, of course, the inspection cost would rise. On the positive side,
>> the costs would apply only to malformed traffic, which is presumably
>> rare in real life, and occurs only when attacks take place.
>>
>>
>
> Ok, sounds very good. How much work would be needed actually? I mean there
> are 5 major browsers, then I guess we have to keep up with their updates and
> the way they handle things?

That, and then work out a way to handle all the situations in the
code. It's likely to be a lot of work overall when the test cases and
the research are taken into account. And it's entirely open-ended.

We should first explore what we can do without multiple interpretations.



> --
> Regards,
> Peter Manev



-- 
Ivan Ristić
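The "fork a stream whenever more than one decision is possible" idea above, as an added example that is not part of the thread and not LibHTP code. It keeps a single shared parse while every header line is unambiguous and only forks into one path per consumer profile at the first line where the profiles would disagree, so well-formed traffic is parsed once and the extra inspection cost is paid only on malformed input. The two profiles ("strict", "lenient") and the decision rule (whitespace between a field name and its colon) are assumptions made for the example, not measured behaviour of any real browser; the sample requests are constructed.

```python
"""Toy 'forking' header parser, modelling the LibHTP idea from the thread.

Added example, not LibHTP code. One shared parse while every line is
unambiguous; fork into one path per consumer profile only at the first line
where the (hypothetical) profiles disagree. Well-formed traffic is parsed
exactly once, so the extra cost is paid only on malformed input.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical consumer profiles. The disagreement rule below is an assumption
# made for this example, not measured behaviour of any real browser.
PROFILES = ("strict", "lenient")


@dataclass
class Interpretation:
    profile: Optional[str]                     # None until a fork was needed
    headers: Dict[str, str] = field(default_factory=dict)


def _decision_needed(line: str) -> bool:
    """Hypothetical decision point: whitespace between field name and colon."""
    name, sep, _ = line.partition(":")
    return bool(sep) and name != name.rstrip()


def _apply(interp: Interpretation, line: str) -> None:
    """Add one header line to an interpretation under its profile's rules."""
    name, sep, value = line.partition(":")
    if not sep:
        return                                 # no colon: all profiles drop the line
    if name != name.rstrip():
        if interp.profile == "strict":
            return                             # assumed: strict drops the malformed field
        name = name.rstrip()                   # assumed: lenient repairs it
    interp.headers[name.strip().lower()] = value.strip()


def parse_headers(raw: str) -> Tuple[List[Interpretation], int]:
    """Return (interpretations, decision_points) for one request header block."""
    lines = raw.split("\r\n")[1:]              # skip the request line
    paths = [Interpretation(profile=None)]
    decisions = 0
    for line in lines:
        if line == "":
            break                              # blank line ends the header block
        if _decision_needed(line):
            decisions += 1
            if paths[0].profile is None:       # first fork: clone shared state per profile
                shared = paths[0]
                paths = [Interpretation(p, dict(shared.headers)) for p in PROFILES]
        for path in paths:
            _apply(path, line)
    return paths, decisions


def inspect(raw: str) -> dict:
    """Inspection summary: paths needed, and whether they disagree (an alert condition)."""
    paths, decisions = parse_headers(raw)
    views = {p.profile: p.headers for p in paths}
    distinct = {tuple(sorted(h.items())) for h in views.values()}
    return {
        "interpretations": len(paths),
        "decision_points": decisions,
        "disagree": len(distinct) > 1,
        "views": views,
    }


# Constructed sample input (not captured traffic).
CLEAN = "GET / HTTP/1.1\r\nHost: example.test\r\nX-Marker: 1\r\n\r\n"
MALFORMED = "GET / HTTP/1.1\r\nHost: example.test\r\nX-Marker : 1\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("malformed", MALFORMED)):
        print(label, inspect(req))
```

The clean request yields one interpretation and zero decision points; the malformed one yields two interpretations whose header views differ, which is the condition an inspector would raise an alert on, since the message means different things to different consumers.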