[Oisf-devel] http evasion research

Victor Julien victor at inliniac.net
Fri Jun 14 12:47:35 UTC 2013


On 06/14/2013 02:34 PM, Ivan Ristic wrote:
> On Thu, Jun 13, 2013 at 4:00 PM, Peter Manev <petermanev at gmail.com> wrote:
>>
>>
>> On Thu, Jun 13, 2013 at 4:34 PM, Ivan Ristic <ivan.ristic at gmail.com> wrote:
>>>> ...
>>>>
>>>> BTW - What do you think of "per browser inspection", like we do now
>>>> on a per "OS type" stream reassembly? I am guessing it would be
>>>> really cool but almost impossible to implement?
>>>
>>> It would certainly be cool. I don't see anything complicated in the
>>> implementation, although there's non-trivial work involved to refactor
>>> LibHTP to enable it to "fork" a stream whenever more than one decision
>>> is possible.
>>>
>>> And, of course, the inspection cost would rise. On the positive side,
>>> the costs would apply only to malformed traffic, which is presumably
>>> rare in real life, and occurs only when attacks take place.
>>>
>>>
>>
>> Ok, sounds very good. How much work would be needed actually? I mean there
>> are 5 major browsers, then I guess we have to keep up with their updates and
>> the way they handle things?
> 
> That, and then work out a way to handle all the situations in the
> code. It's likely to be a lot of work overall when the test cases and
> the research is taken into account. And it's entirely open-ended.
> 
> We should first explore what we can do without multiple interpretations.

Yeah, I'm not in favor of multiple parallel interpretations. There are
too many possible branches in such an approach.

It may be good enough to trust the user agent value. It can be spoofed,
but then conflicting behavior could lead to warnings/errors.

Anyhow, stuff to worry about later.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
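The two designs discussed above (Ivan's "fork a stream whenever more than one decision is possible" versus Victor's "trust the user agent value and warn on conflicts") can be contrasted in a few dozen lines. The following is an added example written for this page; it is not LibHTP or Suricata code. The only ambiguity it models is a response header repeated with conflicting values (Content-Length here), and the browser resolution profiles, the User-Agent mapping and the sample request/response are constructed assumptions, not measured behaviour of any real browser.

```python
"""
Added illustration, not LibHTP/Suricata code: two strategies for an HTTP
response that admits more than one parse.

  fork:    keep every interpretation and inspect all of them; the number
           of interpretations multiplies with each decision point.
  profile: use the request's User-Agent to pick the interpretation the
           claimed client would make, and record a warning whenever a
           decision had to be taken.

Browser profiles and the UA mapping are ASSUMED for the example.
"""
from itertools import product

CRLF = b"\r\n"


def split_message(raw: bytes):
    """Split a raw HTTP/1.x message into (start line, ordered header list, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def group_headers(headers):
    """Map each header name to the list of values seen, in wire order."""
    grouped = {}
    for name, value in headers:
        grouped.setdefault(name, []).append(value)
    return grouped


def decision_points(grouped):
    """A header repeated with differing values is one decision point; each
    distinct value (first-seen order) is one branch of that decision."""
    points = []
    for name, values in grouped.items():
        distinct = list(dict.fromkeys(values))
        if len(distinct) > 1:
            points.append((name, distinct))
    return points


def body_for(resolved, body):
    """Delimit the body with the resolved Content-Length (the only header this
    toy model acts on); a missing or malformed value yields an empty body."""
    try:
        n = int(resolved.get(b"content-length", b"0"))
    except ValueError:
        n = 0
    return body[:n] if n > 0 else b""


def fork_interpretations(response: bytes):
    """Strategy 1: the body under every combination of branch choices.
    With k decision points of b_1..b_k branches this yields b_1*...*b_k bodies."""
    _, headers, body = split_message(response)
    grouped = group_headers(headers)
    points = decision_points(grouped)
    bodies = []
    for choice in product(*[branches for _, branches in points]):
        resolved = {name: values[-1] for name, values in grouped.items()}
        for (name, _), value in zip(points, choice):
            resolved[name] = value
        bodies.append(body_for(resolved, body))
    return bodies


# Hypothetical resolution rules and User-Agent mapping (assumed, not real).
PROFILES = {
    "first": lambda branches: branches[0],
    "last": lambda branches: branches[-1],
    "reject": lambda branches: None,  # client refuses such a message
}
UA_PROFILE = {
    b"ExampleBrowserA": "first",
    b"ExampleBrowserB": "last",
}


def inspect_with_profile(request: bytes, response: bytes, default="reject"):
    """Strategy 2: resolve each decision point as the claimed client would.
    Returns (body or None if rejected, list of warnings)."""
    _, req_headers, _ = split_message(request)
    ua = group_headers(req_headers).get(b"user-agent", [b""])[0]
    profile = next((p for prefix, p in UA_PROFILE.items()
                    if ua.startswith(prefix)), None)
    warnings = []
    if profile is None:
        profile = default
        warnings.append("unknown User-Agent, using default profile %r" % default)
    _, headers, body = split_message(response)
    grouped = group_headers(headers)
    resolved = {name: values[-1] for name, values in grouped.items()}
    for name, branches in decision_points(grouped):
        chosen = PROFILES[profile](branches)
        warnings.append("%s repeated with %d conflicting values; profile %r %s"
                        % (name.decode(), len(branches), profile,
                           "rejects the message" if chosen is None
                           else "chose %r" % chosen))
        if chosen is None:
            return None, warnings
        resolved[name] = chosen
    return body_for(resolved, body), warnings


SIGNATURE = b"<script>"  # stand-in for a content rule


def matches(body):
    return body is not None and SIGNATURE in body


# Constructed sample traffic: two Content-Length values, so a client honouring
# the first sees only "hello" and one honouring the last sees the whole body.
REQUEST = (b"GET / HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"User-Agent: ExampleBrowserA/1.0\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Length: 5\r\n"
            b"Content-Length: 14\r\n"
            b"\r\n"
            b"hello<script>x")

if __name__ == "__main__":
    forked = fork_interpretations(RESPONSE)
    print("fork: %d interpretations, alert=%s" % (len(forked), any(map(matches, forked))))
    body, warns = inspect_with_profile(REQUEST, RESPONSE)
    print("profile: alert=%s warnings=%s" % (matches(body), warns))
```

The fork path alerts because one of its two interpretations contains the signature, at the price of inspecting every branch; adding a second conflicting header to the sample response already doubles the branch count. The profile path inspects a single body chosen by the claimed client, so a spoofed or unknown User-Agent can steer the result, which is why the example always records a warning when a decision point was hit, mirroring the "conflicting behavior could lead to warnings/errors" idea from the message.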