[Bro-Dev] [JIRA] (BIT-1431) Loss of information due to analyzer capitalization changes

Vern Paxson (JIRA) jira at bro-tracker.atlassian.net
Wed Jul 8 10:42:00 PDT 2015


    [ https://bro-tracker.atlassian.net/browse/BIT-1431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21200#comment-21200 ] 

Vern Paxson commented on BIT-1431:
----------------------------------

This can break in a nasty way.  The original reason for making the casing uniform was (1) semantically, it shouldn't matter, but (2) without doing so, it's easy to have analysis holes like *if ( domain == "badguy.com" ) ... * then an attacker can just send "badGuy.com" and the test will fail.  The same holds for grep'ing through log files and missing stuff just due to casing mismatches.

What's the scenario where you're concerned about the lost casing information?

If it's compelling, then I'd want to consider an interface that provides both the "name" (which in fact is downcased) and the "raw_name" (say) which has the original casing.

> Loss of information due to analyzer capitalization changes
> ----------------------------------------------------------
>
>                 Key: BIT-1431
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1431
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.5
>            Reporter: Seth Hall
>
> Currently some of Bro's analyzers are changing the case of data before passing it along to events, which is a fairly dramatic loss of information in some cases.
> The two known examples right now are the query in DNS (lowercased) and the header field name in HTTP (uppercased).  The question is if we should brute force change these to stop modifying the original values and have people fix any scripts that it breaks (watching for header value names is the biggie here) or if we should use some alternate mechanism to allow the existing behavior to have a sundown time period.
> I say we should just break it since the quantity of existing scripts in the world is still fairly small and the number of scripts that it affects is even less (many scripts won't be affected at all).
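To make the trade-off in this thread concrete, here is an added example (not Bro's code, and not from either commenter) that models the interface Vern suggests: each analyzer hands events both a case-folded `name` for matching and a `raw_name` with the original casing for logging. The `AnalyzedName` type, the `raw_name` field and the helper functions are assumptions for illustration; the DNS-lowercases / HTTP-uppercases behaviour is the one the issue describes.

```python
"""Model of a dual name / raw_name analyzer interface (hypothetical, not Bro's API)."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class AnalyzedName:
    """What an analyzer could deliver to an event handler."""
    name: str       # case-folded form, for matching (what Bro passes today)
    raw_name: str   # original casing off the wire (hypothetical extra field)


def dns_query(wire_qname: str) -> AnalyzedName:
    # DNS names are case-insensitive, and Bro's DNS analyzer lowercases the query.
    return AnalyzedName(name=wire_qname.lower(), raw_name=wire_qname)


def http_header(wire_field: str) -> AnalyzedName:
    # HTTP field names are case-insensitive; Bro's HTTP analyzer uppercases them.
    return AnalyzedName(name=wire_field.upper(), raw_name=wire_field)


# Constructed watch list for the example.
BAD_DOMAINS = {"badguy.com"}


def naive_match(query: AnalyzedName) -> bool:
    """The analysis hole Vern describes: an exact compare on the raw value
    is defeated by sending 'badGuy.com' instead of 'badguy.com'."""
    return query.raw_name in BAD_DOMAINS


def robust_match(query: AnalyzedName) -> bool:
    """Match on the case-folded name; the raw form is still kept for the log."""
    return query.name in BAD_DOMAINS


def log_record(query: AnalyzedName) -> dict:
    """A log entry that loses no information: both forms are written out."""
    return {"query": query.name, "raw_query": query.raw_name}


def search_log(lines: Iterable[str], needle: str) -> List[str]:
    """Case-insensitive log search, so a grep does not miss mixed-case entries."""
    folded = needle.casefold()
    return [line for line in lines if folded in line.casefold()]
```

Matching on `name` closes the casing hole, while `raw_name` preserves the wire form that the issue reporter does not want thrown away.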


