[Bro-Dev] [JIRA] (BIT-1431) Loss of information due to analyzer capitalization changes

Vern Paxson (JIRA) jira at bro-tracker.atlassian.net
Wed Jul 8 10:52:00 PDT 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-1431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21202#comment-21202 ] 

Vern Paxson commented on BIT-1431:

Okay, I see the use-case in my email backlog now, base64 exfiltration.  I agree it's a reasonable analysis target; but per the above, I think just getting rid of the downcased version will introduce more trouble than enabling stuff like this offsets.  So that argues for providing both, similar to some of the other interfaces that provide both escaped and unescaped versions.

> Loss of information due to analyzer capitalization changes
> ----------------------------------------------------------
>                 Key: BIT-1431
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1431
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.5
>            Reporter: Seth Hall
> Currently some of Bro's analyzers are changing the case of data before passing it along to events which is fairly dramatic loss of information in some cases.
> The two known examples right now are the query in DNS (lowercased) and the header field name in HTTP (uppercased).  The question is if we should brute force change these to stop modifying the original values and have people fix any scripts that it breaks (watching for header value names is the biggie here) or if we should use some alternate mechanism to allow the existing behavior to have a sundown time period.
> I say we should just break it since the quantity of existing scripts in the world is still fairly small and the number of scripts that it affects is even less (many scripts won't be affected at all).

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list