[Bro-Dev] [JIRA] (BIT-1431) Loss of information due to analyzer capitalization changes

Justin Azoff (JIRA) jira at bro-tracker.atlassian.net
Mon Jul 27 07:18:00 PDT 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-1431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21409#comment-21409 ] 

Justin Azoff commented on BIT-1431:

Here's another simple use-case (that I remember from an IRC discussion).

Someone runs a http service and is trying to identify certain clients.  A bad actor is spoofing a valid user agent, but a capture shows they are sending "user-Agent:" vs. "User-Agent:" in the http header.  Since bro normalizes the header, it is not possible to identify this client.

> Loss of information due to analyzer capitalization changes
> ----------------------------------------------------------
>                 Key: BIT-1431
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1431
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.5
>            Reporter: Seth Hall
> Currently some of Bro's analyzers are changing the case of data before passing it along to events which is fairly dramatic loss of information in some cases.
> The two known examples right now are the query in DNS (lowercased) and the header field name in HTTP (uppercased).  The question is if we should brute force change these to stop modifying the original values and have people fix any scripts that it breaks (watching for header value names is the biggie here) or if we should use some alternate mechanism to allow the existing behavior to have a sundown time period.
> I say we should just break it since the quantity of existing scripts in the world is still fairly small and the number of scripts that it affects is even less (many scripts won't be affected at all).

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list