[
https://issues.apache.org/jira/browse/METRON-984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16037230#comment-16037230
]
Jon Zeolla commented on METRON-984:
-----------------------------------
RE: the per-decoding function, that's fine. I was thinking that it would just
be easier to make a single function with multiple options for readability (or
if you wanted to make the decode method param optional and by default just
cycle through common methods in the future).
I think it would be more useful to replace the encoded data with the decoded
data, to make threat triage and modeling more simple in the future. Obviously
the encoded data would still be retained in the orig data field, if necessary.
Thoughts?
> Create Stellar Decoding Functions
> ---------------------------------
>
> Key: METRON-984
> URL: https://issues.apache.org/jira/browse/METRON-984
> Project: Metron
> Issue Type: Improvement
> Reporter: Jon Zeolla
> Assignee: Otto Fowler
>
> It is rather commonplace for malicious actors to obfuscate exploits or data
> transfers using encoding. In order to identify and prioritize responses to
> (or automatically mitigate) those attacks during threat triage we should have
> a method for decoding in Stellar. Some initial thoughts would be to handle
> percent/URL encoding, base64, base32, base16/hex, HTML encoding, etc.
> I would expect that something like DECODE(something, encoding_type,
> optional_failure_mode) would return the contents of field "something" after
> attempting to decode it via "encoding_type". If decoding fails,
> optional_failure_mode would indicate whether or not to fail the message and
> send it to the error topology, or to simply return the contents of the
> original field "something" (in this example).
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
