[ https://issues.apache.org/jira/browse/METRON-984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16037495#comment-16037495 ]
Jon Zeolla commented on METRON-984:
-----------------------------------
Per our discussion, I think we landed on the following two functions (please
correct me if I'm wrong):
IS_ENCODED(field, encoding_method)
DECODE(field, [encoding_method1,2,...], optional_failure_mode)
optional_failure_mode is an optional field that defaults to something like
softfail
Example use:
(1) Simply check to see if a field is already encoded, and decode if necessary.
if IS_ENCODED(field,BASE16) DECODE(field, BASE16)
(2) We know bad hosts x.x.x.x and y.y.y.y encode via BASE16 or BASE64 when the
URI is /dropthebomb.php, so we want to decode it.
if (ip_src_addr in [ 'x.x.x.x', 'y.y.y.y'] and uri_field == '/dropthebomb.php')
DECODE(field, [BASE16,BASE64], softfail)
In this scenario, DECODE() would attempt to decode field as BASE16, but if it
is not encoded as BASE16, it attempts BASE64, and finally soft fails by adding
a field to the message indicating the failed decode and passing it on (i.e. the
field contains a character not allowed in BASE64 encoding). An alternative
would be hardfail, where it drops the message into the error topology.
> Create Stellar Decoding Functions
> ---------------------------------
>
> Key: METRON-984
> URL: https://issues.apache.org/jira/browse/METRON-984
> Project: Metron
> Issue Type: Improvement
> Reporter: Jon Zeolla
> Assignee: Otto Fowler
>
> It is rather commonplace for malicious actors to obfuscate exploits or data
> transfers using encoding. In order to identify and prioritize responses to
> (or automatically mitigate) those attacks during threat triage we should have
> a method for decoding in Stellar. Some initial thoughts would be to handle
> percent/URL encoding, base64, base32, base16/hex, HTML encoding, etc.
> I would expect that something like DECODE(something, encoding_type,
> optional_failure_mode) would return the contents of field "something" after
> attempting to decode it via "encoding_type". If decoding fails,
> optional_failure_mode would indicate whether or not to fail the message and
> send it to the error topology, or to simply return the contents of the
> original field "something" (in this example).
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
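As an added worked example (not Metron or Stellar code), the following Python models the IS_ENCODED/DECODE semantics and the softfail/hardfail behaviour described in the comment above, with the comment's example (2) as a conditional wrapper. The marker field names, the HardFail exception standing in for the error topology, and the "field" key are assumptions.

```python
import base64
import binascii

# Constructed model of the proposed IS_ENCODED/DECODE semantics; not Metron code.
# Decoders keyed by the encoding names used in the discussion.
_DECODERS = {
    "BASE16": lambda s: base64.b16decode(s, casefold=True),
    "BASE64": lambda s: base64.b64decode(s, validate=True),
}

SUSPECT_HOSTS = {"x.x.x.x", "y.y.y.y"}  # placeholder addresses from the comment


class HardFail(Exception):
    """Stands in for dropping the message into the error topology."""


def is_encoded(value, encoding):
    """IS_ENCODED(field, encoding_method): syntactic check only, as in the
    comment (a character outside the alphabet, or bad padding, means 'not encoded')."""
    if not value:
        return False
    try:
        _DECODERS[encoding](value)
        return True
    except binascii.Error:
        return False


def decode(message, field, encodings, failure_mode="softfail"):
    """DECODE(field, [encodings...], failure_mode) applied to one message dict.
    Encodings are tried in order; the first that validates wins, so BASE16 should
    precede BASE64 (hex digits are all inside the base64 alphabet)."""
    value = message[field]
    for enc in encodings:
        if is_encoded(value, enc):
            out = dict(message)
            out[field] = _DECODERS[enc](value).decode("utf-8", errors="replace")
            out[field + "_decoded_with"] = enc  # marker field name is an assumption
            return out
    if failure_mode == "hardfail":
        raise HardFail(f"{field} not decodable as any of {encodings}")
    out = dict(message)  # softfail: pass the message on, record the failed decode
    out[field + "_decode_failed"] = ",".join(encodings)  # marker name is an assumption
    return out


def decode_if_suspect(message):
    """Example (2) from the comment: decode only for the known bad hosts and URI."""
    if message.get("ip_src_addr") in SUSPECT_HOSTS and message.get("uri_field") == "/dropthebomb.php":
        return decode(message, "field", ["BASE16", "BASE64"], "softfail")
    return message
```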