[
https://issues.apache.org/jira/browse/METRON-984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16037495#comment-16037495
]
Jon Zeolla edited comment on METRON-984 at 6/5/17 8:12 PM:
-----------------------------------------------------------
Per our discussion, I think we landed on the following two functions (please
correct me if I'm wrong):
IS_ENCODED(field, encoding_method)
DECODE(field, [encoding_method1,2,...], optional_failure_mode)
optional_failure_mode is an optional field that defaults to something like
softfail
Example use:
(1) Simply check to see if a field is already encoded, and decode if necessary.
if IS_ENCODED(field,BASE16) DECODE(field, BASE16)
(2) We know bad hosts x.x.x.x and y.y.y.y encode via BASE16 or BASE64 when the
URI is /dropthebomb.php, so we want to decode it.
if (ip_src_addr in [ 'x.x.x.x', 'y.y.y.y'] and uri_field == '/dropthebomb.php')
DECODE(field, [BASE16,BASE64], softfail)
In this scenario, DECODE() would attempt to decode field as BASE16, but if it
is not encoded as BASE16, it attempts BASE64, and finally if it is again not
encoded as BASE64 it soft fails by adding a field to the message indicating the
failed decode and passing it on (i.e. the field contains a character not
allowed in BASE64 encoding). An alternative would be hardfail, where it drops
the message into the error topology.
was (Author: [email protected]):
Per our discussion, I think we landed on the following two functions (please
correct me if I'm wrong):
IS_ENCODED(field, encoding_method)
DECODE(field, [encoding_method1,2,...], optional_failure_mode)
optional_failure_mode is an optional field that defaults to something like
softfail
Example use:
(1) Simply check to see if a field is already encoded, and decode if necessary.
if IS_ENCODED(field,BASE16) DECODE(field, BASE16)
(2) We know bad hosts x.x.x.x and y.y.y.y encode via BASE16 or BASE64 when the
URI is /dropthebomb.php, so we want to decode it.
if (ip_src_addr in [ 'x.x.x.x', 'y.y.y.y'] and uri_field == '/dropthebomb.php')
DECODE(field, [BASE16,BASE64], softfail)
In this scenario, DECODE() would attempt to decode field as BASE16, but if it
is not encoded as BASE16, it attempts BASE64, and finally soft fails by adding
a field to the message indicating the failed decode and passing it on (i.e. the
field contains a character not allowed in BASE64 encoding). An alternative
would be hardfail, where it drops the message into the error topology.
> Create Stellar Decoding Functions
> ---------------------------------
>
> Key: METRON-984
> URL: https://issues.apache.org/jira/browse/METRON-984
> Project: Metron
> Issue Type: Improvement
> Reporter: Jon Zeolla
> Assignee: Otto Fowler
>
> It is rather commonplace for malicious actors to obfuscate exploits or data
> transfers using encoding. In order to identify and prioritize responses to
> (or automatically mitigate) those attacks during threat triage we should have
> a method for decoding in Stellar. Some initial thoughts would be to handle
> percent/URL encoding, base64, base32, base16/hex, HTML encoding, etc.
> I would expect that something like DECODE(something, encoding_type,
> optional_failure_mode) would return the contents of field "something" after
> attempting to decode it via "encoding_type". If decoding fails,
> optional_failure_mode would indicate whether or not to fail the message and
> send it to the error topology, or to simply return the contents of the
> original field "something" (in this example).
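The following is an added worked example, not code from the Metron project (Stellar functions are implemented in Java in the Metron tree; this is a Python model written for this page). It covers both the DECODE(something, encoding_type, optional_failure_mode) shape from the issue description and the ordered list of encodings with softfail/hardfail from the comment above. The decoder set, the "<field>.decode_error" field written on softfail, the HardFail exception standing in for the error topology, and the sample messages are all assumptions made for the example.

```python
"""Model of the IS_ENCODED / DECODE functions proposed in METRON-984.

Added example, not Metron code. Assumed details: the softfail marker field
"<field>.decode_error", HardFail standing in for the error topology, and
the heuristics used for URL and HTML "is encoded" checks.
"""
import base64
import html
import re
import urllib.parse


class HardFail(Exception):
    """Stand-in for dropping the message into the error topology."""


def _base16(value):
    # Strict alphabet and even length; bytes.fromhex alone would also accept whitespace.
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        raise ValueError("not BASE16")
    return bytes.fromhex(value).decode("utf-8")


def _base32(value):
    if not re.fullmatch(r"[A-Z2-7]+={0,6}", value) or len(value) % 8:
        raise ValueError("not BASE32")
    return base64.b32decode(value).decode("utf-8")


def _base64(value):
    # Alphabet, padding and length are checked before decoding, so a stray
    # character (the softfail case in the ticket) is rejected here, and a
    # hex string whose length is not a multiple of 4 cannot pass as BASE64.
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) or len(value) % 4:
        raise ValueError("not BASE64")
    return base64.b64decode(value, validate=True).decode("utf-8")


def _url(value):
    # Percent-encoding has no alphabet to validate; treat "no %XX escape" as
    # "not encoded" so the next method in the list gets its turn.
    if not re.search(r"%[0-9A-Fa-f]{2}", value):
        raise ValueError("no percent escapes")
    return urllib.parse.unquote(value, errors="strict")


def _html(value):
    if not re.search(r"&(?:#\d+|#x[0-9A-Fa-f]+|[A-Za-z]+);", value):
        raise ValueError("no HTML entities")
    return html.unescape(value)


DECODERS = {"BASE16": _base16, "BASE32": _base32, "BASE64": _base64,
            "URL": _url, "HTML": _html}


def is_encoded(value, method):
    """IS_ENCODED(field, encoding_method): True if value decodes cleanly as method."""
    try:
        DECODERS[method](value)
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return False
    return True


def decode(message, field, methods, failure_mode="softfail"):
    """DECODE(field, [method1, method2, ...], failure_mode) over a message dict.

    Methods are tried in order and the first that succeeds wins. If none does,
    softfail passes the message on with an extra field recording the failure;
    hardfail raises HardFail (the error topology in Metron).
    """
    value = message[field]
    for method in methods:
        try:
            return {**message, field: DECODERS[method](value)}
        except ValueError:
            continue
    if failure_mode == "hardfail":
        raise HardFail(f"{field!r} is not encoded as any of {methods}")
    return {**message, f"{field}.decode_error": "not " + "/".join(methods)}


if __name__ == "__main__":
    # Constructed sample messages shaped like the ticket's second example.
    messages = [
        {"ip_src_addr": "x.x.x.x", "uri_field": "/dropthebomb.php",
         "field": "2f6574632f706173737764"},   # BASE16 of "/etc/passwd"
        {"ip_src_addr": "y.y.y.y", "uri_field": "/dropthebomb.php",
         "field": "L2V0Yy9wYXNzd2Q="},         # BASE64 of "/etc/passwd"
        {"ip_src_addr": "y.y.y.y", "uri_field": "/dropthebomb.php",
         "field": "L2V0Yy9w!!!"},              # '!' is not in the BASE64 alphabet
    ]
    for m in messages:
        if m["ip_src_addr"] in ("x.x.x.x", "y.y.y.y") and m["uri_field"] == "/dropthebomb.php":
            print(decode(m, "field", ["BASE16", "BASE64"]))
```

Two points worth keeping in mind when this is implemented for real: the order of the list matters, because every hex string is also made of BASE64 alphabet characters, so BASE16 should come before BASE64 and each decoder should validate length and padding strictly rather than relying on a lenient library default; and requiring the decoded bytes to be valid UTF-8 (as above) is what turns "it happened to decode" into "it is encoded", otherwise IS_ENCODED will answer true for random data far more often than an analyst expects.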
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)