[ https://issues.apache.org/jira/browse/METRON-984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16037563#comment-16037563 ]
Jon Zeolla commented on METRON-984:
-----------------------------------
My assumption is that you can test to see if it's possible to decode something
via BASE16 because it would be impossible for the field to contain anything
other than 0-9, A-F (similar but different for other encoding schemes. For
instance, HTML encoding can't include <). It is somewhat redundant with
IS_ENCODED, but I think it's worth building this way, because IS_ENCODED could
be used a different way such as - if IS_ENCODED() (DECODE() and XYZ()).

I'm fine with removing the chained attempts from the initial implementation
(the [BASE16, BASE64, ...]), but I still think that we shouldn't attempt to
DECODE(x, BASE16) something if x is obviously not encoded with BASE16,
regardless of if the user checked IS_ENCODED.

> Create Stellar Decoding Functions
> ---------------------------------
>
> Key: METRON-984
> URL: https://issues.apache.org/jira/browse/METRON-984
> Project: Metron
> Issue Type: Improvement
> Reporter: Jon Zeolla
> Assignee: Otto Fowler
>
> It is rather commonplace for malicious actors to obfuscate exploits or data
> transfers using encoding. In order to identify and prioritize responses to
> (or automatically mitigate) those attacks during threat triage we should have
> a method for decoding in Stellar. Some initial thoughts would be to handle
> percent/URL encoding, base64, base32, base16/hex, HTML encoding, etc.
>
> I would expect that something like DECODE(something, encoding_type,
> optional_failure_mode) would return the contents of field "something" after
> attempting to decode it via "encoding_type". If decoding fails,
> optional_failure_mode would indicate whether or not to fail the message and
> send it to the error topology, or to simply return the contents of the
> original field "something" (in this example).
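The behaviour discussed in this thread, sketched as an added example (not Metron's or Stellar's code): an alphabet and shape pre-check that runs before any decode attempt, and a decode step whose failure mode either returns the original field or raises. The names `could_be_encoded`, `decode`, `DecodeError` and `fail_on_error` are hypothetical, and accepting lower-case hex is an assumption.

```python
import base64
import binascii
import re

# Alphabet/shape per encoding_type. Lower-case hex is accepted as an assumption.
_B64 = r"[A-Za-z0-9+/]"
_B32 = r"[A-Z2-7]"
_SHAPE = {
    "BASE16": re.compile(r"(?:[0-9A-Fa-f]{2})+"),
    "BASE32": re.compile(
        rf"(?:{_B32}{{8}})*"
        rf"(?:{_B32}{{2}}={{6}}|{_B32}{{4}}={{4}}|{_B32}{{5}}={{3}}|{_B32}{{7}}=)?"),
    "BASE64": re.compile(rf"(?:{_B64}{{4}})*(?:{_B64}{{2}}==|{_B64}{{3}}=)?"),
}
_DECODERS = {
    "BASE16": lambda s: base64.b16decode(s, casefold=True),
    "BASE32": base64.b32decode,
    "BASE64": lambda s: base64.b64decode(s, validate=True),
}


class DecodeError(ValueError):
    """Stands in for failing the message and sending it to the error topology."""


def could_be_encoded(value, encoding):
    """Cheap pre-check: could `value` be `encoding` at all?

    Necessary, not sufficient: a plain word such as "cafe" passes the
    BASE16 and BASE64 checks even though nobody encoded it.
    """
    shape = _SHAPE.get(encoding)
    if shape is None:
        raise ValueError(f"unsupported encoding_type: {encoding}")
    return bool(value) and shape.fullmatch(value) is not None


def decode(value, encoding, fail_on_error=False):
    """Decode `value`; on failure return it unchanged or raise DecodeError."""
    if could_be_encoded(value, encoding):  # skip obviously non-matching input
        try:
            raw = _DECODERS[encoding](value)
            return raw.decode("utf-8", errors="replace")
        except (binascii.Error, ValueError):
            pass
    if fail_on_error:
        raise DecodeError(f"{value!r} is not valid {encoding}")
    return value
```

Because the pre-check only rules input out, a rule that acts on "decoded successfully" still needs a second signal (for example, that the output is printable or matches an expected pattern) before treating the field as obfuscated.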