[
https://bro-tracker.atlassian.net/browse/BIT-1431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21409#comment-21409
]
Justin Azoff commented on BIT-1431:
-----------------------------------
Here's another simple use-case (that I remember from an IRC discussion).
Someone runs an HTTP service and is trying to identify certain clients. A bad
actor is spoofing a valid user agent, but a capture shows they are sending
"user-Agent:" vs. "User-Agent:" in the HTTP header. Since Bro normalizes the
header, it is not possible to identify this client.
> Loss of information due to analyzer capitalization changes
> ----------------------------------------------------------
>
> Key: BIT-1431
> URL: https://bro-tracker.atlassian.net/browse/BIT-1431
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.5
> Reporter: Seth Hall
>
> Currently some of Bro's analyzers are changing the case of data before
> passing it along to events, which is a fairly dramatic loss of information in
> some cases.
> The two known examples right now are the query in DNS (lowercased) and the
> header field name in HTTP (uppercased). The question is if we should brute
> force change these to stop modifying the original values and have people fix
> any scripts that it breaks (watching for header value names is the biggie
> here) or if we should use some alternate mechanism to allow the existing
> behavior to have a sundown time period.
> I say we should just break it since the quantity of existing scripts in the
> world is still fairly small and the number of scripts that it affects is even
> smaller (many scripts won't be affected at all).
--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
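The two examples in the thread, the spoofed "user-Agent:" header and the lowercased DNS query, are both cases of the same thing: once an analyzer canonicalizes case, a script can no longer see how the client actually spelled the field. The following stand-alone Python code is an added illustration of that loss; it is not Bro code and does not use Bro's API. It parses a raw HTTP header block while keeping the original spelling of each name, shows what an uppercasing analyzer would expose instead, flags names whose spelling deviates from a small canonical table (the table and the two captured requests are constructed for this example), and does the same for the case pattern of a DNS query name, which a lowercasing analyzer would flatten.

```python
"""Added example for BIT-1431: how case normalization in an analyzer discards
a usable fingerprint. Constructed stand-alone code, not Bro's HTTP or DNS
analyzer; the canonical-header table and the sample requests are made up."""
from typing import Dict, List, Optional, Tuple

# Canonical spellings of a few header names (assumed table, constructed for this
# example). A client that spells a name with the same letters but different
# case is still a deviation worth recording.
CANONICAL: Dict[str, str] = {
    "user-agent": "User-Agent",
    "host": "Host",
    "accept": "Accept",
    "connection": "Connection",
    "content-length": "Content-Length",
}

Header = Tuple[str, str]


def parse_headers(raw: bytes) -> List[Header]:
    """Parse the header block of an HTTP/1.x request, preserving name case.

    Returns (name, value) pairs in wire order; the request line is skipped and
    parsing stops at the blank line that ends the header block."""
    lines = raw.decode("latin-1").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if line == "":
            break
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, _, value = line.partition(":")
        headers.append((name, value.strip()))
    return headers


def normalized_view(headers: List[Header]) -> List[Header]:
    """What an uppercasing analyzer (the HTTP behaviour described in the issue)
    hands to scripts: the original spelling of the name is gone."""
    return [(name.upper(), value) for name, value in headers]


def lookup(headers: List[Header], wanted: str) -> Optional[str]:
    """Case-insensitive lookup; this is how scripts should match header names,
    since HTTP header names are case-insensitive on the wire."""
    for name, value in headers:
        if name.lower() == wanted.lower():
            return value
    return None


def case_deviations(headers: List[Header]) -> List[Tuple[str, str]]:
    """Header names that differ from their canonical spelling only by case.
    Only computable on the un-normalized names."""
    out = []
    for name, _ in headers:
        canon = CANONICAL.get(name.lower())
        if canon is not None and name != canon:
            out.append((name, canon))
    return out


def dns_query_case_mask(qname: str) -> str:
    """Per-character case pattern of a DNS query name: 'U' upper, 'l' lower,
    '.' for label separators, '-' for anything else. A lowercasing analyzer
    turns every query into an all-'l' mask, so any case-based signal in the
    query name is lost before a script sees it."""
    mask = []
    for ch in qname:
        if ch == ".":
            mask.append(".")
        elif ch.isalpha():
            mask.append("U" if ch.isupper() else "l")
        else:
            mask.append("-")
    return "".join(mask)


# Two constructed captures: identical except for the spelling of User-Agent.
LEGIT = (b"GET / HTTP/1.1\r\n"
         b"Host: example.test\r\n"
         b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
         b"Accept: */*\r\n\r\n")
SPOOF = (b"GET / HTTP/1.1\r\n"
         b"Host: example.test\r\n"
         b"user-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
         b"Accept: */*\r\n\r\n")

if __name__ == "__main__":
    legit, spoof = parse_headers(LEGIT), parse_headers(SPOOF)
    print("same UA string:", lookup(legit, "user-agent") == lookup(spoof, "user-agent"))
    print("indistinguishable after uppercasing:",
          normalized_view(legit) == normalized_view(spoof))
    print("deviations on raw names:", case_deviations(spoof))
    print("DNS mask:", dns_query_case_mask("wWw.ExAmPlE.tEsT"),
          "vs lowercased:", dns_query_case_mask("wWw.ExAmPlE.tEsT".lower()))
```

Running the block prints that the two requests carry the same User-Agent value and are identical once the names are uppercased, while the raw names yield the deviation `("user-Agent", "User-Agent")` for the spoofed client only; the DNS mask shows the equivalent collapse for a mixed-case query name.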