Open AlyaGomaa opened 1 year ago
Try with many empty SSL conn captures and see the minimum number of bytes that we get from doing empty SSL conns.
OK, when detecting empty HTTP connections, we check if the request_body_len is 0 (contents of the Content-Length: header from the client).
In HTTPS, the headers are encrypted and there's no way (that I know of) to get the request_body_len to check for empty requests 😅
I tried adding a check for SSL orig_bytes == 0, but when doing wget https://google.com/ or curl https://google.com/, in the resulting conn.log flow, orig_bytes is never 0, I assume because of the TLS communications after the TCP handshake and before the actual connection starts!
Created by Sebastian Garcia via monday.com integration. 🎉
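One way to run the calibration proposed in the issue, as an added example that is not part of the original post or the project's code: it reads Zeek JSON conn.log lines from captures of known-empty SSL connections, takes the smallest and largest orig_bytes, and labels other SSL flows against that range. The function names and every log record are constructed for illustration, and the range is a heuristic because TLS handshake size varies between clients and servers.

```python
import json

# Constructed Zeek conn.log lines (JSON output). All byte counts are
# made-up sample values, not measurements.
EMPTY_CAPTURES = """\
{"uid":"Ca1","service":"ssl","orig_bytes":793,"resp_bytes":5120}
{"uid":"Ca2","service":"ssl","orig_bytes":681,"resp_bytes":4977}
{"uid":"Ca3","service":"ssl","orig_bytes":742,"resp_bytes":5033}
{"uid":"Ca4","service":"dns","orig_bytes":40,"resp_bytes":120}
{"uid":"Ca5","service":"ssl","resp_bytes":0}
"""
LIVE_TRAFFIC = """\
{"uid":"Cb1","service":"ssl","orig_bytes":702,"resp_bytes":4800}
{"uid":"Cb2","service":"ssl","orig_bytes":18344,"resp_bytes":910}
{"uid":"Cb3","service":"ssl","orig_bytes":0,"resp_bytes":0}
"""

def ssl_flows(log_text):
    """Yield (uid, orig_bytes) for SSL flows whose orig_bytes is set."""
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = json.loads(line)
        services = (rec.get("service") or "").split(",")
        if "ssl" in services and rec.get("orig_bytes") is not None:
            yield rec["uid"], int(rec["orig_bytes"])

def calibrate(log_text):
    """Return (min, max) orig_bytes seen across known-empty SSL captures."""
    sizes = [n for _, n in ssl_flows(log_text)]
    if not sizes:
        raise ValueError("no SSL flows with orig_bytes in calibration log")
    return min(sizes), max(sizes)

def classify(log_text, baseline):
    """Label each SSL flow relative to the calibrated empty-request range."""
    low, high = baseline
    labels = {}
    for uid, sent in ssl_flows(log_text):
        if sent < low:
            labels[uid] = "below-baseline"  # e.g. handshake never completed
        elif sent <= high:
            labels[uid] = "empty-like"
        else:
            labels[uid] = "has-payload"
    return labels

if __name__ == "__main__":
    baseline = calibrate(EMPTY_CAPTURES)
    print("baseline:", baseline)
    print(classify(LIVE_TRAFFIC, baseline))
```

Flows with an unset orig_bytes (Ca5 above) and non-SSL services are skipped, so they cannot drag the calibrated minimum down.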