Intrusion detection strategies for hypertext transport protocol
First Claim
1. A computer-implemented hypertext transport protocol inspection engine for decoding an obfuscated universal resource identifier in a communication packet transmitted in a packet network, for use with an intrusion detection system, comprising:
- a hypertext transport protocol policy selection component configured to identify a Web server hypertext transport protocol intrusion detection policy associated with a packet, responsive to the packet which is uninspected, so as to determine if the packet is moving to or from a Web server;
- a request universal resource identifier discovery component configured to locate a universal resource identifier in the packet based on the Web server hypertext transport protocol intrusion detection policy only if the Web server hypertext transport protocol intrusion detection policy is identified by the hypertext transport protocol policy selection component; and
- a universal resource identifier normalization module configured to decode an obfuscation within the universal resource identifier after it is located by the request universal resource identifier discovery component.
Abstract
A hypertext transport protocol (HTTP) inspection engine for an intrusion detection system (IDS) includes an HTTP policy selection component, a request universal resource identifier (URI) discovery component, and a URI normalization module. The HTTP policy selection component identifies an HTTP intrusion detection policy using a packet. The request URI discovery component locates a URI within the packet. The URI normalization module decodes an obfuscation within the URI. In another embodiment, a packet transmitted on the network is intercepted. The packet is parsed. An Internet protocol (IP) address of the packet is identified. An HTTP intrusion detection policy for a network device is determined. A URI is located in the packet. A pattern from an intrusion detection system rule is compared to the located URI. In another embodiment, an IDS includes a packet acquisition system, network and transport reassembly modules, an HTTP inspection engine, a detection engine, and a logging system.
27 Claims
1. See First Claim above. Dependent claims: 2, 3, 4, 5, 6, 8, 9, 10, 11, 27.
7. (canceled)
12. A method for detecting a hypertext transport protocol evasion on a network using an intrusion detection system, comprising:
- intercepting a packet transmitted on the network;
- parsing the packet;
- identifying an Internet protocol address of the packet;
- determining a Web server hypertext transport protocol intrusion detection policy for a network device located at the Internet protocol address, so as to determine if the packet is moving to or from a Web server;
- locating at least one universal resource identifier within the packet based on the Web server hypertext transport protocol intrusion detection policy only if the Web server hypertext transport protocol intrusion detection policy is determined to be associated with the network device located at the Internet protocol address;
- comparing at least one pattern from a rule of the intrusion detection system to the at least one universal resource identifier which was located, to determine if there is a match between the at least one pattern from the rule of the intrusion detection system and the at least one universal resource identifier; and
- identifying the match as the hypertext transport protocol evasion.
Dependent claims: 13, 14, 15, 16, 17, 19, 20, 21, 22, 23, 24, 25.
18. The method of claim 18, the reading through the hypertext transport protocol application data one time comprising using a state machine.
26. An intrusion detection system, comprising:
- a packet acquisition system that intercepts a packet transmitted across a network and parses the packet;
- a network protocol reassembly module that parses network protocols from the packet;
- a transport protocol reassembly module that parses transport protocols from the packet;
- a hypertext transport protocol inspection engine that parses hypertext transport protocol from the packet, determines a Web server hypertext transport protocol intrusion detection policy for the packet so as to determine if the packet is moving to or from a Web server, locates at least one universal resource identifier from the packet based on the Web server hypertext transport protocol intrusion detection policy only if the Web server hypertext transport protocol intrusion detection policy is determined to be associated with the packet, and decodes an obfuscation within the at least one universal resource identifier based on the Web server hypertext transport protocol intrusion detection policy after the universal resource identifier is located;
- a detection engine that receives hypertext transport protocol inspected packet information from the hypertext transport protocol inspection engine and inspects the hypertext transport protocol inspected packet information for intrusions; and
- a logging system that receives and stores information about the intrusions from the detection engine.
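The policy-selection, URI-discovery, URI-normalization and rule-matching pipeline that the method of claim 12 and the inspection engine of claim 26 describe, as an added Python example (it is not the patent's or any vendor's code; the server IP addresses, the two policy profiles, the rule patterns and the function names are constructed for this illustration). It shows why the policy must be selected before normalization: the same obfuscated request is decoded differently depending on which Web server it is going to.

```python
import re
from ipaddress import ip_address

# Constructed per-Web-server HTTP intrusion detection policies, keyed by server IP.
# The IPs and the profile settings are assumptions made for this example.
HTTP_POLICIES = {
    "10.0.0.5": {"double_decode": True, "backslash_is_slash": True},    # IIS-like server
    "10.0.0.6": {"double_decode": False, "backslash_is_slash": False},  # Apache-like server
}
# Constructed IDS rules: (rule name, pattern compared against the normalized URI).
RULES = [("traversal", "../"), ("admin_area", "/admin/")]
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")

def select_policy(dst_ip):
    """Policy selection: the policy for the destination Web server, or None if not a Web server."""
    return HTTP_POLICIES.get(str(ip_address(dst_ip)))

def find_request_uri(payload):
    """Request-URI discovery: extract the URI from the HTTP request line, if there is one."""
    m = REQUEST_LINE.match(payload)
    return m.group(2).decode("latin-1") if m else None

def pct_decode(s):
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def normalize_uri(uri, policy):
    """URI normalization: undo the encodings the selected server would itself undo.
    '..' segments are deliberately kept so that traversal rules can still match them."""
    uri = pct_decode(uri.split("?", 1)[0])       # the rules here target the path only
    if policy["double_decode"]:                  # the server decodes twice, so must the IDS
        uri = pct_decode(uri)
    if policy["backslash_is_slash"]:
        uri = uri.replace("\\", "/")
    uri = re.sub(r"/+", "/", uri)                # '////' -> '/'
    return re.sub(r"(?:/\.)+/", "/", uri)        # '/./' -> '/'

def inspect_packet(dst_ip, payload):
    """The method of claim 12: policy -> URI -> normalize -> compare rule patterns.
    Returns the names of the rules whose pattern matched the normalized URI."""
    policy = select_policy(dst_ip)
    if policy is None:
        return []                 # not a Web server under policy: no URI search is made
    uri = find_request_uri(payload)
    if uri is None:
        return []                 # no HTTP request line in this packet
    normalized = normalize_uri(uri, policy)
    return [name for name, pattern in RULES if pattern in normalized]
```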
Specification