Skip to content

Task 5.4.3: Protocol-Aware Filtering

Status: Complete Date: 2026-02-09

Summary

Implemented protocol-aware network filtering that detects the protocol in use and enforces protocol-level policies. Only allowed protocols with well-formed traffic are permitted through the security layer.

Components

Protocol Detection

Hybrid detection using payload inspection (primary) and port-based mapping (fallback):

Protocol Payload Detection Port Mapping
HTTP Request/response line regex 80, 8080
HTTPS Request line + port hint 443, 8443
DNS Binary payload + port 53
SSH SSH-x.x- banner 22
FTP 220 greeting 21
SMTP 220/EHLO/HELO greeting 25, 587, 465

HTTP Validation (HTTPValidator)

  • Method enforcement: Only allowed HTTP methods pass (TRACE/CONNECT blocked by default)
  • Required headers: Host header required by default
  • Forbidden headers: X-Forwarded-For, X-Real-IP, X-Originating-IP blocked
  • URL length limits: Configurable max (default 2048 chars)
  • Header size limits: Configurable max (default 8192 bytes)
  • Suspicious pattern detection: Path traversal, encoded traversal, proxy abuse
  • Request smuggling detection: CL+TE conflict, duplicate CL, duplicate TE
  • WebSocket upgrade detection: Identifies upgrade requests

Protocol Policy (ProtocolPolicy)

Configurable policy with sensible defaults:

  • allowed_protocols: HTTP, HTTPS, DNS by default
  • allowed_http_methods: GET, HEAD, POST, PUT, DELETE, PATCH, OPTIONS
  • require_host_header: True
  • block_forbidden_headers: True
  • detect_smuggling: True
  • max_header_size: 8192 bytes
  • max_url_length: 2048 chars

Statistics Tracking

Tracks: total filtered, allowed, blocked, HTTP requests, protocol violations, smuggling attempts.

Files

File Description
src/harombe/security/protocol_filter.py Protocol filter implementation
tests/security/test_protocol_filter.py 61 tests (all passing)

Test Coverage

  • 61 tests across 9 test classes
  • Protocol enum values (7)
  • Protocol policy configuration (5)
  • Protocol detection (12)
  • HTTP validation (14)
  • Filter allow/block decisions (10)
  • Statistics tracking (3)
  • Policy updates (2)
  • Performance benchmarks (2)
  • Edge cases (6)

Performance

  • Filter: <1ms per packet (benchmark verified)
  • Detection: <500µs per packet (benchmark verified)

Architecture

NetworkPacket
ProtocolFilter.filter()
    ├─► detect_protocol()    ── payload regex + port mapping
    ├─► Check allowed_protocols list
    └─► HTTP/HTTPS path:
        ├─► _check_smuggling()   ── CL/TE conflict detection
        └─► HTTPValidator.validate()
            ├── Method check
            ├── URL length check
            ├── Required headers
            ├── Forbidden headers
            ├── Header size limit
            └── Suspicious pattern scan

Integration Points

  • Uses NetworkPacket from harombe.security.dpi (shared type)
  • Exported via harombe.security.__init__.py
  • Can be composed with DeepPacketInspector for layered inspection
  • Can be composed with EgressFilter for domain + protocol filtering