Open Information Security Foundation | https://redmine.openinfosecfoundation.org/ | 2015-04-07T11:27:01Z

Suricata - Bug #1442: HTTP URL parser | https://redmine.openinfosecfoundation.org/issues/1442?journal_id=5049 | 2015-04-07T11:27:01Z | Victor Julien (victor@inliniac.net)
<p>I think suri/libhtp may be correct here, as the HTTP RFCs don't allow spaces in the URI. Can you confirm the server parses the URI correctly?</p>

Suricata - Bug #1442: HTTP URL parser | https://redmine.openinfosecfoundation.org/issues/1442?journal_id=5051 | 2015-04-07T20:48:51Z | Lucky b56 (ab@rootshell.in)
<p>Yes. It's a malware trying to communicate with their custom HTTP server I believe.</p>

Suricata - Bug #1442: HTTP URL parser | https://redmine.openinfosecfoundation.org/issues/1442?journal_id=5052 | 2015-04-07T23:39:42Z | Anoop Saldanha (anoopsaldanha@gmail.com)
<p>Lucky b56 wrote:</p>
<blockquote>
<p>Yes. It's a malware trying to communicate with their custom HTTP server I believe.</p>
</blockquote>
<p>It's more like a custom server, rather than a custom HTTP server. It's just that the protocol is very similar to HTTP.</p>

Suricata - Bug #1442: HTTP URL parser | https://redmine.openinfosecfoundation.org/issues/1442?journal_id=5053 | 2015-04-08T05:53:52Z | Victor Julien (victor@inliniac.net)
<p>Are you able to share a pcap either in the ticket or privately?</p>

Suricata - Bug #1442: HTTP URL parser | https://redmine.openinfosecfoundation.org/issues/1442?journal_id=5054 | 2015-04-08T06:04:14Z | Lucky b56 (ab@rootshell.in)
<p>Unfortunately I don't have a pcap. You can close this issue now.</p>

Suricata - Bug #1442: HTTP URL parser | https://redmine.openinfosecfoundation.org/issues/1442?journal_id=5124 | 2015-04-28T03:28:05Z | Victor Julien (victor@inliniac.net)
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li></ul>