Actions
Bug #1490
closedhttp_host payload validation erroring on uppercase PCRE metacharacters
Affected Versions:
Effort:
Difficulty:
Label:
Description
Referring to behavior mentioned in commit:0d7305df, I notice what I think might be incorrect behavior when applying match to http_host
buffer from pcre containing uppercase metacharacters rather that uppercase literals. Test rule:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST Host Header Pattern"; pcre:"/\d+\D+\d+\D+\d+\D+\d+\D+/W"; sid:1000000; rev:1;)
As shown, this pattern doesn't contain uppercase character literals, only uppercase metacharacters.
Testing with Suricata 2.0.8, this is what occurs:
$ sudo suricata -T -c /etc/suricata/suricata.yaml -S test.rules 18/6/2015 -- 16:21:01 - <Info> - Running suricata under test mode 18/6/2015 -- 16:21:01 - <Notice> - This is Suricata version 2.0.8 RELEASE 18/6/2015 -- 16:21:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre host("W") specified has an uppercase char. Since the hostname buffer we match against is actually lowercase, please specify an all lowercase based pcre. 18/6/2015 -- 16:21:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature parsing failed: "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST Host Header Pattern"; pcre:"/\d+\D+\d+\D+\d+\D+\d+\D+/W"; sid:1000000; rev:1;)"
If the pcre is updated to use the /Z
modifier instead, it doesn't check for uppercase characters and doesn't error on the regular expression.
Thinking the validation should be updated to only error if uppercase literals are detected, but not metacharacters.
Actions