Bug #1559

closed

Invalid HTTP status in HTTP log

Added by Ray Ruvinskiy over 9 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

I'm not sure whether this is a bug or intentional, but I wanted to bring it up.

A server may return an invalid HTTP response, with something arbitrary where the status code would be expected to be. If this happens, the tx->response_status member will contain whatever string is in that position, but tx->response_status_number will be set to HTP_STATUS_INVALID. However, in the logging code, the response_status field is used, potentially outputting an invalid "status" into the log. I'm wondering if response_status_number should be used in the logging code, instead.

As an example, as of the time of writing, sending the following HTTP request:

GET /empty_flash?e=1 HTTP/1.1
Host: afs.moatads.com

to the server 52.21.219.9 will result in the following response:

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>

And in the suricata log, the status field will have the following contents:

version=\x221.0\x22?>
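
The mismatch described in this report, as an added example that is not part of the original report and is not Suricata or libhtp code: the raw status token is kept apart from the parsed number, and the logged value is derived only from the number. All `ex_` names, the value of `EX_STATUS_INVALID` (a stand-in for `HTP_STATUS_INVALID`), the `<invalid>` placeholder and the three-digit rule are assumptions of this example; taking the second whitespace-separated token as the status is assumed because it matches the log output shown above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for HTP_STATUS_INVALID; the value is an assumption of this example. */
#define EX_STATUS_INVALID (-1)

/* Copy the second whitespace-separated token of the response line into out:
 * the position where the status code is expected. */
static void ex_status_token(const char *line, char *out, size_t outlen)
{
    size_t n = 0;
    while (*line && !isspace((unsigned char)*line)) line++; /* skip first token */
    while (*line && isspace((unsigned char)*line)) line++;  /* skip separator */
    while (*line && !isspace((unsigned char)*line) && n + 1 < outlen)
        out[n++] = *line++;
    out[n] = '\0';
}

/* Example rule: only three decimal digits forming 100..999 count as a status. */
static int ex_status_number(const char *tok)
{
    if (strlen(tok) != 3) return EX_STATUS_INVALID;
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)tok[i])) return EX_STATUS_INVALID;
    int n = (tok[0] - '0') * 100 + (tok[1] - '0') * 10 + (tok[2] - '0');
    return n >= 100 ? n : EX_STATUS_INVALID;
}

/* Derive the logged status from the parsed number, never from the raw token,
 * so server-controlled bytes cannot land in the status field. */
static const char *ex_status_for_log(const char *line, char *buf, size_t len)
{
    char tok[64];
    ex_status_token(line, tok, sizeof(tok));
    int n = ex_status_number(tok);
    if (n == EX_STATUS_INVALID) return "<invalid>"; /* placeholder, assumed */
    snprintf(buf, len, "%d", n);
    return buf;
}

int main(void)
{
    char buf[16];
    /* Constructed inputs: a normal status line, then the report's first line. */
    puts(ex_status_for_log("HTTP/1.1 200 OK", buf, sizeof(buf)));
    puts(ex_status_for_log("<?xml version=\"1.0\"?>", buf, sizeof(buf)));
    return 0;
}
```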

#1

Updated by Andreas Herz over 8 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

#2

Updated by Victor Julien about 6 years ago

  • Status changed from New to Closed
  • Assignee deleted (OISF Dev)
  • Target version deleted (TBD)

I believe this has been fixed. If not, please reopen with a pcap.
