Bug #1559

closed

Invalid HTTP status in HTTP log

Added by Ray Ruvinskiy over 8 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

I'm not sure whether this is a bug or intentional, but I wanted to bring it up.

A server may return an invalid HTTP response, with something arbitrary where the status code would be expected to be. If this happens, the tx->response_status member will contain whatever string is in that position, but tx->response_status_number will be set to HTP_STATUS_INVALID. However, in the logging code, the response_status field is used, potentially outputting an invalid "status" into the log. I'm wondering if response_status_number should be used in the logging code, instead.

As an example, as of the time of writing, sending the following HTTP request:

GET /empty_flash?e=1 HTTP/1.1
Host: afs.moatads.com

to the server 52.21.219.9 will result in the following response:

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>

And in the suricata log, the status field will have the following contents:

version=\x221.0\x22?>
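
The alternative the report raises, shown as an added example that is not part of the original report and is not Suricata or libhtp code: the logged status is built from a validated number instead of the raw token. The whitespace tokenization, the three-digit check, the "-" placeholder and all function names are assumptions made for illustration; STATUS_INVALID is a local stand-in for HTP_STATUS_INVALID.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define STATUS_INVALID (-1) /* local stand-in for the parser's "invalid" marker */

/* Copy the second whitespace-separated token of the first response line
 * (the raw "status" string) into out. Returns the token length. */
static size_t raw_status(const char *line, char *out, size_t outsz)
{
    size_t n = 0;
    while (*line && !isspace((unsigned char)*line)) line++; /* skip protocol token */
    while (*line == ' ' || *line == '\t') line++;           /* skip separator */
    while (*line && !isspace((unsigned char)*line) && n + 1 < outsz)
        out[n++] = *line++;
    out[n] = '\0';
    return n;
}

/* Numeric status: exactly three digits, 100..999, otherwise STATUS_INVALID. */
static int status_number(const char *raw)
{
    if (strlen(raw) != 3) return STATUS_INVALID;
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)raw[i])) return STATUS_INVALID;
    int v = (raw[0] - '0') * 100 + (raw[1] - '0') * 10 + (raw[2] - '0');
    return v >= 100 ? v : STATUS_INVALID;
}

/* Build the log field from the validated number, never from the raw bytes. */
static const char *log_status_field(const char *line, char *buf, size_t bufsz)
{
    char raw[64];
    raw_status(line, raw, sizeof raw);
    int n = status_number(raw);
    if (n == STATUS_INVALID) snprintf(buf, bufsz, "-"); /* assumed placeholder */
    else snprintf(buf, bufsz, "%d", n);
    return buf;
}

int main(void)
{
    char buf[16];
    /* Constructed inputs: a normal status line, then the first line of the response above. */
    printf("%s\n", log_status_field("HTTP/1.1 200 OK", buf, sizeof buf));
    printf("%s\n", log_status_field("<?xml version=\"1.0\"?>", buf, sizeof buf));
    return 0;
}
```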
