Bug #1957

closed

PCRE lowercase enforcement in http_host buffer does not allow for upper case in hex-encoding

Added by David Wharton about 8 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal

Description

The http_host buffer is normalized to be all lower case. However, the validation for PCREs applied to this buffer does not allow for (valid) upper case letters to be used in escaped hex-encoding (\xhh). Example rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"suricata TLD in HTTP Host"; flow:established, to_server; content:"|2E|suricata"; http_host; pcre:"/\x2Esuricata$/W"; priority: 5; sid:1231;)

Generates this alert:

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre host("W") specified has an uppercase char. Since the hostname buffer we match against is actually lowercase, please specify an all lowercase based pcre.

Changing the PCRE to have '\x2e' instead of '\x2E' works:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"suricata TLD in HTTP Host"; flow:established, to_server; content:"|2E|suricata"; http_host; pcre:"/\x2esuricata$/W"; priority: 5; sid:1231;)
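The false positive reported above, reproduced as an added example that is not Suricata's code and not part of the original report: a naive upper-case scan rejects `\x2E`, while an escape-aware scan judges the byte the escape decodes to. The function names are hypothetical, and the sketch assumes only the `\xh`/`\xhh` escape form (not `\x{...}`, `\Q...\E`, or character-class handling).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive check: any upper-case byte in the pattern text is rejected,
 * including the hex digits of an escape such as \x2E. */
bool naive_has_upper(const char *re)
{
    for (; *re != '\0'; re++)
        if (isupper((unsigned char)*re))
            return true;
    return false;
}

/* Escape-aware check: true only when a literal byte, or the byte a
 * \xh / \xhh escape decodes to, is an upper-case letter and so can
 * never match a lower-cased host buffer. */
bool literal_has_upper(const char *re)
{
    while (*re != '\0') {
        if (*re != '\\') {
            if (isupper((unsigned char)*re))
                return true;
            re++;
            continue;
        }
        re++;                           /* step over the backslash */
        if (*re == '\0')
            break;                      /* trailing backslash */
        if (*re == 'x' && isxdigit((unsigned char)re[1])) {
            char hex[3] = { re[1], '\0', '\0' };
            int n = 1;                  /* hex digits consumed */
            if (isxdigit((unsigned char)re[2])) { hex[1] = re[2]; n = 2; }
            if (isupper((int)strtol(hex, NULL, 16)))
                return true;            /* e.g. \x53 decodes to 'S' */
            re += 1 + n;                /* past 'x' and its digits */
        } else {
            re++;                       /* \W, \S, \. ...: not a literal */
        }
    }
    return false;
}

int main(void)
{
    const char *re = "\\x2Esuricata$";  /* pattern from the rule in the report */
    printf("naive=%d escape-aware=%d\n", naive_has_upper(re), literal_has_upper(re));
    return 0;
}
```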

Actions #1

Updated by Victor Julien about 8 years ago

  • Assignee set to OISF Dev
  • Target version set to 70
Actions #2

Updated by Victor Julien over 7 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
  • Priority changed from Low to Normal
  • Target version changed from 70 to 4.0rc2
Actions #3

Updated by Victor Julien over 7 years ago

  • Status changed from Assigned to Closed