Bug #1957
closedPCRE lowercase enforcement in http_host buffer does not allow for upper case in hex-encoding
Description
The http_host buffer is normalized to be all lower case. However, the validation for PCREs applied to this buffer does not allow for (valid) upper case letters to be used in escaped hex-encoding (\xhh). Example rule:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"suricata TLD in HTTP Host"; flow:established, to_server; content:"|2E|suricata"; http_host; pcre:"/\x2Esuricata$/W"; priority: 5; sid:1231;)
Generates this alert:
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre host("W") specified has an uppercase char. Since the hostname buffer we match against is actually lowercase, please specify an all lowercase based pcre.
Changing the PCRE to have '\x2e' instead of '\x2E' works:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"suricata TLD in HTTP Host"; flow:established, to_server; content:"|2E|suricata"; http_host; pcre:"/\x2esuricata$/W"; priority: 5; sid:1231;)
Updated by Victor Julien over 7 years ago
- Assignee set to OISF Dev
- Target version set to 70
Updated by Victor Julien almost 7 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Priority changed from Low to Normal
- Target version changed from 70 to 4.0rc2
Updated by Victor Julien almost 7 years ago
- Status changed from Assigned to Closed