Project

General

Profile

Actions

Bug #1957

closed

PCRE lowercase enforcement in http_host buffer does not allow for upper case in hex-encoding

Added by David Wharton about 8 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The http_host buffer is normalized to be all lower case. However, the validation for PCREs applied to this buffer does not allow for (valid) upper case letters to be used in escaped hex-encoding (\xhh). Example rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"suricata TLD in HTTP Host"; flow:established, to_server; content:"|2E|suricata"; http_host; pcre:"/\x2Esuricata$/W"; priority: 5; sid:1231;)

Generates this alert:

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre host("W") specified has an uppercase char. Since the hostname buffer we match against is actually lowercase, please specify an all lowercase based pcre.

Changing the PCRE to have '\x2e' instead of '\x2E' works:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"suricata TLD in HTTP Host"; flow:established, to_server; content:"|2E|suricata"; http_host; pcre:"/\x2esuricata$/W"; priority: 5; sid:1231;)

Actions

Also available in: Atom PDF