
Bug #2224

Negated http_* match returns false if buffer not populated

Added by David Wharton about 2 years ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

If a rule has a negated content match for the 'http_user_agent' buffer but the http_user_agent buffer isn't populated (i.e. the HTTP traffic doesn't have a "User-Agent" header), the negated content match will return false when it should be true. Example:

HTTP traffic:

GET /nouser-agent.html HTTP/1.1
Accept: */*

Rule:

alert http any any -> any any (msg:"User-Agent"; flow:established,to_server; content:"user-agent"; http_uri; content:!"doesnotexist"; http_user_agent; priority:2; sid:8675309;)

The above traffic does not have a User-Agent buffer so any negated content match in the http_user_agent buffer should return true. However, the above rule does not alert (unless the http_user_agent content match is removed).

Tested on Suricata 4.0.0, 3.2.3, 2.9.0, etc. This behavior applies to other http_* buffers too, e.g. http_host:

alert http any any -> any any (msg:"User-Agent"; flow:established,to_server; content:"user-agent"; http_uri; content:!"doesnotexist"; http_host; priority:2; sid:8675308;)

Maybe this behavior is "as designed" ... if so, can this bug report be turned into a feature request?


Files

no_user-agent.pcap (422 Bytes), David Wharton, 10/09/2017 10:48 AM

Related issues

Related to Bug #2479: http_cookie negation fails if no cookie in traffic (New, 04/05/2018)

History

#1

Updated by Andreas Herz about 2 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

#2

Updated by Philippe Antoine 4 months ago

  • Related to Bug #2479: http_cookie negation fails if no cookie in traffic added

#3

Updated by Andreas Herz 3 months ago

Philippe are you looking into those two related issues so I can assign them to you :)?

#4

Updated by Victor Julien 3 months ago

This is not really a bug. It's more a design decision about how to deal with negation on buffers we don't see. Right now it won't match as the rule is only evaluated if the buffer is present.

#5

Updated by Philippe Antoine 3 months ago

So, the feature request would be to have a new negate keyword that includes absence?
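The two semantics discussed in this thread (the current "buffer must be present" evaluation from comment #4 and the reporter's expectation that a negated match on an absent buffer is true), as an added Python model that is not Suricata's code and not part of this ticket: it extracts the http_uri, http_host and http_user_agent buffers from the ticket's request, evaluates sid 8675309 and sid 8675308 under both semantics, and shows that only the second one alerts on the User-Agent-less traffic. The requests other than the ticket's own are constructed.

```python
# Added example (not Suricata code): the two semantics this ticket discusses for a negated content match on an http_* buffer.
from typing import Dict, List, Optional, Tuple
Match = Tuple[str, str, bool]  # (buffer name, pattern, negated)

def parse_request(raw: str) -> Dict[str, Optional[str]]:
    """Extract the http_uri, http_host and http_user_agent buffers from a
    minimal HTTP/1.1 request; a missing header yields an unpopulated (None) buffer."""
    lines = raw.split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"http_uri": uri, "http_host": headers.get("host"),
            "http_user_agent": headers.get("user-agent")}

def content_match(buf: Optional[str], pattern: str, negated: bool,
                  absent_matches_negation: bool) -> bool:
    """One content keyword against one buffer (case-sensitive, no nocase).
    absent_matches_negation=False is the behaviour in comment #4: an unpopulated
    buffer is never evaluated, so it never matches, negated or not.
    True is the reporter's expectation: a negated match on an absent buffer succeeds."""
    if buf is None:
        return negated and absent_matches_negation
    return (pattern in buf) != negated

def rule_alerts(bufs: Dict[str, Optional[str]], matches: List[Match],
                absent_matches_negation: bool) -> bool:
    """Every content match of a rule must be true for it to alert."""
    return all(content_match(bufs[b], p, neg, absent_matches_negation)
               for b, p, neg in matches)

# The two rules from the ticket, reduced to their content/buffer pairs.
SID_8675309: List[Match] = [("http_uri", "user-agent", False),
                            ("http_user_agent", "doesnotexist", True)]
SID_8675308: List[Match] = [("http_uri", "user-agent", False),
                            ("http_host", "doesnotexist", True)]

# Constructed requests; NO_UA mirrors the ticket's HTTP traffic (no User-Agent).
NO_UA = "GET /nouser-agent.html HTTP/1.1\r\nAccept: */*\r\n\r\n"
WITH_UA = "GET /nouser-agent.html HTTP/1.1\r\nUser-Agent: curl/7.0\r\n\r\n"
BAD_UA = "GET /nouser-agent.html HTTP/1.1\r\nUser-Agent: doesnotexist\r\n\r\n"

def evaluate(raw: str, rule: List[Match]) -> Tuple[bool, bool]:
    """(alerts under current semantics, alerts if absence satisfies negation)."""
    bufs = parse_request(raw)
    return rule_alerts(bufs, rule, False), rule_alerts(bufs, rule, True)
```

With the ticket's traffic, `evaluate(NO_UA, SID_8675309)` returns `(False, True)`: no alert today, an alert only if absence is allowed to satisfy the negation.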
