Bug #2224

open

Negated http_* match returns false if buffer not populated

Added by David Wharton almost 4 years ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

If a rule has a negated content match for the 'http_user_agent' buffer but the http_user_agent buffer isn't populated (i.e. the HTTP traffic doesn't have a "User-Agent" header), the negated content match will return false when it should be true. Example:

HTTP traffic:

GET /nouser-agent.html HTTP/1.1
Accept: */*

Rule:

alert http any any -> any any (msg:"User-Agent"; flow:established,to_server; content:"user-agent"; http_uri; content:!"doesnotexist"; http_user_agent; priority:2; sid:8675309;)

The above traffic does not have a User-Agent buffer so any negated content match in the http_user_agent buffer should return true. However, the above rule does not alert (unless the http_user_agent content match is removed).

Tested on Suricata 4.0.0, 3.2.3, 2.9.0, etc. This behavior applies to other http_* buffers too. e.g. http_host:

alert http any any -> any any (msg:"User-Agent"; flow:established,to_server; content:"user-agent"; http_uri; content:!"doesnotexist"; http_host; priority:2; sid:8675308;)

Maybe this behavior is "as designed" ... if so, can this bug report be turned into a feature request?
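The behaviour the report describes, as an added example that is not part of the bug report or of Suricata's own code: a small Python model that parses the two request shapes into per-header buffers and evaluates the reporter's negated content match under both policies discussed in this thread, the current one (a rule is only evaluated when the buffer exists, as Victor Julien states in #4) and the one the reporter expected (a negated match on an absent buffer counts as true). The buffer naming, the rule representation and the `curl/7.58.0` User-Agent value are constructed for the example; real Suricata matching details such as `nocase`, fast-pattern selection and the `http_*` buffer normalisation are deliberately left out.

```python
"""Toy model of negated content matches against absent http_* buffers.

Added example, not Suricata code. A raw HTTP/1.1 request is split into
per-header "buffers" (named like Suricata's http_uri, http_user_agent,
http_host, ...). A rule's content matches are then evaluated under two
policies:

  skip_if_absent     - the match is only evaluated if the buffer exists;
                       a missing buffer means the rule cannot fire
                       (the behaviour reported in this ticket).
  absent_is_negated  - a negated match on a missing buffer is true
                       (the behaviour the reporter expected).
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample traffic (modelled on the request in the report, not
# taken from the attached pcap).
REQ_NO_UA = b"GET /nouser-agent.html HTTP/1.1\r\nAccept: */*\r\n\r\n"
REQ_WITH_UA = (b"GET /nouser-agent.html HTTP/1.1\r\nAccept: */*\r\n"
               b"User-Agent: curl/7.58.0\r\n\r\n")
REQ_BAD_UA = (b"GET /nouser-agent.html HTTP/1.1\r\nAccept: */*\r\n"
              b"User-Agent: doesnotexist\r\n\r\n")

POLICIES = ("skip_if_absent", "absent_is_negated")


def parse_request(raw: bytes) -> Dict[str, bytes]:
    """Return only the buffers actually present in the request.

    A header that is not in the request yields no key at all, which is
    what makes the negated match unevaluable under skip_if_absent.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    buffers = {"http_method": method, "http_uri": uri}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # "User-Agent" -> http_user_agent, "Host" -> http_host, etc.
        key = "http_" + name.strip().lower().decode().replace("-", "_")
        buffers[key] = value.strip()
    return buffers


@dataclass(frozen=True)
class ContentMatch:
    buffer: str            # e.g. "http_uri", "http_user_agent"
    pattern: bytes         # content:"..." (exact, case-sensitive here)
    negated: bool = False  # content:!"..."


# The reporter's two rules reduced to their content matches.
RULE_8675309: List[ContentMatch] = [
    ContentMatch("http_uri", b"user-agent"),
    ContentMatch("http_user_agent", b"doesnotexist", negated=True),
]
RULE_8675308: List[ContentMatch] = [
    ContentMatch("http_uri", b"user-agent"),
    ContentMatch("http_host", b"doesnotexist", negated=True),
]


def evaluate_match(m: ContentMatch, buffers: Dict[str, bytes], policy: str) -> bool:
    """Evaluate one content match under the given absence policy."""
    buf = buffers.get(m.buffer)
    if buf is None:
        if policy == "skip_if_absent":
            return False          # no buffer, so the rule can never match
        if policy == "absent_is_negated":
            return m.negated      # "buffer lacks X" is vacuously true
        raise ValueError(f"unknown policy {policy!r}")
    found = m.pattern in buf
    return found != m.negated     # negation inverts a normal hit


def rule_alerts(rule: List[ContentMatch], raw: bytes, policy: str) -> bool:
    """A rule alerts only if every content match succeeds."""
    buffers = parse_request(raw)
    return all(evaluate_match(m, buffers, policy) for m in rule)


def compare_policies(rule: List[ContentMatch], raw: bytes) -> Dict[str, bool]:
    """Alert outcome of one rule against one request under both policies."""
    return {p: rule_alerts(rule, raw, p) for p in POLICIES}


if __name__ == "__main__":
    samples = (("no User-Agent header", REQ_NO_UA),
               ("benign User-Agent", REQ_WITH_UA),
               ("User-Agent contains pattern", REQ_BAD_UA))
    for label, raw in samples:
        print(f"{label:30s} {compare_policies(RULE_8675309, raw)}")
```

Running the block prints one line per sample request; the only row where the two policies disagree is the request with no User-Agent header, which is exactly the false negative the report describes (the rule stays silent under `skip_if_absent` and fires under `absent_is_negated`). The other two rows agree under both policies, so a change of policy only affects traffic that lacks the buffer.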


Files

no_user-agent.pcap (422 Bytes), added by David Wharton, 10/09/2017 10:48 AM

Related issues

Related to Bug #2479: http_cookie negation fails if no cookie in traffic (New, assigned to OISF Dev, 04/05/2018)
Related to Task #4097: Suricon 2020 brainstorm (New, assigned to Victor Julien)
#1

Updated by Andreas Herz almost 4 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
#2

Updated by Philippe Antoine over 2 years ago

  • Related to Bug #2479: http_cookie negation fails if no cookie in traffic added
#3

Updated by Andreas Herz about 2 years ago

Philippe are you looking into those two related issues so I can assign them to you :)?

#4

Updated by Victor Julien about 2 years ago

This is not really a bug. It's more of a design decision about how to deal with negation on buffers we don't see. Right now it won't match, as the rule is only evaluated if the buffer is present.

#5

Updated by Philippe Antoine about 2 years ago

So, the feature request would be to have a new negate keyword that includes absence?

#6

Updated by Jason Ish 11 months ago

  • Related to Task #4097: Suricon 2020 brainstorm added
#7

Updated by Brandon Murphy 5 months ago

Just as an FYI - this issue/design/whatever continues to cause False Negatives on a pretty regular basis. If there is some sort of unofficial "vote" for tickets which need attention, consider this my vote.
