Project

General

Profile

Actions

Bug #2224

open

Negated http_* match returns false if buffer not populated

Added by David Wharton about 7 years ago. Updated 9 months ago.

Status:
In Review
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

If a rule has a negated content match for 'http_user_agent' buffer but the http_user_agent buffer isn't populated (i.e. the HTTP traffic doesn't have a "User-Agent" header), the negated content match will return false when it should be true. Example:

HTTP traffic:

GET /nouser-agent.html HTTP/1.1
Accept: */*

Rule:

alert http any any -> any any (msg:"User-Agent"; flow:established,to_server; content:"user-agent"; http_uri; content:!"doesnotexist"; http_user_agent; priority:2; sid:8675309;)

The above traffic does not have a User-Agent buffer so any negated content match in the http_user_agent buffer should return true. However, the above rule does not alert (unless the http_user_agent content match is removed).

Tested on Suricata 4.0.0, 3.2.3, 2.9.0, etc. This behavior applies to other http_* buffers too. e.g. http_host:

alert http any any -> any any (msg:"User-Agent"; flow:established,to_server; content:"user-agent"; http_uri; content:!"doesnotexist"; http_host; priority:2; sid:8675308;)

Maybe this behavior is "as designed" ... if so, can this bug report be turned in to a feature request?


Files

no_user-agent.pcap (422 Bytes) no_user-agent.pcap pcap David Wharton, 10/09/2017 10:48 AM
no_accept.pcap (619 Bytes) no_accept.pcap Brandon Murphy, 05/03/2023 02:36 PM
no_user_agent.pcap (633 Bytes) no_user_agent.pcap Brandon Murphy, 05/03/2023 02:36 PM
no_accept_language.pcap (626 Bytes) no_accept_language.pcap Brandon Murphy, 05/03/2023 02:36 PM
no_accept_encoding.pcap (618 Bytes) no_accept_encoding.pcap Brandon Murphy, 05/03/2023 02:36 PM
no_referer.pcap (617 Bytes) no_referer.pcap Brandon Murphy, 05/03/2023 02:36 PM
no_connection.pcap (626 Bytes) no_connection.pcap Brandon Murphy, 05/03/2023 02:36 PM
no_content_type.pcap (618 Bytes) no_content_type.pcap Brandon Murphy, 05/03/2023 02:36 PM
all_headers.pcap (650 Bytes) all_headers.pcap Brandon Murphy, 05/03/2023 02:36 PM

Related issues 6 (2 open4 closed)

Related to Suricata - Bug #2479: http_cookie negation fails if no cookie in trafficClosedOISF DevActions
Related to Suricata - Task #4097: Suricon 2020 brainstormAssignedVictor JulienActions
Has duplicate Suricata - Feature #7322: ability to negate the existence of fields via buffer negationRejectedActions
Blocked by Suricata - Bug #6025: detect: allow bsize 0 for existing empty buffersClosedPhilippe AntoineActions
Blocked by Suricata - Optimization #6575: detect/multi-buffer: use single definition of struct PrefilterMpmKrb5NameClosedPhilippe AntoineActions
Blocks Suricata - Story #7124: rules: improve rule languageNewVictor JulienActions
Actions

Also available in: Atom PDF