Project

General

Profile

Actions
Copy link

Bug #2260

closed

Weird status codes when dealing with incomplete http streams in 4.0

Added by Bendik Hagen over 6 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Bendik Hagen
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

When suricata 4.0 parses http streams with missing http response headers it returns invalid http statuscodes, etc status":456723.
Seems to be a bug in LIBHTP that causes this.

htp_connp_RES_LINE: ptr 0x7f3ed70a9082 offset 0 len 35
00000000  30 30 30 30 3d 30 30 30  30 30 30 30 2f 41 53 44  |0000=0000000/ASD|
00000010  46 33 5f 33 31 2e 7a 69  70 2c 20 34 35 36 37 32  |F3_31.zip, 45672|
00000020  33 0d 0a                                          |3..|

Response protocol: ptr 0x7f3ed70a9b78 offset 0 len 26
00000000  30 30 30 30 3d 30 30 30  30 30 30 30 2f 41 53 44  |0000=0000000/ASD|
00000010  46 33 5f 33 31 2e 7a 69  70 2c                    |F3_31.zip,|

Response protocol number: -2

Response status (as text): ptr 0x7f3ed70a9bb8 offset 0 len 6
00000000  34 35 36 37 32 33                                 |456723|

Response status number: 456723

Files

Download all files
status_code.pcap (2.48 KB) status_code.pcap Anonymous, 11/02/2017 10:26 AM
status_code_hotfix.patch (831 Bytes) status_code_hotfix.patch Anonymous, 11/02/2017 10:31 AM
Actions
Copy link

Also available in: Atom PDF