Project

General

Profile

Actions
Copy link

Bug #2402

closed

http_header_names doesn't operate as documented

Added by Duane Howard over 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
4.1beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Not sure if the bug is in implementation, or in the documentation. In the second example of the documentation0 we learn that to validate that a Header is at the beginning of the http_header_names buffer we can use "|0D 0A 0D 0A|HeaderName". It appears, however that the |0D 0A 0D 0A| is only applicable at the end of the buffer.

I've tested on Suricata 4.0.3 RELEASE, output can be found below1 and files used in testing are attached for your easy reproduction.

[0] http://suricata.readthedocs.io/en/latest/rules/http-keywords.html?highlight=http_header_names#http-header-names
[1]

duaneh@zombie-lab6:~$ /usr/bin/suricata -c suricata-pcap.yaml --runmode=single  -S http_header_names.rules -r suricata_test.pcap
Initialization syslog logging with format "[%i] <%d> -- ".
4/1/2018 -- 21:15:33 - <Notice> - This is Suricata version 4.0.3 RELEASE
4/1/2018 -- 21:15:33 - <Info> - CPUs/cores online: 16
4/1/2018 -- 21:15:33 - <Info> - HTTP memcap: 6442450944
4/1/2018 -- 21:15:36 - <Info> - 1 rule files processed. 2 rules successfully loaded, 0 rules failed
4/1/2018 -- 21:15:36 - <Info> - Threshold config parsed: 1 rule(s) found
4/1/2018 -- 21:15:36 - <Info> - 2 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 2 inspect application layer, 0 are decoder event only
4/1/2018 -- 21:15:36 - <Info> - fast output device (regular) initialized: /tmp/fast.log
4/1/2018 -- 21:15:36 - <Info> - Unified2-alert initialized: filename suricata.u2, limit 128 MB
4/1/2018 -- 21:15:36 - <Info> - stats output device (regular) initialized: stats.log
4/1/2018 -- 21:15:36 - <Info> - Syslog output initialized
4/1/2018 -- 21:15:36 - <Info> - reading pcap file suricata_test.pcap
4/1/2018 -- 21:15:36 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
4/1/2018 -- 21:15:36 - <Info> - pcap file end of file reached (pcap err code 0)
4/1/2018 -- 21:15:36 - <Notice> - Signal Received.  Stopping engine.
4/1/2018 -- 21:15:37 - <Info> - time elapsed 1.421s
4/1/2018 -- 21:15:38 - <Notice> - Pcap-file module read 10 packets, 1100 bytes
4/1/2018 -- 21:15:38 - <Info> - Alerts: 1
4/1/2018 -- 21:15:38 - <Info> - cleaning up signature grouping structure... complete

duaneh@zombie-lab6:~$ cat /tmp/fast.log 
01/04/2018-21:07:49.173020  [**] [1:8000002:1] Header Test 2 - Like Depth [**] [Classification: (null)] [Priority: 3] {TCP} 100.97.28.117:45280 -> 35.192.125.79:443

Files

Download all files
http_header_names.rules (471 Bytes) http_header_names.rules test rules Duane Howard, 01/04/2018 03:25 PM
suricata_test.pcap (1.25 KB) suricata_test.pcap test pcap Duane Howard, 01/04/2018 03:25 PM
Actions
Copy link
 #1

Updated by Victor Julien over 6 years ago

This is a documentation error. The format is

\r\nName1\r\nName2\r\n\r\n

You can use depth (soon also starts_with) to anchor to the start of the buffer.

Actions
Copy link
 #2

Updated by Andreas Herz over 6 years ago

  • Assignee set to OISF Dev
  • Target version set to Documentation
Actions
Copy link
 #3

Updated by Victor Julien about 6 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from Documentation to 4.1beta1
Actions
Copy link
 #4

Updated by Victor Julien about 6 years ago

  • Status changed from Assigned to Closed
Actions
Copy link

Also available in: Atom PDF