Project

General

Profile

Actions

Bug #2402

closed

http_header_names doesn't operate as documented

Added by Duane Howard over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Not sure if the bug is in implementation, or in the documentation. In the second example of the documentation0 we learn that to validate that a Header is at the beginning of the http_header_names buffer we can use "|0D 0A 0D 0A|HeaderName". It appears, however that the |0D 0A 0D 0A| is only applicable at the end of the buffer.

I've tested on Suricata 4.0.3 RELEASE, output can be found below1 and files used in testing are attached for your easy reproduction.

[0] http://suricata.readthedocs.io/en/latest/rules/http-keywords.html?highlight=http_header_names#http-header-names
[1]

duaneh@zombie-lab6:~$ /usr/bin/suricata -c suricata-pcap.yaml --runmode=single  -S http_header_names.rules -r suricata_test.pcap
Initialization syslog logging with format "[%i] <%d> -- ".
4/1/2018 -- 21:15:33 - <Notice> - This is Suricata version 4.0.3 RELEASE
4/1/2018 -- 21:15:33 - <Info> - CPUs/cores online: 16
4/1/2018 -- 21:15:33 - <Info> - HTTP memcap: 6442450944
4/1/2018 -- 21:15:36 - <Info> - 1 rule files processed. 2 rules successfully loaded, 0 rules failed
4/1/2018 -- 21:15:36 - <Info> - Threshold config parsed: 1 rule(s) found
4/1/2018 -- 21:15:36 - <Info> - 2 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 2 inspect application layer, 0 are decoder event only
4/1/2018 -- 21:15:36 - <Info> - fast output device (regular) initialized: /tmp/fast.log
4/1/2018 -- 21:15:36 - <Info> - Unified2-alert initialized: filename suricata.u2, limit 128 MB
4/1/2018 -- 21:15:36 - <Info> - stats output device (regular) initialized: stats.log
4/1/2018 -- 21:15:36 - <Info> - Syslog output initialized
4/1/2018 -- 21:15:36 - <Info> - reading pcap file suricata_test.pcap
4/1/2018 -- 21:15:36 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
4/1/2018 -- 21:15:36 - <Info> - pcap file end of file reached (pcap err code 0)
4/1/2018 -- 21:15:36 - <Notice> - Signal Received.  Stopping engine.
4/1/2018 -- 21:15:37 - <Info> - time elapsed 1.421s
4/1/2018 -- 21:15:38 - <Notice> - Pcap-file module read 10 packets, 1100 bytes
4/1/2018 -- 21:15:38 - <Info> - Alerts: 1
4/1/2018 -- 21:15:38 - <Info> - cleaning up signature grouping structure... complete

duaneh@zombie-lab6:~$ cat /tmp/fast.log 
01/04/2018-21:07:49.173020  [**] [1:8000002:1] Header Test 2 - Like Depth [**] [Classification: (null)] [Priority: 3] {TCP} 100.97.28.117:45280 -> 35.192.125.79:443


Files

http_header_names.rules (471 Bytes) http_header_names.rules test rules Duane Howard, 01/04/2018 03:25 PM
suricata_test.pcap (1.25 KB) suricata_test.pcap test pcap Duane Howard, 01/04/2018 03:25 PM
Actions #1

Updated by Victor Julien over 3 years ago

This is a documentation error. The format is

\r\nName1\r\nName2\r\n\r\n

You can use depth (soon also starts_with) to anchor to the start of the buffer.

Actions #2

Updated by Andreas Herz over 3 years ago

  • Assignee set to OISF Dev
  • Target version set to Documentation
Actions #3

Updated by Victor Julien over 3 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from Documentation to 4.1beta1
Actions #4

Updated by Victor Julien over 3 years ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF