Bug #2510
Closed
Suricata doesn't decompress HTTP Post body
Description
The subject is self-explanatory. If I send an HTTP POST request with a gzipped POST body, it doesn't get decompressed and the cleartext inside cannot be inspected by signatures.
Of course, this is an IDS bypass technique.
Example signatures:
alert http any any -> any any (msg: "GZIPPED REQUEST"; flow: established, to_server; content: "name"; http_client_body; nocase; sid: 1; rev: 1; )
alert http any any -> any any (msg: "TO_SERVER |1F 8B|"; flow: established, to_server; content: "|1F 8B|"; http_client_body; sid: 2; rev: 1; )
Pcap Attached
Expectation: alert sid 1
Reality: alert sid 2
Files
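The mismatch reported above, reproduced outside Suricata as an added example (not code from the report, Suricata or libhtp): the same case-insensitive content match is run on the raw request body and on the gzip-decoded body, with a cap on decompressed size. The sample request, host name and the 1 MiB limit are constructed assumptions.

```python
import gzip
import zlib

MAX_DECODED = 1 << 20  # assumed inspection limit (1 MiB) to bound decompression bombs

def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def normalized_body(headers: dict, body: bytes) -> bytes:
    """Return the body as the receiving application sees it after gzip decoding."""
    if headers.get(b"content-encoding") not in (b"gzip", b"x-gzip"):
        return body
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + MAX_WBITS selects the gzip wrapper
    try:
        return d.decompress(body, MAX_DECODED)  # stop at the limit, never inflate unbounded
    except zlib.error:
        return body  # malformed stream: fall back to inspecting the raw bytes

def match_client_body(raw: bytes, needle: bytes) -> dict:
    """Case-insensitive content match on the raw and on the decoded request body."""
    headers, body = split_request(raw)
    needle = needle.lower()
    return {
        "raw": needle in body.lower(),                                # what sid 1 saw
        "decoded": needle in normalized_body(headers, body).lower(),  # what sid 1 should see
        "gzip_magic": body.startswith(b"\x1f\x8b"),                   # what sid 2 matched
    }

def sample_request() -> bytes:
    """Constructed sample: POST with a gzip-compressed form body."""
    body = gzip.compress(b"name=alice&comment=" + b"hello " * 8, mtime=0)
    return (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

if __name__ == "__main__":
    print(match_client_body(sample_request(), b"name"))
```

Here `raw` corresponds to sid 1 evaluated on the undecoded body and `gzip_magic` to sid 2.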
Updated by Andreas Herz over 6 years ago
- Assignee set to OISF Dev
- Target version set to TBD
- Private changed from No to Yes
- Effort set to medium
- Difficulty set to medium
Thanks for reporting, we will look into that.
Updated by Victor Julien over 6 years ago
Libhtp, which does the decompression on the response body side, simply doesn't implement decompression for request bodies. So addressing this issue would involve adding this support to libhtp or implementing it in Suricata itself somehow.
Updated by ajaxtpm ajaxtpm over 6 years ago
Victor Julien wrote:
Libhtp, which does the decompression on the response body side, simply doesn't implement decompression for request bodies. So addressing this issue would involve adding this support to libhtp or implementing it in Suricata itself somehow.
Hi Victor, should I submit this issue to the libhtp GitHub and close this one?
Updated by Victor Julien over 6 years ago
I think a libhtp issue would be good, but let's keep this ticket open as well. Thanks!
Updated by Victor Julien about 5 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Philippe Antoine
Hi Philippe, can you have a look at what it would take for us to also support request body decompression?
Updated by Victor Julien almost 5 years ago
- Target version changed from TBD to 6.0.0beta1
Updated by Philippe Antoine almost 5 years ago
- Related to Task #3479: libhtp 0.5.33 (4.1.x) added
Updated by Philippe Antoine almost 5 years ago
- Status changed from Assigned to In Review
Updated by Philippe Antoine over 4 years ago
- Related to Task #3824: libhtp 0.5.34 added
Updated by Victor Julien over 4 years ago
- Target version changed from 6.0.0beta1 to 7.0.0-beta1
Updated by Victor Julien over 4 years ago
- Related to deleted (Task #3824: libhtp 0.5.34)
Updated by Philippe Antoine almost 4 years ago
- Status changed from In Review to Closed