Project

General

Profile

Actions

Bug #2510

closed

Suricata doesnt decompress HTTP Post body

Added by ajaxtpm ajaxtpm over 6 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
medium
Difficulty:
medium
Label:

Description

The subject is self-explained. If I send a HTTP Post request with gzipped Post body it doesnt get decompressed and cleartext inside could not be inspected by signatures.
Of course it is the IDS bypass technique.

Example signatures:
alert http any any -> any any (msg: "GZIPPED REQUEST"; flow: established, to_server; content: "name"; http_client_body; nocase; sid: 1; rev: 1; )
alert http any any -> any any (msg: "TO_SERVER |1F 8B|"; flow: established, to_server; content: "|1F 8B|"; http_client_body; sid: 2; rev: 1; )

Pcap Attached

Expectation: alert sid 1
Reality: alert sid 2


Files

gzip_post.pcap (1.23 KB) gzip_post.pcap ajaxtpm ajaxtpm, 06/04/2018 04:55 PM

Related issues 1 (0 open1 closed)

Related to Suricata - Task #3479: libhtp 0.5.33 (4.1.x)ClosedPhilippe AntoineActions
Actions #1

Updated by Andreas Herz over 6 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
  • Private changed from No to Yes
  • Effort set to medium
  • Difficulty set to medium

thanks for reporting, we will look into that

Actions #2

Updated by Victor Julien over 6 years ago

Libhtp, which does the decompression on the response body side, simply doesn't implement decompression for request bodies. So addressing this issue would involve adding this support to libhtp or implementing it in Suricata itself somehow.

Actions #3

Updated by ajaxtpm ajaxtpm over 6 years ago

Victor Julien wrote:

Libhtp, which does the decompression on the response body side, simply doesn't implement decompression for request bodies. So addressing this issue would involve adding this support to libhtp or implementing it in Suricata itself somehow.

Hi Victor, should I submit this issue to libhtp github and close this one?

Actions #4

Updated by Victor Julien over 6 years ago

I think a libhtp issue would be good, but lets keep this ticket open as well. Thanks!

Actions #5

Updated by Victor Julien about 5 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Philippe Antoine

Hi Philippe, can you have a look at what it would take for us to also support request body decompression?

Actions #6

Updated by Victor Julien almost 5 years ago

  • Target version changed from TBD to 6.0.0beta1
Actions #7

Updated by Philippe Antoine almost 5 years ago

  • Related to Task #3479: libhtp 0.5.33 (4.1.x) added
Actions #8

Updated by Philippe Antoine almost 5 years ago

  • Status changed from Assigned to In Review
Actions #9

Updated by Philippe Antoine over 4 years ago

Actions #10

Updated by Victor Julien over 4 years ago

  • Target version changed from 6.0.0beta1 to 7.0.0-beta1
Actions #11

Updated by Victor Julien about 4 years ago

Actions #13

Updated by Victor Julien almost 3 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF