Bug #2619 (Closed)
Malformed HTTP causes FN using http_header_names;
Description
In Suricata 4.x, a malformed HTTP request/response can cause FN when using http_header_names;
I have included 2 pcaps, one in which the FN is observed, and another in which I generate traffic intended to reproduce the issue, but was unable. I include the second pcap in the hopes that it will aid in understanding what is causing this issue.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"http_header_names testcase 1"; flow:established,to_server; content:"GET"; http_method; http_header_names; classtype:trojan-activity; sid:10003657; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"http_header_names testcase 2"; flow:established,to_server; content:"GET"; http_method; http_header_names; content:"User-Agent"; classtype:trojan-activity; sid:10003658; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"http_header_names testcase 3"; flow:established,to_server; content:"GET"; http_method; http_header_names; content:!"some_such_BS"; classtype:trojan-activity; sid:10003659; rev:2;)
=-= fast.log:
07/18/2018-17:55:53.002762 [**] [1:10003657:2] http_header_names testcase 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.140.10:49160 -> 5.8.88.25:80
Updated by Victor Julien over 5 years ago
- Status changed from New to Assigned
- Assignee set to Philippe Antoine
- Target version set to 5.0beta1
Updated by Philippe Antoine over 5 years ago
Thanks Travis for this report.
These false negatives are due to the missing protocol field in the request line.
LibHTP interprets this as HTTP 0.9 which has no headers.
Python http.server interprets the headers correctly if we omit this protocol field.
I will do a fix checking if the line looks like a header line.
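The following toy parser, added here as an illustration and not code from Suricata or LibHTP, shows the mechanism described in the comment above: a request line without a protocol field is read as HTTP/0.9, which has no header block, so the http_header_names buffer is never populated and sids 10003658 and 10003659 cannot match. The `header_lookahead` flag models the proposed fix (treat the request as having headers when the next line looks like a header). The sample requests are constructed, the layout of the http_header_names buffer (leading CRLF, one name per line, trailing extra CRLF) and the rule that an absent buffer is simply not inspected are assumptions about Suricata's behaviour, and the function names are this example's own.

```python
"""Added example: why a missing protocol field makes http_header_names an FN.

Not part of Suricata or LibHTP; request samples are constructed and the
buffer layout and match semantics are simplifying assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample requests (not taken from the pcaps attached to the ticket).
MALFORMED_REQUEST = (
    b"GET /index.html\r\n"               # no " HTTP/1.x" protocol field
    b"Host: example.test\r\n"
    b"User-Agent: sample-agent/1.0\r\n"
    b"\r\n"
)
WELL_FORMED_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: sample-agent/1.0\r\n"
    b"\r\n"
)

# The two rules from the report that need data in the http_header_names buffer:
# sid -> (content pattern, negated?)
HEADER_NAME_RULES = {
    10003658: (b"User-Agent", False),
    10003659: (b"some_such_BS", True),
}

# RFC 7230 token characters followed by ':' -> "this line looks like a header".
_HEADER_LINE_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:")


def looks_like_header(line: bytes) -> bool:
    """Heuristic used by the lookahead: a token, then a colon."""
    return _HEADER_LINE_RE.match(line) is not None


def parse_request(raw: bytes, header_lookahead: bool) -> Tuple[bool, Optional[List[bytes]]]:
    """Return (protocol_field_present, header_names).

    header_names is None when the parser decides there is no header block at
    all (the strict HTTP/0.9 reading), which is different from an empty list.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) == 3:
        has_protocol, has_headers = True, True
    elif len(parts) == 2:
        # Missing protocol field: a strict parser treats this as HTTP/0.9,
        # which by definition carries no headers. The lookahead instead
        # checks whether the next line is shaped like a header.
        has_protocol = False
        has_headers = header_lookahead and len(lines) > 1 and looks_like_header(lines[1])
    else:
        raise ValueError("unparseable request line")
    if not has_headers:
        return has_protocol, None
    names = [line.split(b":", 1)[0] for line in lines[1:] if line]
    return has_protocol, names


def header_names_buffer(names: Optional[List[bytes]]) -> Optional[bytes]:
    """Assumed http_header_names layout: CRLF, each name + CRLF, final CRLF.

    Returns None when there was no header block (buffer absent, not empty).
    """
    if names is None:
        return None
    return b"\r\n" + b"".join(n + b"\r\n" for n in names) + b"\r\n"


def rule_matches(buf: Optional[bytes], pattern: bytes, negated: bool) -> bool:
    """Assumed semantics: an absent buffer is not inspected, so nothing matches,
    not even a negated content. A present buffer is matched normally."""
    if buf is None:
        return False
    found = pattern in buf
    return (not found) if negated else found


def run_testcases(raw: bytes, header_lookahead: bool) -> Dict[int, bool]:
    """Evaluate the header-name rules against one request; True means alert."""
    _, names = parse_request(raw, header_lookahead)
    buf = header_names_buffer(names)
    return {sid: rule_matches(buf, pat, neg) for sid, (pat, neg) in HEADER_NAME_RULES.items()}


if __name__ == "__main__":
    for label, raw in (("malformed", MALFORMED_REQUEST), ("well-formed", WELL_FORMED_REQUEST)):
        for lookahead in (False, True):
            print(label, "lookahead=%s" % lookahead, run_testcases(raw, lookahead))
```

With strict parsing the malformed request yields no buffer, so both rules stay silent (the FN in the report); with the lookahead enabled the same bytes produce a buffer containing `Host` and `User-Agent`, and both rules alert exactly as they do for the well-formed request.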
Updated by Victor Julien over 5 years ago
- Target version changed from 5.0beta1 to 5.0rc1
Updated by Philippe Antoine about 5 years ago
- Status changed from Assigned to Closed