Project

General

Profile

Actions

Bug #2619

closed

Malformed HTTP causes FN using http_header_names;

Added by Travis Green about 6 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

In Suricata 4.x, a malformed HTTP request/response can cause FN when using http_header_names;

I have included 2 pcaps, one in which the FN is observed, and another in which I generate traffic intended to reproduce the issue, but was unable. I include the second pcap in the hopes that it will aid in understanding what is causing this issue.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"http_header_names testcase 1"; flow:established,to_server; content:"GET"; http_method; http_header_names; classtype:trojan-activity; sid:10003657; rev:2;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"http_header_names testcase 2"; flow:established,to_server; content:"GET"; http_method; http_header_names; content:"User-Agent"; classtype:trojan-activity; sid:10003658; rev:2;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"http_header_names testcase 3"; flow:established,to_server; content:"GET"; http_method; http_header_names; content:!"some_such_BS"; classtype:trojan-activity; sid:10003659; rev:2;)

=-= fast.log:
07/18/2018-17:55:53.002762 [**] [1:10003657:2] http_header_names testcase 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.140.10:49160 -> 5.8.88.25:80


Files

testcase.pcap (1.35 KB) testcase.pcap Travis Green, 09/12/2018 08:37 PM
non_repro_testcases.pcap (15.8 KB) non_repro_testcases.pcap Travis Green, 09/12/2018 08:37 PM
Actions #1

Updated by Victor Julien over 5 years ago

  • Status changed from New to Assigned
  • Assignee set to Philippe Antoine
  • Target version set to 5.0beta1
Actions #2

Updated by Philippe Antoine over 5 years ago

Thanks Travis for this report.
These false negatives are due to the missing protocol field in the request line.
LibHTP interprets this as HTTP 0.9 which has no headers.

Python http.server interprets correctly the headers if we forget this protocol field.
I will do a fix checking if line looks like a header one

Actions #3

Updated by Victor Julien over 5 years ago

  • Target version changed from 5.0beta1 to 5.0rc1
Actions

Also available in: Atom PDF