Bug #2619

closed

Malformed HTTP causes FN using http_header_names

Added by Travis Green over 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

In Suricata 4.x, a malformed HTTP request/response can cause a FN when using http_header_names.

I have included 2 pcaps: one in which the FN is observed, and another in which I generate traffic intended to reproduce the issue, but was unable to. I include the second pcap in the hopes that it will aid in understanding what is causing this issue.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"http_header_names testcase 1"; flow:established,to_server; content:"GET"; http_method; http_header_names; classtype:trojan-activity; sid:10003657; rev:2;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"http_header_names testcase 2"; flow:established,to_server; content:"GET"; http_method; http_header_names; content:"User-Agent"; classtype:trojan-activity; sid:10003658; rev:2;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"http_header_names testcase 3"; flow:established,to_server; content:"GET"; http_method; http_header_names; content:!"some_such_BS"; classtype:trojan-activity; sid:10003659; rev:2;)

fast.log:
07/18/2018-17:55:53.002762 [**] [1:10003657:2] http_header_names testcase 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.140.10:49160 -> 5.8.88.25:80
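
The fast.log above shows only sid 10003657 firing: that rule carries no content on the http_header_names buffer, so it is effectively a GET-on-http_method check, while sids 10003658 and 10003659 both need the header-names buffer to be inspected. The following model, added here and not Suricata or libhtp code, reimplements the documented layout of the http_header_names buffer (a leading CRLF, one header name per line, a trailing extra CRLF) and evaluates the three test-case rules against constructed requests. The parsing rules, the choice of "unterminated header block" and "header line without a colon" as the malformations, and the treatment of a missing buffer as failing both positive and negated content are assumptions of this model, not the established cause of the reported bug.

```python
"""Model of Suricata's http_header_names buffer and the three test-case rules.

Added example, not Suricata's own code. Buffer layout follows the Suricata
documentation for http_header_names; everything else here is an assumption
made to illustrate how a malformed header block can leave rules 2 and 3
silent while rule 1 still fires.
"""
from typing import Optional, Set

CRLF = b"\r\n"

# Sids from the three rules in this report.
SID_TESTCASE_1 = 10003657   # GET on http_method, empty http_header_names selector
SID_TESTCASE_2 = 10003658   # ... plus content:"User-Agent" on http_header_names
SID_TESTCASE_3 = 10003659   # ... plus content:!"some_such_BS" on http_header_names


def header_names_buffer(raw: bytes) -> Optional[bytes]:
    """Build the http_header_names buffer for a raw request.

    Returns None when this model considers the header block malformed:
    no terminating blank line, or a header line with no ':' separator.
    (Assumption: libhtp is more tolerant than this in places.)
    """
    end = raw.find(CRLF + CRLF)
    if end == -1:
        return None                              # header block never terminated
    lines = raw[:end].split(CRLF)
    names = []
    for line in lines[1:]:                       # lines[0] is the request line
        if b":" not in line:
            return None                          # no name/value split on this line
        names.append(line.split(b":", 1)[0].strip())
    # Documented layout: "\r\n" + "Name\r\n" per header + an extra "\r\n".
    return CRLF + b"".join(n + CRLF for n in names) + CRLF


def evaluate_rules(raw: bytes) -> Set[int]:
    """Return the sids of the three test-case rules this model would fire."""
    fired: Set[int] = set()
    request_line = raw.split(CRLF, 1)[0]
    method = request_line.split(b" ", 1)[0]
    if b"GET" not in method:                     # content:"GET"; http_method
        return fired
    fired.add(SID_TESTCASE_1)                    # nothing else to check for rule 1
    buf = header_names_buffer(raw)
    if buf is None:
        # Assumption: with no buffer to inspect, neither the positive nor the
        # negated content on http_header_names can match, so rules 2 and 3 stay
        # silent even though the request is a GET.
        return fired
    if b"User-Agent" in buf:                     # content:"User-Agent"
        fired.add(SID_TESTCASE_2)
    if b"some_such_BS" not in buf:               # content:!"some_such_BS"
        fired.add(SID_TESTCASE_3)
    return fired


# Constructed sample requests (not taken from the attached pcaps).
WELL_FORMED = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: testcase\r\n"
    b"\r\n"
)
UNTERMINATED = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: testcase\r\n"               # no blank line closes the block
)
NO_COLON = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent testcase\r\n"                # separator missing
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in (("well-formed", WELL_FORMED),
                       ("unterminated", UNTERMINATED),
                       ("no-colon", NO_COLON)):
        print(label, header_names_buffer(req), sorted(evaluate_rules(req)))
```

Running the block prints the buffer and the fired sids for each constructed request; the well-formed request fires all three rules, while both malformed variants reproduce the pattern in the fast.log above (only sid 10003657). When triaging a similar FN, dumping the actual buffer Suricata built for the transaction (rather than assuming it from the wire bytes) is the quickest way to tell whether the rule or the parser is the problem.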


Files

testcase.pcap (1.35 KB) testcase.pcap Travis Green, 09/12/2018 08:37 PM
non_repro_testcases.pcap (15.8 KB) non_repro_testcases.pcap Travis Green, 09/12/2018 08:37 PM