<p>Suricata - Bug #2655: GET/POST HTTP-request with no Content-Length, http_client_body miss (issue journal feed from the Open Information Security Foundation Redmine, <a href="https://redmine.openinfosecfoundation.org/issues/2655">https://redmine.openinfosecfoundation.org/issues/2655</a>)</p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2018-11-01T10:57:33Z, <a href="https://redmine.openinfosecfoundation.org/issues/2655?journal_id=10369">journal 10369</a></p>
<ul><li><strong>Target version</strong> deleted (<del><i>4.1rc2</i></del>)</li></ul>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-02-28T10:46:04Z, <a href="https://redmine.openinfosecfoundation.org/issues/2655?journal_id=11319">journal 11319</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>Philippe Antoine</i></li><li><strong>Target version</strong> set to <i>5.0beta1</i></li></ul>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-02-28T10:47:09Z, <a href="https://redmine.openinfosecfoundation.org/issues/2655?journal_id=11320">journal 11320</a></p>
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/11320/diff?detail_id=12012">diff</a>)</li></ul>
<p><strong>Philippe Antoine</strong>, 2019-03-05T13:31:09Z, <a href="https://redmine.openinfosecfoundation.org/issues/2655?journal_id=11346">journal 11346</a></p>
<p>Thank you Alexey for this report.</p>
<p>From what I understand, the attacker controlled in your case both the client and the server.<br />And so, he used a slightly different protocol than HTTP.<br />Yet this slight difference (removing Content-Length header and delimiting content with end of line) is enough to make parsing fail.</p>
<p>As you rightly pointed out, such an attacker could use other schemes, such as using a modified value for Content-Length (-2 when you write it, +2 when you read it).<br />Another option would be to rename the Content-Length header into Data-Length for instance.<br />We can imagine many more such schemes.<br />So, I do not see how Suricata can rightly parse all these slightly different variants of HTTP.</p>
<p>However, things can be done:</p>
<p>- Suricata should better report that there is a parsing error.<br />I proposed these pull requests:<br /><a class="external" href="https://github.com/OISF/libhtp/pull/190">https://github.com/OISF/libhtp/pull/190</a><br /><a class="external" href="https://github.com/OISF/suricata/pull/3704">https://github.com/OISF/suricata/pull/3704</a><br /><a class="external" href="https://github.com/OISF/suricata-verify/pull/22">https://github.com/OISF/suricata-verify/pull/22</a></p>
<p>- Rule writing should use <strong>http_method</strong> instead of <strong>http_client_body</strong>, as <em>login=foo&password=bar</em> is indeed parsed as a method by Suricata, and by Apache in your post.pcap.<br />Wireshark parses it as unknown data in a new request (i.e. different from the POST request).</p>
<p><strong>Philippe Antoine</strong>, 2019-03-05T16:41:57Z, <a href="https://redmine.openinfosecfoundation.org/issues/2655?journal_id=11352">journal 11352</a></p>
<p>There are new pull requests:<br />- <a class="external" href="https://github.com/OISF/libhtp/pull/191">https://github.com/OISF/libhtp/pull/191</a><br />- <a class="external" href="https://github.com/OISF/suricata/pull/3705">https://github.com/OISF/suricata/pull/3705</a><br />- <a class="external" href="https://github.com/OISF/suricata-verify/pull/24">https://github.com/OISF/suricata-verify/pull/24</a></p>
<p>With these, we can have a signature such as:</p>
<pre>
alert http any any -> any any (msg:"test"; flow:established,to_server;
content:"login=foo&password=bar"; http_client_body;
app-layer-event:http.request_body_unexpected;
sid:1; rev:1;)
</pre>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-04-29T07:47:39Z, <a href="https://redmine.openinfosecfoundation.org/issues/2655?journal_id=11887">journal 11887</a></p>
<ul><li><strong>Target version</strong> changed from <i>5.0beta1</i> to <i>5.0rc1</i></li></ul>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-09-23T05:25:40Z, <a href="https://redmine.openinfosecfoundation.org/issues/2655?journal_id=13684">journal 13684</a></p>
<ul><li><strong>Copied to</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/3187">Bug #3187</a>: GET/POST HTTP-request with no Content-Length, http_client_body miss (4.1.x)</i> added</li></ul>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-09-24T11:16:47Z, <a href="https://redmine.openinfosecfoundation.org/issues/2655?journal_id=13741">journal 13741</a></p>
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li></ul><p><a class="external" href="https://github.com/OISF/suricata/pull/3916">https://github.com/OISF/suricata/pull/3916</a><br /><a class="external" href="https://github.com/OISF/suricata/pull/3935">https://github.com/OISF/suricata/pull/3935</a></p>