Feature #2689
Closed
http: Normalized HTTP client body buffer
Description
Currently the 'http_uri' buffer is normalized. This is a request to extend the same normalization (URI decode) to the 'http_client_body' buffer.
This would probably require a new keyword (e.g. 'http_client_body_norm'). Or you could do something like 'http_client_body,norm', with the default being 'http_client_body,raw' (meaning, 'http_client_body' would be the same as 'http_client_body,raw'). This would ensure this functionality would not break current rules. However, the proposed keyword nomenclature may not be congruent with current standards or desired direction so this request is not intended to dictate specific implementation, just functionality.
The decoding of the HTTP client body would be done when the content type is recognized as URL encoded. The easy way to do this is to just look for the 'x-www-form-urlencoded' Content-Type header. Heuristic detection is possible but likely not worth the effort or performance impact (although just relying on the client header provides opportunity for bypass).
Updated by David Wharton about 6 years ago
This could possibly be implemented as a transform, but it seems more natural to treat it similarly to the http_uri normalized buffer. For performance reasons, a hard decode limit could be enforced (e.g. 4000 bytes).
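The normalization requested in the description and the decode cap from the comment above, as an added example that is not part of the ticket or of Suricata's code: a percent-decoder in C that runs only when the Content-Type declares URL encoding. The function names, the `DECODE_LIMIT` constant, the '+' to space handling and the sample bodies used to exercise it are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define DECODE_LIMIT 4000 /* hard decode cap suggested in the ticket */

static int hexval(int c) {
    c = tolower(c);
    return isdigit(c) ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* 1 if the Content-Type value starts with the URL-encoded form media type. */
int is_urlencoded(const char *ct) {
    const char *want = "application/x-www-form-urlencoded";
    for (; ct && *want; want++, ct++)
        if (tolower((unsigned char)*ct) != *want) return 0;
    return ct != NULL;
}

/* Percent-decode the first DECODE_LIMIT bytes of body into out (capacity
 * DECODE_LIMIT). Bad escapes are copied as-is; '+' becomes a space. */
size_t body_norm(const unsigned char *body, size_t len, unsigned char *out) {
    size_t n = len < DECODE_LIMIT ? len : DECODE_LIMIT, o = 0;
    for (size_t i = 0; i < n; i++) {
        int hi = (body[i] == '%' && i + 2 < n) ? hexval(body[i + 1]) : -1;
        int lo = hi >= 0 ? hexval(body[i + 2]) : -1;
        if (lo >= 0) {
            out[o++] = (unsigned char)(hi << 4 | lo);
            i += 2;
        } else {
            out[o++] = body[i] == '+' ? ' ' : body[i];
        }
    }
    return o; /* decoded length */
}

/* Match on the normalized body only when the header declares URL encoding. */
int body_contains(const char *ct, const char *body, const char *needle) {
    unsigned char buf[DECODE_LIMIT];
    const unsigned char *hay = (const unsigned char *)body;
    size_t hlen = strlen(body), nlen = strlen(needle);
    if (is_urlencoded(ct)) {
        hlen = body_norm(hay, hlen, buf);
        hay = buf;
    }
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}
```

With any other Content-Type the body is searched raw, which is the gap the description notes for relying on the client header.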
Updated by Victor Julien about 6 years ago
- Related to Task #2685: SuriCon 2018 brainstorm added
Updated by Andreas Herz over 5 years ago
- Assignee set to Community Ticket
- Target version set to TBD
Updated by Andreas Herz about 5 years ago
- Assignee changed from Community Ticket to Philippe Antoine
Updated by Philippe Antoine almost 5 years ago
- Status changed from New to In Review
Updated by Philippe Antoine over 4 years ago
A part got merged in https://github.com/OISF/suricata/pull/5237
But we still need to get transforms to work with HTTP,
so that this suricata-verify test will pass:
https://github.com/OISF/suricata-verify/pull/278
Updated by Philippe Antoine over 4 years ago
- Status changed from In Review to Assigned
- Assignee changed from Philippe Antoine to Jeff Lucovsky
Updated by Philippe Antoine over 4 years ago
A proposed fix is this commit:
https://github.com/OISF/suricata/pull/4398/commits/525793050c6368c7c7a7a2a3a71e72cdbd35284a
Updated by Philippe Antoine about 4 years ago
- Status changed from Assigned to In Review
Updated by Philippe Antoine about 4 years ago
- Target version changed from TBD to 6.0.1
Updated by Philippe Antoine about 4 years ago
Still S-V test to merge with https://github.com/OISF/suricata-verify/pull/362
Updated by Philippe Antoine about 4 years ago
- Status changed from In Review to Closed
Updated by Victor Julien about 4 years ago
- Subject changed from Normalized HTTP client body buffer to http: Normalized HTTP client body buffer