Project

General

Profile

Actions

Feature #2689

closed

http: Normalized HTTP client body buffer

Added by David Wharton about 6 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
medium
Difficulty:
low
Label:

Description

Currently the 'http_uri' buffer is normalized. This is a request to extend the same normalization (URI decode) to the 'http_client_body' buffer.

This would probably require a new keyword (e.g. 'http_client_body_norm'). Or you could do something like 'http_client_body,norm', with the default being 'http_client_body,raw' (meaning, 'http_client_body' would be the same as 'http_client_body,raw'). This would ensure this functionality would not break current rules. However, the proposed keyword nomenclature may not be congruent with current standards or desired direction so this request is not intended to dictate specific implementation, just functionality.

The decoding of the HTTP client body would be done when the content type is recognized as URL encoded. The easy way to do this is to just look for the 'x-www-form-urlencoded' Content-Type header. Heuristic detection is possible but likely not worth the effort or performance impact (although just relying on the client header provides opportunity for bypass).


Related issues 1 (1 open0 closed)

Related to Suricata - Task #2685: SuriCon 2018 brainstormAssignedVictor JulienActions
Actions #1

Updated by David Wharton about 6 years ago

This could possibly be implemented as a transform but seems more natural to treat similar to the http_uri normalized buffer. For performance reasons, a hard decode limit could be enforced (e.g. 4000 bytes).

Actions #2

Updated by Victor Julien almost 6 years ago

  • Related to Task #2685: SuriCon 2018 brainstorm added
Actions #3

Updated by Andreas Herz over 5 years ago

  • Assignee set to Community Ticket
  • Target version set to TBD
Actions #4

Updated by Andreas Herz about 5 years ago

  • Assignee changed from Community Ticket to Philippe Antoine
Actions #5

Updated by Philippe Antoine over 4 years ago

  • Status changed from New to In Review
Actions #6

Updated by Philippe Antoine about 4 years ago

A part got merged in https://github.com/OISF/suricata/pull/5237
But we still need to get transforms to work with HTTP
So that this suricata-verify test will pass :
https://github.com/OISF/suricata-verify/pull/278

Actions #7

Updated by Philippe Antoine about 4 years ago

  • Status changed from In Review to Assigned
  • Assignee changed from Philippe Antoine to Jeff Lucovsky
Actions #9

Updated by Philippe Antoine about 4 years ago

  • Status changed from Assigned to In Review
Actions #10

Updated by Philippe Antoine almost 4 years ago

  • Target version changed from TBD to 6.0.1
Actions #12

Updated by Philippe Antoine almost 4 years ago

  • Status changed from In Review to Closed
Actions #13

Updated by Victor Julien almost 4 years ago

  • Subject changed from Normalized HTTP client body buffer to http: Normalized HTTP client body buffer
Actions

Also available in: Atom PDF