Feature #2689: http: Normalized HTTP client body buffer - Suricata - Open Information Security Foundation

Actions

Feature #2689

closed

http: Normalized HTTP client body buffer

Added by David Wharton over 5 years ago. Updated over 3 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Target version:

Effort:

medium

Difficulty:

low

Label:

Description

Currently the 'http_uri' buffer is normalized. This is a request to extend the same normalization (URI decode) to the 'http_client_body' buffer.

This would probably require a new keyword (e.g. 'http_client_body_norm'). Or you could do something like 'http_client_body,norm', with the default being 'http_client_body,raw' (meaning, 'http_client_body' would be the same as 'http_client_body,raw'). This would ensure this functionality would not break current rules. However, the proposed keyword nomenclature may not be congruent with current standards or desired direction so this request is not intended to dictate specific implementation, just functionality.

The decoding of the HTTP client body would be done when the content type is recognized as URL encoded. The easy way to do this is to just look for the 'x-www-form-urlencoded' Content-Type header. Heuristic detection is possible but likely not worth the effort or performance impact (although just relying on the client header provides opportunity for bypass).

Related issues 1 (1 open — 0 closed)

Actions

#1

Updated by David Wharton over 5 years ago

This could possibly be implemented as a transform but seems more natural to treat similar to the http_uri normalized buffer. For performance reasons, a hard decode limit could be enforced (e.g. 4000 bytes).

Actions

#2

Updated by Victor Julien over 5 years ago

Related to Task #2685: SuriCon 2018 brainstorm added

Actions

#3

Updated by Andreas Herz almost 5 years ago

Assignee set to Community Ticket
Target version set to TBD

Actions

#4

Updated by Andreas Herz over 4 years ago

Assignee changed from Community Ticket to Philippe Antoine

Actions

#5

Updated by Philippe Antoine about 4 years ago

Status changed from New to In Review

https://github.com/OISF/suricata/pull/4398

Actions

#6

Updated by Philippe Antoine over 3 years ago

A part got merged in https://github.com/OISF/suricata/pull/5237
But we still need to get transforms to work with HTTP
So that this suricata-verify test will pass :
https://github.com/OISF/suricata-verify/pull/278

Actions

#7

Updated by Philippe Antoine over 3 years ago

Status changed from In Review to Assigned
Assignee changed from Philippe Antoine to Jeff Lucovsky

Actions

#8

Updated by Philippe Antoine over 3 years ago

A proposed fix is this commit
https://github.com/OISF/suricata/pull/4398/commits/525793050c6368c7c7a7a2a3a71e72cdbd35284a

Actions

#9

Updated by Philippe Antoine over 3 years ago

Status changed from Assigned to In Review

https://github.com/OISF/suricata/pull/5554

Actions

#10

Updated by Philippe Antoine over 3 years ago

Target version changed from TBD to 6.0.1

Merged in https://github.com/OISF/suricata/pull/5573

Actions

#11

Updated by Philippe Antoine over 3 years ago

Still S-V test to merge with https://github.com/OISF/suricata-verify/pull/362

Actions

#12

Updated by Philippe Antoine over 3 years ago

Status changed from In Review to Closed

Actions

#13

Updated by Victor Julien over 3 years ago

Subject changed from Normalized HTTP client body buffer to http: Normalized HTTP client body buffer

Actions

Also available in: Atom PDF