Bug #2881
openhttp.protocol parsing inaccuracy
Description
Request:
GET /uid=0(root) gid=0(root) groups=0(root)asdf HTTP/1.1
User-Agent: curl/7.29.0
Accept: */*
eve.json output:"http":{"protocol":"gid=0(root) groups=0(root)asdf HTTP\/1.1"}
It appears that the http.protocol is matching too greedily with the space character and could use something like /\S+$/m instead.
Updated by chris lujan about 4 years ago
Conversely, the http.url field is only matching up until the first space resulting in something like:
"http":{"url":"/uid=0(root)"}
which leads me to believe those fields are created by splitting the line by spaces.
Updated by Victor Julien about 4 years ago
- Status changed from New to Assigned
- Assignee set to Philippe Antoine
- Target version set to TBD
Updated by Victor Julien about 4 years ago
I think uri's are not supposed to have spaces, but I think it would be good to address this anyway.
Updated by Philippe Antoine almost 4 years ago
Thanks Chris.
Indeed, Uris are not supposed to have spaces, but the protocol field is even less supposed to have spaces.
So I think we can take the last space in the request line as the uri end, instead of the second one.
Updated by Philippe Antoine about 3 years ago
- Related to Task #3479: libhtp 0.5.33 (4.1.x) added
Updated by Philippe Antoine about 3 years ago
- Status changed from Assigned to In Review
Updated by Philippe Antoine almost 3 years ago
- Target version changed from TBD to 6.0.0beta1
Updated by Philippe Antoine over 2 years ago
- Blocks Task #3824: libhtp 0.5.34 added
Updated by Victor Julien over 2 years ago
- Target version changed from 6.0.0beta1 to 6.0.0rc1
Updated by Victor Julien over 2 years ago
- Target version changed from 6.0.0rc1 to 7.0.0-beta1
Updated by Victor Julien over 2 years ago
- Blocks deleted (Task #3824: libhtp 0.5.34)
Updated by Philippe Antoine over 2 years ago
- Related to Task #3922: libhtp 0.5.35 added
Updated by Philippe Antoine over 2 years ago
- Target version changed from 7.0.0-beta1 to 6.0.1
Updated by Philippe Antoine over 2 years ago
- Related to Task #4180: libhtp 0.5.36 added
Updated by Victor Julien over 2 years ago
- Target version changed from 6.0.1 to 7.0.0-beta1
Updated by Philippe Antoine over 2 years ago
- Related to deleted (Task #4180: libhtp 0.5.36)
Updated by Philippe Antoine over 2 years ago
https://github.com/OISF/suricata/pull/5599 for 6.0.1
For 7 :
changing the handling in 7 would be good, but I'm not sure it should be optional.
Updated by Philippe Antoine over 2 years ago
https://github.com/OISF/suricata/pull/5614 merged for 6.0.1
Still work to do for 7
Updated by Philippe Antoine over 1 year ago
- Related to Task #4667: libhtp 0.5.39 added
Updated by Philippe Antoine 11 months ago
https://github.com/OISF/suricata/pull/6884 is latest PR to review
Updated by Victor Julien 5 months ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Philippe Antoine 4 months ago
- Status changed from In Review to Closed
Updated by Victor Julien about 2 months ago
- Status changed from Closed to In Review
- Priority changed from High to Normal
- Target version changed from 7.0.0-rc1 to 8.0beta1
Was accidentally closed. Postponing once more to give rule writers more time to update things on their end.