Bug #2881

open

http.protocol parsing inaccuracy

Added by chris lujan over 2 years ago. Updated 10 months ago.

Status:
In Review
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
low
Label:

Description

Request:

GET /uid=0(root) gid=0(root) groups=0(root)asdf HTTP/1.1
User-Agent: curl/7.29.0
Accept: */*

eve.json output:
"http":{"protocol":"gid=0(root) groups=0(root)asdf HTTP\/1.1"}

It appears that the http.protocol is matching too greedily with the space character and could use something like /\S+$/m instead.


Related issues

Related to Task #3479: libhtp 0.5.33 (4.1.x) (Closed, Philippe Antoine)
Related to Task #3922: libhtp 0.5.35 (Closed, Philippe Antoine)
Related to Task #4667: libhtp 0.5.39 (New, Victor Julien)
#1

Updated by chris lujan over 2 years ago

Conversely, the http.url field is only matching up until the first space resulting in something like:

"http":{"url":"/uid=0(root)"}

which leads me to believe those fields are created by splitting the line by spaces.

#2

Updated by Victor Julien over 2 years ago

  • Status changed from New to Assigned
  • Assignee set to Philippe Antoine
  • Target version set to TBD
#3

Updated by Victor Julien over 2 years ago

I think URIs are not supposed to have spaces, but I think it would be good to address this anyway.

#4

Updated by Philippe Antoine over 2 years ago

Thanks Chris.
Indeed, URIs are not supposed to have spaces, but the protocol field is even less supposed to have spaces.
So I think we can take the last space in the request line as the uri end, instead of the second one.

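An added example (not libhtp's or Suricata's code) that applies both splitting strategies from the comments above to the request line in this report: ending the URI at the second space reproduces the protocol value shown in the eve.json output, while ending it at the last space yields a clean protocol token. The struct and function names are my own.

```c
#include <stdio.h>
#include <string.h>
/* Parsed request line; pointers index into the caller's buffer. */
struct request_line {
    const char *method; size_t method_len;
    const char *uri;    size_t uri_len;
    const char *proto;  size_t proto_len;
};
/* Split "METHOD SP URI SP PROTOCOL". last_space == 0: the URI ends at the
 * second space (the behaviour this bug reports, so a space in the URI leaks
 * into the protocol). last_space == 1: the URI ends at the last space, so
 * the protocol token never contains a space (the approach proposed in #4).
 * Returns 0 on success, -1 if the line has fewer than two spaces. */
int parse_request_line(const char *line, size_t len, int last_space,
                       struct request_line *out)
{
    const char *end = line + len, *sp2 = NULL;
    const char *sp1 = memchr(line, ' ', len);
    if (sp1 == NULL) return -1;
    if (last_space) {
        for (const char *p = end - 1; p > sp1; p--)
            if (*p == ' ') { sp2 = p; break; }
    } else {
        sp2 = memchr(sp1 + 1, ' ', (size_t)(end - sp1 - 1));
    }
    if (sp2 == NULL) return -1;
    out->method = line;   out->method_len = (size_t)(sp1 - line);
    out->uri = sp1 + 1;   out->uri_len = (size_t)(sp2 - sp1 - 1);
    out->proto = sp2 + 1; out->proto_len = (size_t)(end - sp2 - 1);
    return 0;
}
/* 1 if the protocol token still contains a space, i.e. the bug is visible. */
int proto_has_space(const struct request_line *rl)
{
    return memchr(rl->proto, ' ', rl->proto_len) != NULL;
}
int main(void)
{
    /* Constructed input: the request line from this report. */
    const char *line = "GET /uid=0(root) gid=0(root) groups=0(root)asdf HTTP/1.1";
    struct request_line rl;
    for (int last = 0; last <= 1; last++) {
        if (parse_request_line(line, strlen(line), last, &rl) != 0) return 1;
        printf("%s space: uri=\"%.*s\" proto=\"%.*s\"\n", last ? "last" : "second",
               (int)rl.uri_len, rl.uri, (int)rl.proto_len, rl.proto);
    }
    return 0;
}
```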
#5

Updated by Philippe Antoine over 1 year ago

  • Related to Task #3479: libhtp 0.5.33 (4.1.x) added
#6

Updated by Philippe Antoine over 1 year ago

  • Status changed from Assigned to In Review
#7

Updated by Philippe Antoine over 1 year ago

  • Target version changed from TBD to 6.0.0beta1
#8

Updated by Philippe Antoine about 1 year ago

#9

Updated by Victor Julien about 1 year ago

  • Target version changed from 6.0.0beta1 to 6.0.0rc1
#10

Updated by Victor Julien about 1 year ago

  • Target version changed from 6.0.0rc1 to 7.0rc1
#11

Updated by Victor Julien about 1 year ago

#12

Updated by Philippe Antoine about 1 year ago

#13

Updated by Philippe Antoine 10 months ago

  • Target version changed from 7.0rc1 to 6.0.1
#14

Updated by Philippe Antoine 10 months ago

#15

Updated by Victor Julien 10 months ago

  • Target version changed from 6.0.1 to 7.0rc1
#16

Updated by Philippe Antoine 10 months ago

#17

Updated by Philippe Antoine 10 months ago

https://github.com/OISF/suricata/pull/5599 for 6.0.1

For 7:
Changing the handling in 7 would be good, but I'm not sure it should be optional.

#18

Updated by Philippe Antoine 10 months ago

https://github.com/OISF/suricata/pull/5614 merged for 6.0.1

Still work to do for 7

#19

Updated by Philippe Antoine 11 days ago
