Project

General

Profile

Actions

Bug #2881

closed

http.protocol parsing inaccuracy : accept spaces in URI

Added by chris lujan over 5 years ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
low
Label:

Description

Request:

GET /uid=0(root) gid=0(root) groups=0(root)asdf HTTP/1.1
User-Agent: curl/7.29.0
Accept: */*

eve.json output:
"http":{"protocol":"gid=0(root) groups=0(root)asdf HTTP\/1.1"}

It appears that the http.protocol is matching too greedily with the space character and could use something like /\S+$/m instead.


Files

b8ee56effed96ba.pcap (467 Bytes) b8ee56effed96ba.pcap Brandon Murphy, 06/15/2023 04:53 PM

Related issues 3 (0 open3 closed)

Related to Suricata - Task #3479: libhtp 0.5.33 (4.1.x)ClosedPhilippe AntoineActions
Related to Suricata - Task #3922: libhtp 0.5.35ClosedPhilippe AntoineActions
Related to Suricata - Task #4667: libhtp 0.5.39ClosedVictor JulienActions
Actions

Also available in: Atom PDF