Support #2890: HTTP alert isn't triggered when writing ".." as part of the scanned URI - Suricata - Open Information Security Foundation

Actions

Copy link

Support #2890

closed

HTTP alert isn't triggered when writing ".." as part of the scanned URI

Added by Osqui LittleRiver almost 6 years ago. Updated over 5 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Affected Versions:

4.1.3

Label:

Description

Hello.

I have a custom alert like this: alert http any any -> any 80 (msg:"blabla"; content:".."; http_uri; sid:1000000;)

When I run curl http://xxxx/.. (or curl http://xxxx/../.. or doing the same requests via browser) this alert isn't triggered (and Apache/nginx webserver returns index page)

I've done several tests. For instance, if I run curl https://xxxx/... (with three dots), then alert is triggered (and webserver gives a 404 error)
On the other hand, if I change the alert to this one: alert http any any -> any 80 (msg:"blabla"; content:"|2e 2e|"; http_raw_uri; buffer; sid:100000;) is triggered too, so it seems it's a http normalizer's fault
There's more information on these tests in https://pastebin.com/Yd7mhRsA

Thanks a lot to @Travis Green and @patstoms in #suricata IRC for give me a lot of help and point me to these clues

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Support #2890

HTTP alert isn't triggered when writing ".." as part of the scanned URI

Updated by David Wharton over 5 years ago

Updated by Osqui LittleRiver over 5 years ago

Updated by Victor Julien over 5 years ago