Support #2890
closed
HTTP alert isn't triggered when writing ".." as part of the scanned URI
Description
Hello.
I have a custom alert like this: alert http any any -> any 80 (msg:"blabla"; content:".."; http_uri; sid:1000000;)
When I run curl http://xxxx/.. (or curl http://xxxx/../.. or make the same requests via a browser), this alert isn't triggered (and the Apache/nginx webserver returns the index page).
I've done several tests. For instance, if I run curl https://xxxx/... (with three dots), then the alert is triggered (and the webserver gives a 404 error).
On the other hand, if I change the alert to this one: alert http any any -> any 80 (msg:"blabla"; content:"|2e 2e|"; http_raw_uri; buffer; sid:100000;) it is triggered too, so it seems it's an HTTP normalizer's fault.
There's more information on these tests in https://pastebin.com/Yd7mhRsA
Thanks a lot to @Travis Green and @patstoms in #suricata IRC for giving me a lot of help and pointing me to these clues.
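
An added illustration, not part of the original report and not Suricata or libhtp code: it models URI normalization as RFC 3986 section 5.2.4 dot-segment removal (an assumption about what a normalizer does) and checks the ".." content against the raw and normalized forms of the three request paths tested above. The function names are hypothetical.

```python
# Model only: RFC 3986 dot-segment removal stands in for the engine's
# HTTP URI normalizer. It is an assumption, not the engine's actual code.

def remove_dot_segments(path: str) -> str:
    """Collapse "." and ".." path segments as RFC 3986 section 5.2.4 describes."""
    out = []
    while path:
        if path.startswith("../"):
            path = path[3:]
        elif path.startswith("./"):
            path = path[2:]
        elif path.startswith("/./"):
            path = path[2:]
        elif path == "/.":
            path = "/"
        elif path.startswith("/../"):
            path = path[3:]
            if out:
                out.pop()          # ".." removes the previous segment
        elif path == "/..":
            path = "/"
            if out:
                out.pop()
        elif path in (".", ".."):
            path = ""
        else:
            # Move the first segment (with its leading "/") to the output.
            idx = path.find("/", 1)
            if idx == -1:
                out.append(path)
                path = ""
            else:
                out.append(path[:idx])
                path = path[idx:]
    return "".join(out)


def content_hits(raw_path: str, needle: str = "..") -> dict:
    """Report whether `needle` is found in the raw and in the normalized path."""
    normalized = remove_dot_segments(raw_path)
    return {"normalized_path": normalized,
            "raw": needle in raw_path,
            "normalized": needle in normalized}


if __name__ == "__main__":
    # The three request paths from the report above.
    for p in ("/..", "/../..", "/..."):
        print(p, content_hits(p))
```

In this model "/.." and "/../.." both collapse to "/", so a ".." content match on the normalized buffer has nothing to hit while the raw buffer still contains it; "/..." is an ordinary segment, survives normalization, and matches in both.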