Open Information Security Foundation (https://redmine.openinfosecfoundation.org/)

Suricata - Bug #3483: SIP: Input not parsed when header values contain trailing spaces
https://redmine.openinfosecfoundation.org/issues/3483?journal_id=15402
2020-02-22T15:28:32Z, Sascha Steinbiss
<ul><li><strong>Affected Versions</strong> deleted (<del><i>5.0.3</i></del>)</li></ul><p>Just for the record, this actually should affect all versions.</p>

https://redmine.openinfosecfoundation.org/issues/3483?journal_id=15446
2020-02-25T14:10:52Z, Victor Julien (victor@inliniac.net)
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Review</i></li><li><strong>Assignee</strong> set to <i>Sascha Steinbiss</i></li><li><strong>Target version</strong> set to <i>6.0.0beta1</i></li><li><strong>Affected Versions</strong> <i>5.0.0, 5.0.1, 5.0.2</i> added</li><li><strong>Label</strong> <i>Needs backport</i> added</li></ul><p><a class="external" href="https://github.com/OISF/suricata/pull/4581">https://github.com/OISF/suricata/pull/4581</a></p>

https://redmine.openinfosecfoundation.org/issues/3483?journal_id=15458
2020-02-25T15:47:39Z, Jason Ish (jason.ish@oisf.net)
<ul></ul><blockquote>
<p>At the moment my patch does not preserve the trailing spaces in the parsed field. However, the patch would be even simpler if they would be kept in the parsed header fields. Not sure what might be the correct (or expected) way of handling this. (I'm inclined towards the latter).</p>
</blockquote>
<p>My take on reading the RFC is that the whitespace is not an anomaly, and should be handled by implementations, so we should probably not preserve it in our eve output, as it may make it hard to group, etc. on values.</p>

https://redmine.openinfosecfoundation.org/issues/3483?journal_id=15460
2020-02-25T15:57:15Z, Sascha Steinbiss
<ul></ul><p>Jason Ish wrote in <a href="#note-3">#note-3</a>:</p>
<blockquote><blockquote>
<p>At the moment my patch does not preserve the trailing spaces in the parsed field. However, the patch would be even simpler if they would be kept in the parsed header fields. Not sure what might be the correct (or expected) way of handling this. (I'm inclined towards the latter).</p>
</blockquote>
<p>My take on reading the RFC is that the whitespace is not an anomaly, and should be handled by implementations, so we should probably not preserve it in our eve output, as it may make it hard to group, etc. on values.</p>
</blockquote>
<p>True. Do we want to do the clipping at parse time, though, or at log time? I wonder if it might be helpful to be able to alert on additional whitespace as an indicator? Remembering <a class="external" href="https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/">https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/</a> where NanoHTTPD, the webserver used in Cobalt Strike's team servers, unintendedly returns a surplus whitespace in all its HTTP responses.</p>

https://redmine.openinfosecfoundation.org/issues/3483?journal_id=15506
2020-03-05T10:29:05Z, Victor Julien (victor@inliniac.net)
<ul><li><strong>Status</strong> changed from <i>In Review</i> to <i>Closed</i></li></ul><p><a class="external" href="https://github.com/OISF/suricata/pull/4626">https://github.com/OISF/suricata/pull/4626</a></p>

https://redmine.openinfosecfoundation.org/issues/3483?journal_id=15756
2020-03-29T17:56:19Z, Jeff Lucovsky
<ul><li><strong>Copied to</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/3577">Bug #3577</a>: SIP: Input not parsed when header values contain trailing spaces</i> added</li></ul>