Suricata

In attempting to create a signature for the attached pcap, I found an unexpected behavior in suricata 5.0.0+ as it relates to the http.header.raw/http_raw_header keywords. It appears given the provide pcap, the buffer is prematurely truncated as confirmed by sid:5; below matching on the shorted bsize of the buffer.

I have also confirmed this bug exists in the latest from git-master (6.0.0-dev (a2d91d9bf 2020-02-25))

# works fine with suri 4.1.5 but not suri5
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; content:"Server|3a 20 20 20 20 20 20 20|Yx|28|"; http_raw_header; sid:1;)

# doesn't work in suri5
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; http.header.raw; content:"Server|3a 20 20 20 20 20 20 20|Yx|28|"; sid:2;)
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; http.header.raw; content:"Server|3a 20 20 20 20 20 20 20|Yx"; sid:3;)

# works in suri5
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; http.header.raw; content:"Server|3a 20 20 20 20 20 20 20|"; sid:4;)
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; http.header.raw; bsize:14; content:"Server|3a 20 20 20 20 20 20 20|"; sid:5;)