Project

General

Profile

Actions

Bug #3504

closed

http.header.raw prematurely truncates in some conditions

Added by Brandon Murphy almost 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport

Description

In attempting to create a signature for the attached pcap, I found an unexpected behavior in suricata 5.0.0+ as it relates to the http.header.raw/http_raw_header keywords. It appears given the provide pcap, the buffer is prematurely truncated as confirmed by sid:5; below matching on the shorted bsize of the buffer.

I have also confirmed this bug exists in the latest from git-master (6.0.0-dev (a2d91d9bf 2020-02-25))

# works fine with suri 4.1.5 but not suri5
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; content:"Server|3a 20 20 20 20 20 20 20|Yx|28|"; http_raw_header; sid:1;)

# doesn't work in suri5
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; http.header.raw; content:"Server|3a 20 20 20 20 20 20 20|Yx|28|"; sid:2;)
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; http.header.raw; content:"Server|3a 20 20 20 20 20 20 20|Yx"; sid:3;)

# works in suri5
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; http.header.raw; content:"Server|3a 20 20 20 20 20 20 20|"; sid:4;)
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; http.header.raw; bsize:14; content:"Server|3a 20 20 20 20 20 20 20|"; sid:5;)


Files

http_raw_header_bug.pcap (4.56 KB) http_raw_header_bug.pcap Brandon Murphy, 02/25/2020 05:46 PM

Related issues 1 (0 open1 closed)

Copied to Suricata - Bug #3798: http.header.raw prematurely truncates in some conditionsClosedAngelo MirabellaActions
Actions #1

Updated by Jeff Lucovsky over 4 years ago

  • Status changed from New to In Review
  • Label Needs backport added
Actions #2

Updated by Jeff Lucovsky over 4 years ago

  • Assignee set to Angelo Mirabella
Actions #3

Updated by Victor Julien over 4 years ago

  • Target version set to 6.0.0beta1
Actions #4

Updated by Victor Julien over 4 years ago

  • Status changed from In Review to Closed
Actions #5

Updated by Victor Julien over 4 years ago

  • Copied to Bug #3798: http.header.raw prematurely truncates in some conditions added
Actions

Also available in: Atom PDF