Bug #3504
http.header.raw prematurely truncates in some conditions
Status: Closed
Description
In attempting to create a signature for the attached pcap, I found an unexpected behavior in Suricata 5.0.0+ as it relates to the http.header.raw/http_raw_header keywords. It appears that, given the provided pcap, the buffer is prematurely truncated, as confirmed by sid:5 below matching on the shortened bsize of the buffer.
I have also confirmed this bug exists in the latest git master (6.0.0-dev (a2d91d9bf 2020-02-25)).
# works fine with suri 4.1.5 but not suri5
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; content:"Server|3a 20 20 20 20 20 20 20|Yx|28|"; http_raw_header; sid:1;)

# doesn't work in suri5
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; http.header.raw; content:"Server|3a 20 20 20 20 20 20 20|Yx|28|"; sid:2;)
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; http.header.raw; content:"Server|3a 20 20 20 20 20 20 20|Yx"; sid:3;)

# works in suri5
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; http.header.raw; content:"Server|3a 20 20 20 20 20 20 20|"; sid:4;)
alert http $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; http.header.raw; bsize:14; content:"Server|3a 20 20 20 20 20 20 20|"; sid:5;)
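The match pattern in the report (sids 1-3 miss, sids 4 and 5 hit) pins the buffer length: `Server|3a 20 20 20 20 20 20 20|` decodes to 14 bytes, so a `bsize:14` hit means the raw header buffer ends right where the Server value begins. The script below is an added illustration, not code from the reporter or from the Suricata project: it decodes the `|hex|` content syntax, emulates a single content match with an optional `bsize` check, and runs the five rules against a constructed header block (an assumption, not the contents of the attached pcap) in both its full and 14-byte-truncated forms.

```python
from typing import Dict, Optional

# Constructed sample of the kind of raw response header block the rules target:
# a Server header whose value starts with seven spaces and "Yx(". This is an
# assumption for illustration, not the data in the attached pcap.
FULL_RAW_HEADER = (
    b"Server:" + b" " * 7 + b"Yx(1.0)\r\n"
    + b"Content-Type: text/html\r\n"
    + b"Content-Length: 0\r\n"
)

# The buffer the report's sid:5 hit implies Suricata 5 is actually inspecting:
# the first 14 bytes only (hypothesised from bsize:14, not observed directly).
TRUNCATED_RAW_HEADER = FULL_RAW_HEADER[:14]

# (sid, content string as written in the rule, bsize or None) for sids 1-5.
RULES = [
    (1, "Server|3a 20 20 20 20 20 20 20|Yx|28|", None),
    (2, "Server|3a 20 20 20 20 20 20 20|Yx|28|", None),
    (3, "Server|3a 20 20 20 20 20 20 20|Yx", None),
    (4, "Server|3a 20 20 20 20 20 20 20|", None),
    (5, "Server|3a 20 20 20 20 20 20 20|", 14),
]


def parse_content(pattern: str) -> bytes:
    """Decode a Suricata content: string.

    Text between pipe characters is a run of space-separated hex bytes;
    everything outside the pipes is taken literally.
    """
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 1:  # odd segments sit inside |...|
            out += bytes(int(h, 16) for h in part.split())
        else:
            out += part.encode("latin-1")
    return bytes(out)


def rule_matches(buffer: bytes, content: str, bsize: Optional[int] = None) -> bool:
    """Emulate a sticky-buffer rule with one content match and optional bsize.

    bsize:N requires the inspected buffer to be exactly N bytes long; the
    content must then appear somewhere in that buffer.
    """
    if bsize is not None and len(buffer) != bsize:
        return False
    return parse_content(content) in buffer


def evaluate(buffer: bytes) -> Dict[int, bool]:
    """Return {sid: matched} for every rule in RULES against one buffer."""
    return {sid: rule_matches(buffer, content, bsize) for sid, content, bsize in RULES}


if __name__ == "__main__":
    for label, buf in (("full", FULL_RAW_HEADER), ("truncated", TRUNCATED_RAW_HEADER)):
        print(f"{label} buffer ({len(buf)} bytes): {evaluate(buf)}")
```

Against the full header block every content rule fires and only the `bsize:14` rule stays quiet; against the 14-byte buffer the outcome flips to exactly the pattern the report describes (sids 1-3 silent, 4 and 5 alerting), which is the diagnostic value of pairing a short `content` with a `bsize` probe when a sticky buffer seems to be losing data.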