Project

General

Profile

Actions
Copy link

Bug #3998

closed

HTTP2: invalid header anomaly

Added by David Beckett over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Low
Assignee:
Philippe Antoine
Target version:
6.0.0
Affected Versions:
6.0.0rc1
Effort:
Difficulty:
Label:

Description

I'm getting a HTTP invalid_header anomaly on instagram. The alert doesn't seem to appear too often and it's hard to actually trigger it, so it's a low priority bug.

I've attached a pcap

jq '.event_type' /tmp/eve.json | sort | uniq -c | sort -n
1 "stats"
2 "flow"
21 "fileinfo"
24 "http"
31 "anomaly"

{"timestamp":"2020-10-05T07:04:51.102483-0400","flow_id":21414669293269,"pcap_cnt":276,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51824,"dest_ip":"157.240.18.19","dest_port":443,"proto":"TCP","tx_id":17,"community_id":"1:q/HxVAIJcyyaUnaba
Mfma6PfP3s=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_header","layer":"proto_parser"}} {"timestamp":"2020-10-05T07:05:06.816392-0400","flow_id":21414669293269,"pcap_cnt":306,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51824,"dest_ip":"157.240.18.19","dest_port":443,"proto":"TCP","tx_id":23,"community_id":"1:q/HxVAIJcyyaUnaba
Mfma6PfP3s=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_header","layer":"proto_parser"}}
...

Files

insta_inv_header.pcapng (1.61 MB) insta_inv_header.pcapng David Beckett, 10/05/2020 11:15 AM
Actions
Copy link

Also available in: Atom PDF