Actions
Bug #4248
openSuricata HTTP protocol resolves hostname exception
Affected Versions:
Effort:
Difficulty:
Label:
Description
Hi,Suricata Team:
Suricata is parsing the following http request and there is an exception for hostname in the http request header. I’m not sure if this is a bug or not, but it seems to affect the normal analysis.
Suricata: 6.0.0 ~ 6.0.1
I used BurpSuite for testing, and from the HTTP event it is clear that the value of http.hostname is the value of http.url. However, the real hostname is in request_headers. {“name:” “Host”, “value”: “xx.yy.zz:58080”}
{
"timestamp": "2020-12-09T13:42:49.171420+0800",
"flow_id": 748011031979314,
"in_iface": "ens224",
"event_type": "http",
"src_ip": "218.94.92.98",
"src_port": 58947,
"dest_ip": "192.168.199.11",
"dest_port": 58080,
"proto": "TCP",
"tx_id": 0,
"http": {
"hostname": "scanme.io",
"url": "http://scanme.io",
"http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
"http_content_type": "text/html",
"http_method": "GET",
"protocol": "HTTP/1.1",
"status": 404,
"length": 469,
"request_headers": [
{
"name": "Host",
"value": "xx.yy.zz:58080"
},
{
"name": "Upgrade-Insecure-Requests",
"value": "1"
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
},
{
"name": "Accept",
"value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
},
{
"name": "Accept-Encoding",
"value": "gzip, deflate"
},
{
"name": "Accept-Language",
"value": "zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7"
},
{
"name": "Connection",
"value": "close"
}
],
"response_headers": [
{
"name": "Server",
"value": "SimpleHTTP/0.6 Python/3.8.5"
},
{
"name": "Date",
"value": "Wed, 09 Dec 2020 05:42:49 GMT"
},
{
"name": "Connection",
"value": "close"
},
{
"name": "Content-Type",
"value": "text/html;charset=utf-8"
},
{
"name": "Content-Length",
"value": "469"
}
]
}
}
Updated by Philippe Antoine almost 4 years ago
Could you share a pcap producing this behavior ?
Updated by Philippe Antoine 6 months ago
- Status changed from New to Feedback
- Target version set to TBD
Actions