Bug #4248

open

Suricata HTTP protocol resolves hostname exception

Added by xu hui almost 4 years ago. Updated 6 months ago.

Status:
Feedback
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi, Suricata Team:
Suricata is parsing the following HTTP request, and there is an exception for the hostname in the HTTP request header. I'm not sure if this is a bug or not, but it seems to affect the normal analysis.

Suricata: 6.0.0 ~ 6.0.1

I used BurpSuite for testing, and from the HTTP event it is clear that the value of http.hostname is the value of http.url. However, the real hostname is in request_headers: {"name": "Host", "value": "xx.yy.zz:58080"}

{
    "timestamp": "2020-12-09T13:42:49.171420+0800",
    "flow_id": 748011031979314,
    "in_iface": "ens224",
    "event_type": "http",
    "src_ip": "218.94.92.98",
    "src_port": 58947,
    "dest_ip": "192.168.199.11",
    "dest_port": 58080,
    "proto": "TCP",
    "tx_id": 0,
    "http": {
        "hostname": "scanme.io",
        "url": "http://scanme.io",
        "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
        "http_content_type": "text/html",
        "http_method": "GET",
        "protocol": "HTTP/1.1",
        "status": 404,
        "length": 469,
        "request_headers": [
            {
                "name": "Host",
                "value": "xx.yy.zz:58080" 
            },
            {
                "name": "Upgrade-Insecure-Requests",
                "value": "1" 
            },
            {
                "name": "User-Agent",
                "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" 
            },
            {
                "name": "Accept",
                "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" 
            },
            {
                "name": "Accept-Encoding",
                "value": "gzip, deflate" 
            },
            {
                "name": "Accept-Language",
                "value": "zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7" 
            },
            {
                "name": "Connection",
                "value": "close" 
            }
        ],
        "response_headers": [
            {
                "name": "Server",
                "value": "SimpleHTTP/0.6 Python/3.8.5" 
            },
            {
                "name": "Date",
                "value": "Wed, 09 Dec 2020 05:42:49 GMT" 
            },
            {
                "name": "Connection",
                "value": "close" 
            },
            {
                "name": "Content-Type",
                "value": "text/html;charset=utf-8" 
            },
            {
                "name": "Content-Length",
                "value": "469" 
            }
        ]
    }
}
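The event above shows two candidate sources for the hostname disagreeing: the authority of an absolute-form request-target (`GET http://scanme.io HTTP/1.1`, the form a proxy such as BurpSuite emits) and the Host header (`xx.yy.zz:58080`). HTTP/1.1 (RFC 7230 §5.4 and §5.5) requires a client sending an absolute-form target to send an identical Host value, and makes the request-target's authority the effective one for recipients of absolute-form requests, so the two should never differ in legitimate traffic and a request where they do is worth surfacing on its own. The following is an added example, not Suricata or libhtp code, of a small check that extracts both values from a raw request and flags the mismatch. The request bytes are constructed to mirror the report, and the function names are the example's own.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample modelled on the request in the report: the request line
# carries an absolute-form target whose authority differs from the Host header.
SAMPLE_REQUEST = (
    b"GET http://scanme.io HTTP/1.1\r\n"
    b"Host: xx.yy.zz:58080\r\n"
    b"User-Agent: example-client\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def parse_request_head(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into method, target, version and headers.

    Header names are folded to lower case; only the first occurrence of a
    repeated header is kept. Raises ValueError on a malformed head.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), value.strip())
    return method, target, version, headers


def authority_host(target: str) -> Optional[str]:
    """Host (without port) from an absolute-form request-target.

    Returns None for origin-form targets ("/path") and for targets with no
    scheme. The authority-form used by CONNECT ("host:port") is not handled.
    """
    if target.startswith("/") or "://" not in target:
        return None
    return urlsplit(target).hostname  # lower-cased; IPv6 brackets stripped


def host_header_host(headers: Dict[str, str]) -> Optional[str]:
    """Host (without port) from the Host header, or None if absent."""
    value = headers.get("host")
    if value is None:
        return None
    # Reuse the URL parser so ports and IPv6 literals are handled uniformly.
    return urlsplit("//" + value).hostname


def check_hostname_consistency(raw: bytes) -> Dict[str, object]:
    """Compare the request-target authority with the Host header.

    'effective_host' is the authority of an absolute-form target when present
    (RFC 7230 s5.5), otherwise the Host header. 'mismatch' is True only when
    both sources are present and disagree.
    """
    method, target, _version, headers = parse_request_head(raw)
    uri_host = authority_host(target)
    hdr_host = host_header_host(headers)
    effective = uri_host if uri_host is not None else hdr_host
    mismatch = uri_host is not None and hdr_host is not None and uri_host != hdr_host
    return {
        "method": method,
        "target": target,
        "uri_host": uri_host,
        "header_host": hdr_host,
        "effective_host": effective,
        "mismatch": mismatch,
    }


if __name__ == "__main__":
    result = check_hostname_consistency(SAMPLE_REQUEST)
    for key, value in result.items():
        print("%-15s %r" % (key, value))
```

Run against the constructed request this reports `uri_host` as `scanme.io`, `header_host` as `xx.yy.zz` and `mismatch` as True; an origin-form request with the same Host header yields no mismatch and falls back to the header value. Alerting on `mismatch` catches the case in the report regardless of which value a given parser chooses to log as the hostname.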
#1

Updated by Philippe Antoine almost 4 years ago

Could you share a pcap producing this behavior?

#2

Updated by Philippe Antoine 6 months ago

  • Status changed from New to Feedback
  • Target version set to TBD
#3

Updated by Philippe Antoine 6 months ago

  • Assignee set to Community Ticket