Bug #4615 (closed)
Multiple identical request headers will not be detected by signatures, causing attacks to bypass
Status: Rejected
Priority: Normal
Assignee: -
Target version: -
Description
I wrote the signature: `alert http any any -> any any (msg:"Header Attack";flow:established,to_server;content:"TEST:|20|evil";nocase;http_header;sid:1;rev:1;)`
Start Suricata listening on the network card: `suricata -c suricata.yaml -s signatures.rules -i enp0s3`
I send the following request message:
The attack was discovered.
But when I bypassed the attack through the same request header, Suricata did not detect the attack payload.
This will cause the attack payload to bypass Suricata. Similarly, many exploits passed the attack payload through the HTTP request header. This bypass method will cause a lot of trouble.
Best Regards.