Project

General

Profile

Actions
Copy link

Feature #5746

closed

http.connection - allow in server response

Added by Brandon Murphy 10 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
7.0.0-rc2
Effort:
Difficulty:
Label:

Description

Currently when using http.connection in combination with "to_client" produces the following error

Problem starting Suricata daemon: 7/12/2022 -- 19:57:49 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 1 mixes keywords with conflicting directions

however, for whatever reason, the connection header is often observed in the HTTP Server Response.

This limitation forces the use of http.header to match on the Connection header instead of using the more specific buffer.

Files

out.pcap (1.19 KB) out.pcap Brandon Murphy, 12/08/2022 03:49 AM
Actions
Copy link
 #1

Updated by Victor Julien 10 months ago

Can you share a pcap / SV test for a connection with connection header in to client direction?

Actions
Copy link
 #2

Updated by Brandon Murphy 10 months ago

You betcha! Attached is a pcap of a wget to a benign site which exhibits this same behavior.

Actions
Copy link
 #3

Updated by Victor Julien 6 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Philippe Antoine
  • Target version changed from TBD to 7.0.0-rc2
Actions
Copy link
 #4

Updated by Philippe Antoine 6 months ago

  • Status changed from Assigned to In Review

https://github.com/OISF/suricata/pull/8644

Tested non out.pcap with alert tcp any any -> any any (msg:"tfo test15"; flow: to_client; http.connection; content:"close"; sid:15;)

Actions
Copy link
 #5

Updated by Victor Julien 5 months ago

  • Status changed from In Review to Closed
Actions
Copy link

Also available in: Atom PDF