Project

General

Profile

Actions

Feature #6425

closed

HTTP/2 - new app-layer-event when `:authority` and `host` headers do not match

Added by Brandon Murphy about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

as perf RFC 9113 (HTTP/2)

A server SHOULD treat a request as malformed if it contains a Host header field that identifies an entity that differs from the entity in the ":authority" pseudo-header field. The values of fields need to be normalized to compare them (see Section 6.2 of [RFC3986]).

I am requesting a new app-layer-event be created to alert on this condition occurring.


Files

authority_and_host_2.pcap (1.12 KB) authority_and_host_2.pcap Brandon Murphy, 10/30/2023 01:14 PM

Subtasks 1 (0 open1 closed)

Feature #6429: HTTP/2 - new app-layer-event when `:authority` and `host` headers do not match (6.0.x backport)ClosedPhilippe AntoineActions

Related issues 1 (1 open0 closed)

Related to Suricata - Feature #6424: HTTP/2 - http.host behavior when both :authority pseudo header and host header are presentFeedbackOISF DevActions
Actions #1

Updated by Victor Julien about 1 year ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Philippe Antoine
  • Target version changed from TBD to 7.0.3
  • Label Needs backport to 6.0 added

Brandon, do you have a pcap for this we can use in a SV test?

Actions #2

Updated by OISF Ticketbot about 1 year ago

  • Subtask #6429 added
Actions #3

Updated by OISF Ticketbot about 1 year ago

  • Label deleted (Needs backport to 6.0)
Actions #4

Updated by Brandon Murphy about 1 year ago

Attached pcap of this occurring

Actions #5

Updated by Victor Julien about 1 year ago

Thanks Brandon!

Actions #6

Updated by Philippe Antoine about 1 year ago

  • Status changed from Assigned to In Review
Actions #7

Updated by Philippe Antoine about 1 year ago

  • Status changed from In Review to Resolved
Actions #8

Updated by Philippe Antoine about 1 year ago

  • Status changed from Resolved to Closed
Actions #9

Updated by Philippe Antoine 11 months ago

  • Related to Feature #6424: HTTP/2 - http.host behavior when both :authority pseudo header and host header are present added
Actions

Also available in: Atom PDF