Project

General

Profile

Actions

Bug #6479

closed

HTTP/2 - when userinfo is in the :authority pseudo header it breaks http.host

Added by Brandon Murphy about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When testing the the normalized http.host field when userinfo is included in the :authority pseudo header, only the username field makes it into the http.host buffer.

Sids 2 and 3 fire on the attached pcap.

alert http any any -> any any (msg:"user info in http.host"; flow:established,to_server; http.host; content:"username|3a|password"; sid:1;)
alert http any any -> any any (msg:"user info in http.host"; flow:established,to_server; http.host; content:"username"; sid:2;)
alert http any any -> any any (msg:"user info in http.host"; flow:established,to_server; http.host; bsize:8; content:"username"; sid:3;)

I shouldn't be trusted to read this, but I think this section of code is extracting anything "up to" the first colon in the authority?

https://github.com/OISF/suricata/blob/c8a7204b159553d338a6294218e696a72efdb4db/rust/src/http2/detect.rs#L617-L624

thus resulting in the "username" value making it to http.host;

Expected Behavior: the userinfo should be removed all together, but left in http.host.raw.


Files

http2_userinfo_in_authority_1.pcap (1.05 KB) http2_userinfo_in_authority_1.pcap Brandon Murphy, 11/09/2023 01:01 PM
Actions

Also available in: Atom PDF