Project

General

Profile

Actions

Bug #6547

closed

HTTP/2 - http.response_line has leading space

Added by Brandon Murphy about 1 year ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Consider the following following which triggers on a HTTP/2 200 response

alert http2 any any -> any any (msg:"test"; http.response_line; bsize:13; content:"|20|HTTP/2 200|0d 0a|";)

It appears to have been caused by this line
https://github.com/OISF/suricata/blob/68a2fcaad3abcd503246feca730dc2da1ff91af2/rust/src/http2/detect.rs#L548

    resp_line.extend(b" HTTP/2 ");
    resp_line.extend(status);
    resp_line.extend(b"\r\n");
    tx.resp_line.extend(resp_line)
}

I'm not 100% sure if this was intentional, if so I fail to understand the use case. I'm guessing it was a copy/paste from the request_line which did require this additional space.


Subtasks 1 (0 open1 closed)

Bug #6558: HTTP/2 - http.response_line has leading space (7.0.x backport)ClosedPhilippe AntoineActions
Actions #1

Updated by Victor Julien about 1 year ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Philippe Antoine
  • Priority changed from Normal to High
  • Label Needs backport to 7.0 added

Looks like a bug indeed.

Actions #2

Updated by Victor Julien about 1 year ago

  • Target version changed from TBD to 8.0.0-beta1
Actions #3

Updated by Philippe Antoine 12 months ago

  • Status changed from Assigned to In Review
Actions #4

Updated by OISF Ticketbot 12 months ago

  • Subtask #6558 added
Actions #5

Updated by OISF Ticketbot 12 months ago

  • Label deleted (Needs backport to 7.0)
Actions #6

Updated by Philippe Antoine 11 months ago

  • Status changed from In Review to Resolved
Actions #7

Updated by Philippe Antoine 11 months ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF