Project

General

Profile

Actions

Bug #6547

closed

HTTP/2 - http.response_line has leading space

Added by Brandon Murphy about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Consider the following following which triggers on a HTTP/2 200 response

alert http2 any any -> any any (msg:"test"; http.response_line; bsize:13; content:"|20|HTTP/2 200|0d 0a|";)

It appears to have been caused by this line
https://github.com/OISF/suricata/blob/68a2fcaad3abcd503246feca730dc2da1ff91af2/rust/src/http2/detect.rs#L548

    resp_line.extend(b" HTTP/2 ");
    resp_line.extend(status);
    resp_line.extend(b"\r\n");
    tx.resp_line.extend(resp_line)
}

I'm not 100% sure if this was intentional, if so I fail to understand the use case. I'm guessing it was a copy/paste from the request_line which did require this additional space.


Subtasks 1 (0 open1 closed)

Bug #6558: HTTP/2 - http.response_line has leading space (7.0.x backport)ClosedPhilippe AntoineActions
Actions

Also available in: Atom PDF