Bug #6547: HTTP/2 - http.response_line has leading space - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #6547

closed

HTTP/2 - http.response_line has leading space

Added by Brandon Murphy 6 months ago. Updated 5 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

8.0.0-beta1

Affected Versions:

7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, git master

Effort:

Difficulty:

Label:

Description

Consider the following following which triggers on a HTTP/2 200 response

alert http2 any any -> any any (msg:"test"; http.response_line; bsize:13; content:"|20|HTTP/2 200|0d 0a|";)

It appears to have been caused by this line
https://github.com/OISF/suricata/blob/68a2fcaad3abcd503246feca730dc2da1ff91af2/rust/src/http2/detect.rs#L548

    resp_line.extend(b" HTTP/2 ");
    resp_line.extend(status);
    resp_line.extend(b"\r\n");
    tx.resp_line.extend(resp_line)
}

I'm not 100% sure if this was intentional, if so I fail to understand the use case. I'm guessing it was a copy/paste from the request_line which did require this additional space.

Subtasks 1 (0 open — 1 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #6547

HTTP/2 - http.response_line has leading space

Updated by Victor Julien 6 months ago

Updated by Victor Julien 6 months ago

Updated by Philippe Antoine 6 months ago

Updated by OISF Ticketbot 6 months ago

Updated by OISF Ticketbot 6 months ago

Updated by Philippe Antoine 5 months ago

Updated by Philippe Antoine 5 months ago