Bug #6736
closedhttp.request_header and http.response_header behavior with HTTP1 traffic
Description
I was working on ticket #3025 and reviewing the http.request_header and http.response_header keywords and found they did not work as I expected from reading the existing documentation with regard to HTTP1 traffic.
Using a signature with either keyword http.request_header or http.response_header and using any header and value other than the last header in the header request or response header list did not trigger an alert on HTTP1 traffic.
Files
Updated by Jason Taylor 10 months ago
Jason Taylor wrote:
I was working on ticket #3025 and reviewing the http.request_header and http.response_header keywords and found they did not work as I expected from reading the existing documentation with regard to HTTP1 traffic.
Using a signature with either keyword http.request_header or http.response_header and using any header and value other than the last header in the header request or response header list did not trigger an alert on HTTP1 traffic.
Signature examples for the attached pcap that do not fire:
alert http any any -> any any (msg:"request_header"; flow:established,to_server; http.request_header; content:"Connection|3a 20|"; classtype:bad-unknown; sid:1; rev:1;)
alert http any any -> any any (msg:"response_header"; flow:established,to_client; http.response_header; content:"Connection|3a 20|"; classtype:bad-unknown; sid:2; rev:1;)
Signature examples for the attached pcap that fire alerts:
alert http any any -> any any (msg:"request_header"; flow:established,to_server; http.request_header; content:"User-Agent|3a 20|"; classtype:bad-unknown; sid:1; rev:1;)
alert http any any -> any any (msg:"response_header"; flow:established,to_client; http.response_header; content:"Date|3a 20|"; classtype:bad-unknown; sid:2; rev:1;)
Updated by Jason Taylor 10 months ago
- File deleted (
73a47bb9bcb1e285e63a1082a9711c73-2.pcap)
Updated by Jason Taylor 10 months ago
Updated by Jason Taylor 10 months ago
As a side note, I was looking for suricata-verify tests for HTTP1 traffic for the http.request_header and http.response_header keywords and didn't see any. I can submit a PR for some tests if that would be wanted.
Updated by Victor Julien 9 months ago
- Status changed from New to Closed
- Assignee changed from OISF Dev to Philippe Antoine
- Target version changed from TBD to 7.0.3
This has been fixed in 7.0.3 as part of work around #6441.
Updated by Victor Julien 9 months ago
- Related to Security #6441: detect: heap use after free with http.request_header keyword added
Updated by Victor Julien 9 months ago
@Jason Taylor a SV test would be most welcome!
Updated by Philippe Antoine 9 months ago
Yes #6441 is a private issue
See https://github.com/OISF/suricata-verify/pull/1637 with the pcap and rules from this ticket
Updated by Philippe Antoine 9 months ago
- Related to Bug #6483: http.request_headers - odd behavior with multiple signtures added