Project

General

Profile

Actions

Bug #6736

closed

http.request_header and http.response_header behavior with HTTP1 traffic

Added by Jason Taylor 3 months ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I was working on ticket #3025 and reviewing the http.request_header and http.response_header keywords and found they did not work as I expected from reading the existing documentation with regard to HTTP1 traffic.

Using a signature with either keyword http.request_header or http.response_header and using any header and value other than the last header in the header request or response header list did not trigger an alert on HTTP1 traffic.


Files

http.request_response_header.pcap (1.36 KB) http.request_response_header.pcap Jason Taylor, 02/05/2024 10:15 PM

Related issues 2 (0 open2 closed)

Related to Suricata - Security #6441: detect: heap use after free with http.request_header keywordClosedPhilippe AntoineActions
Related to Suricata - Bug #6483: http.request_headers - odd behavior with multiple signtures ClosedPhilippe AntoineActions
Actions #1

Updated by Jason Taylor 3 months ago

Jason Taylor wrote:

I was working on ticket #3025 and reviewing the http.request_header and http.response_header keywords and found they did not work as I expected from reading the existing documentation with regard to HTTP1 traffic.

Using a signature with either keyword http.request_header or http.response_header and using any header and value other than the last header in the header request or response header list did not trigger an alert on HTTP1 traffic.

Signature examples for the attached pcap that do not fire:

alert http any any -> any any (msg:"request_header"; flow:established,to_server; http.request_header; content:"Connection|3a 20|"; classtype:bad-unknown; sid:1; rev:1;)

alert http any any -> any any (msg:"response_header"; flow:established,to_client; http.response_header; content:"Connection|3a 20|"; classtype:bad-unknown; sid:2; rev:1;)

Signature examples for the attached pcap that fire alerts:

alert http any any -> any any (msg:"request_header"; flow:established,to_server; http.request_header; content:"User-Agent|3a 20|"; classtype:bad-unknown; sid:1; rev:1;)

alert http any any -> any any (msg:"response_header"; flow:established,to_client; http.response_header; content:"Date|3a 20|"; classtype:bad-unknown; sid:2; rev:1;)

Actions #2

Updated by Jason Taylor 3 months ago

  • File deleted (73a47bb9bcb1e285e63a1082a9711c73-2.pcap)
Actions #4

Updated by Jason Taylor 3 months ago

As a side note, I was looking for suricata-verify tests for HTTP1 traffic for the http.request_header and http.response_header keywords and didn't see any. I can submit a PR for some tests if that would be wanted.

Actions #5

Updated by Victor Julien 2 months ago

  • Status changed from New to Closed
  • Assignee changed from OISF Dev to Philippe Antoine
  • Target version changed from TBD to 7.0.3

This has been fixed in 7.0.3 as part of work around #6441.

Actions #6

Updated by Victor Julien 2 months ago

  • Related to Security #6441: detect: heap use after free with http.request_header keyword added
Actions #7

Updated by Victor Julien 2 months ago

@Jason Taylor a SV test would be most welcome!

Actions #8

Updated by Victor Julien 2 months ago

  • Affected Versions 7.0.1, 7.0.2 added
Actions #9

Updated by Brandon Murphy 2 months ago

Victor Julien wrote in #note-5:

This has been fixed in 7.0.3 as part of work around #6441.

is 6441 a private issue? I get a 403 when accessing it.

Actions #10

Updated by Philippe Antoine 2 months ago

Yes #6441 is a private issue

See https://github.com/OISF/suricata-verify/pull/1637 with the pcap and rules from this ticket

Actions #11

Updated by Philippe Antoine 2 months ago

  • Related to Bug #6483: http.request_headers - odd behavior with multiple signtures added
Actions

Also available in: Atom PDF