Documentation #6781
closed
http keywords lacking information about values from duplicate headers being concatenated
Description
Context and Current Behavior
Currently there are three places within the documentation that explain a condition of normalized buffers having values from duplicate headers concatenated.
http.header
If there are multiple values for the same header name, they are concatenated with a comma and space (", ") between each of them. See RFC 2616 4.2 Message Headers. To avoid that, use the http.header.raw keyword.
http.user_agent
If a request contains multiple "User-Agent" headers, the values will be concatenated in the http.user_agent buffer, in the order seen from top to bottom, with a comma and space (", ") between each of them.
http.host
If a request contains multiple "Host" headers, the values will be concatenated in the http.host and http.host.raw buffers, in the order seen from top to bottom, with a comma and space (", ") between each of them.
However, it appears this behavior applies to more than just the noted keywords, as this behavior is also observed with http.content_type.
I've attached a pcap that can be used to replicate this behavior; it can be tested with the following:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Test for concatenated content_type"; flow:established,to_server; http.content_type; content:"text/html, image/gif"; sid:1;)
Expected Behavior
I believe the documents should be updated to include this reference on all keywords it applies to, or create a new section that covers this behavior and provides a list of impacted keywords.
Files
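The concatenation described in this issue, modeled in Python as an added example (not code from the ticket or from Suricata): it joins duplicate header values with ", " in wire order and checks the test rule's content string against the joined value and against each header line separately. The request bytes are constructed, and the function names are hypothetical.

```python
from collections import Counter

SEP = ", "  # separator quoted in the documentation excerpts above

# Constructed sample request (not taken from the attached pcap).
RAW_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: text/html\r\n"
    b"User-Agent: sample-agent\r\n"
    b"Content-Type: image/gif\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

def parse_headers(raw):
    """Return (lowercased name, value) pairs in wire order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def normalized_buffer(pairs, name):
    """Join all values for one header, top to bottom, with ', '."""
    return SEP.join(v for n, v in pairs if n == name.lower())

def duplicated(pairs):
    """Header names that occur more than once in the request."""
    counts = Counter(n for n, _ in pairs)
    return [n for n, c in counts.items() if c > 1]

def compare(pairs, name, content):
    """Does `content` match the joined buffer, and any single value?"""
    values = [v for n, v in pairs if n == name.lower()]
    return {
        "concatenated": content in SEP.join(values),
        "per_header": any(content in v for v in values),
    }

if __name__ == "__main__":
    hdrs = parse_headers(RAW_REQUEST)
    print(duplicated(hdrs))
    print(normalized_buffer(hdrs, "Content-Type"))
    print(compare(hdrs, "Content-Type", "text/html, image/gif"))
```

The content string from the test rule matches only the joined value, never an individual header line, which is why the keyword documentation needs to state the concatenation.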
Updated by Brandon Murphy about 1 year ago
- Tracker changed from Bug to Documentation
Updated by Jason Taylor about 1 year ago
- Assignee changed from OISF Dev to Jason Taylor
Will tackle this after we see about getting #3025 updates merged in. I think this would be too much to include in that ticket but willing to include it if others think it would not be too much.
Updated by Jason Taylor 10 months ago
- Status changed from New to In Progress
Updated by Juliana Fajardini Reichow 10 months ago
- Target version changed from TBD to 8.0.0-beta1
Updated by Jason Taylor 10 months ago
- Status changed from In Progress to Closed