Project

General

Profile

Actions

Documentation #6781

closed

http keywords lacking information about values from duplicate headers being concatenated

Added by Brandon Murphy 5 months ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Context and Current Behavior

Currently there are three places within the documentation that explains a condition of normalized buffers having values from duplicate headers concatenated.

http.header

If there are multiple values for the same header name, they are concatenated with a comma and space (", ") between each of them. See RFC 2616 4.2 Message Headers. To avoid that, use the http.header.raw keyword.

http.user_agent

If a request contains multiple "User-Agent" headers, the values will be concatenated in the http.user_agent buffer, in the order seen from top to bottom, with a comma and space (", ") between each of them.

http.host

If a request contains multiple "Host" headers, the values will be concatenated in the http.host and http.host.raw buffers, in the order seen from top to bottom, with a comma and space (", ") between each of them.

However, it appears this behavior applies to more than just the noted keywords, as this behavior is also observed with http.content_type

I've attached a pcap that can be used to replicate this behavior, it can be tested with the following

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Test for concatenated content_type"; flow:established,to_server; http.content_type; content:"text/html, image/gif"; sid:1;)

Expected Behavior

I believe the documents should be updated to include this reference on all keywords it applies to, or create a new section that covers this behavior and provides of a list of impacted keywords.


Files

11825c7829cba74.pcap (528 Bytes) 11825c7829cba74.pcap Brandon Murphy, 02/14/2024 07:03 PM
Actions #1

Updated by Brandon Murphy 5 months ago

  • Tracker changed from Bug to Documentation
Actions #2

Updated by Brandon Murphy 5 months ago

  • Description updated (diff)
Actions #3

Updated by Jason Taylor 5 months ago

  • Assignee changed from OISF Dev to Jason Taylor

Will tackle this after we see about getting #3025 updates merged in. I think this would be too much to include in that ticket but willing to include it if others think it would not be too much.

Actions #4

Updated by Jason Taylor 3 months ago

  • Status changed from New to In Progress
Actions #5

Updated by Juliana Fajardini Reichow 3 months ago

  • Target version changed from TBD to 8.0.0-beta1
Actions #6

Updated by Jason Taylor 2 months ago

  • Status changed from In Progress to Closed
Actions

Also available in: Atom PDF