Documentation #6781
closedhttp keywords lacking information about values from duplicate headers being concatenated
Description
Context and Current Behavior¶
Currently there are three places within the documentation that explains a condition of normalized buffers having values from duplicate headers concatenated.
http.header
If there are multiple values for the same header name, they are concatenated with a comma and space (", ") between each of them. See RFC 2616 4.2 Message Headers. To avoid that, use the http.header.raw keyword.
http.user_agent
If a request contains multiple "User-Agent" headers, the values will be concatenated in the http.user_agent buffer, in the order seen from top to bottom, with a comma and space (", ") between each of them.
http.host
If a request contains multiple "Host" headers, the values will be concatenated in the http.host and http.host.raw buffers, in the order seen from top to bottom, with a comma and space (", ") between each of them.
However, it appears this behavior applies to more than just the noted keywords, as this behavior is also observed with http.content_type
I've attached a pcap that can be used to replicate this behavior, it can be tested with the following
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Test for concatenated content_type"; flow:established,to_server; http.content_type; content:"text/html, image/gif"; sid:1;)
Expected Behavior¶
I believe the documents should be updated to include this reference on all keywords it applies to, or create a new section that covers this behavior and provides of a list of impacted keywords.
Files
Updated by Brandon Murphy 9 months ago
- Tracker changed from Bug to Documentation
Updated by Jason Taylor 9 months ago
- Assignee changed from OISF Dev to Jason Taylor
Will tackle this after we see about getting #3025 updates merged in. I think this would be too much to include in that ticket but willing to include it if others think it would not be too much.
Updated by Jason Taylor 7 months ago
- Status changed from New to In Progress
Updated by Juliana Fajardini Reichow 7 months ago
- Target version changed from TBD to 8.0.0-beta1
Updated by Jason Taylor 7 months ago
- Status changed from In Progress to Closed