Bug #7843

open

HTTP dissection anomaly on `Content-Encoding: identity`

Added by A. IOOSS 25 days ago. Updated 7 days ago.

Status: Resolved
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

During an attack-defense CTF, I captured the following exchange between a Python HTTPX client and an ASP.NET server (behind an NGINX reverse proxy).

GET /demo HTTP/1.1
Host: 10.1.128.1:1729
Accept-Encoding: gzip, deflate
Connection: keep-alive
User-Agent: python-httpx/0.28.1
Accept: text/event-stream
content-type: application/json
Cache-Control: no-store
Authorization: Bearer REDACTED

HTTP/1.1 200 OK
Server: nginx/1.29.0
Date: Sat, 19 Jul 2025 13:09:05 GMT
Content-Type: text/event-stream
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache,no-store
Content-Encoding: identity

REDACTED

Suricata generates the following anomaly:

{"app_proto":"http","type":"applayer","event":"ABNORMAL_CE_HEADER","layer":"proto_parser"}

Maybe `Content-Encoding: identity` should be allowed in Suricata if real-world servers are using it?

Some helpful context: https://github.com/mdn/content/issues/1964
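
An added example, not part of the original report and not Suricata's or libhtp's code: one way a dissector could separate a harmless `identity` token from a genuinely unrecognised `Content-Encoding` value. The allow-list, function names and the second sample response are assumptions made for the illustration.

```python
# Added illustration; not Suricata or libhtp code.
# Codings from the IANA HTTP content-coding registry (assumed allow-list).
KNOWN_CODINGS = {"gzip", "x-gzip", "deflate", "compress", "x-compress", "br", "zstd"}

# Response head from the report, rebuilt with CRLF line endings.
REPORTED_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.29.0\r\n"
    b"Content-Type: text/event-stream\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Encoding: identity\r\n"
    b"\r\n"
)
# Constructed sample: one real coding, a mixed-case identity, one unknown token.
CONSTRUCTED_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"content-encoding: gzip, Identity\r\n"
    b"Content-Encoding: bogus\r\n"
    b"\r\n"
)

def content_codings(raw_head: bytes) -> list:
    """Lowercased Content-Encoding tokens, in header order, across repeated headers."""
    tokens = []
    for line in raw_head.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                               # blank line ends the header block
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-encoding":
            for tok in value.decode("latin-1").split(","):
                if tok.strip():
                    tokens.append(tok.strip().lower())
    return tokens

def classify(raw_head: bytes) -> tuple:
    """Return (codings_to_decode, abnormal_tokens); identity is a no-op."""
    to_decode, abnormal = [], []
    for tok in content_codings(raw_head):
        if tok == "identity":
            continue                            # no transformation, nothing to flag
        (to_decode if tok in KNOWN_CODINGS else abnormal).append(tok)
    return to_decode, abnormal

if __name__ == "__main__":
    print(classify(REPORTED_HEAD))
    print(classify(CONSTRUCTED_HEAD))
```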


Subtasks 1 (1 open, 0 closed)

Bug #7862: HTTP dissection anomaly on `Content-Encoding: identity` (7.0.x backport) | Resolved | Philippe Antoine
Actions #1

Updated by A. IOOSS 25 days ago

  • Description updated (diff)
Actions #2

Updated by Victor Julien 24 days ago

  • Assignee changed from OISF Dev to Philippe Antoine
Actions #3

Updated by Philippe Antoine 11 days ago

  • Label Needs backport to 7.0 added
Actions #4

Updated by Philippe Antoine 11 days ago

  • Status changed from New to In Review
  • Target version changed from TBD to 8.0.1
Actions #5

Updated by OISF Ticketbot 11 days ago

  • Subtask #7862 added
Actions #6

Updated by OISF Ticketbot 11 days ago

  • Label deleted (Needs backport to 7.0)
Actions #7

Updated by Philippe Antoine 7 days ago

  • Status changed from In Review to Resolved