Actions
Bug #7843
closedhttp: dissection anomaly on `Content-Encoding: identity`
Affected Versions:
Effort:
Difficulty:
Label:
Description
During an attack-defense CTF, I captured the following exchange between a Python HTTPX client and an ASP.NET server (behing a NGINX reverse-proxy).
GET /demo HTTP/1.1 Host: 10.1.128.1:1729 Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.28.1 Accept: text/event-stream content-type: application/json Cache-Control: no-store Authorization: Bearer REDACTED HTTP/1.1 200 OK Server: nginx/1.29.0 Date: Sat, 19 Jul 2025 13:09:05 GMT Content-Type: text/event-stream Transfer-Encoding: chunked Connection: keep-alive Cache-Control: no-cache,no-store Content-Encoding: identity REDACTED
Suricata generates the following anomaly:
{"app_proto":"http","type":"applayer","event":"ABNORMAL_CE_HEADER","layer":"proto_parser"}
Maybe `Content-Encoding: identity` should be allowed in Suricata if real-world servers are using it?
Some helpful context: https://github.com/mdn/content/issues/1964
Updated by Victor Julien about 2 months ago
- Assignee changed from OISF Dev to Philippe Antoine
Updated by Philippe Antoine about 1 month ago
- Status changed from New to In Review
- Target version changed from TBD to 8.0.1
Updated by OISF Ticketbot about 1 month ago
- Label deleted (
Needs backport to 7.0)
Updated by Philippe Antoine about 1 month ago
- Status changed from In Review to Resolved
Updated by Victor Julien 16 days ago
- Subject changed from HTTP dissection anomaly on `Content-Encoding: identity` to http: dissection anomaly on `Content-Encoding: identity`
Actions