Bug #7843

open

HTTP dissection anomaly on `Content-Encoding: identity`

Added by A. IOOSS 5 days ago. Updated 4 days ago.

Status: New
Priority: Normal

Description

During an attack-defense CTF, I captured the following exchange between a Python HTTPX client and an ASP.NET server (behind an NGINX reverse-proxy).

```
GET /demo HTTP/1.1
Host: 10.1.128.1:1729
Accept-Encoding: gzip, deflate
Connection: keep-alive
User-Agent: python-httpx/0.28.1
Accept: text/event-stream
content-type: application/json
Cache-Control: no-store
Authorization: Bearer REDACTED

HTTP/1.1 200 OK
Server: nginx/1.29.0
Date: Sat, 19 Jul 2025 13:09:05 GMT
Content-Type: text/event-stream
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache,no-store
Content-Encoding: identity

REDACTED
```

Suricata generates the following anomaly:

```
{"app_proto":"http","type":"applayer","event":"ABNORMAL_CE_HEADER","layer":"proto_parser"}
```

Maybe `Content-Encoding: identity` should be allowed in Suricata if real-world servers are using it?

Some helpful context: https://github.com/mdn/content/issues/1964
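
For triaging this anomaly offline, the following Python is an added example (not code from the report or from Suricata) that parses a response head like the one captured above and separates `identity`-only values, which denote no transformation of the body, from codings that need a decoder or are unrecognised. The function names, the labels and the `KNOWN_CODINGS` set are assumptions of this example; the constructed heads are marked as such.

```python
# Added example; not Suricata's parser logic. Names and labels are hypothetical.
KNOWN_CODINGS = {"gzip", "x-gzip", "deflate", "compress", "x-compress", "br", "zstd"}

# Response head from the report above (Date/Connection/Cache-Control and body omitted).
REPORTED_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.29.0\r\n"
    b"Content-Type: text/event-stream\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Encoding: identity\r\n"
    b"\r\n"
)

# Constructed heads covering the other outcomes.
CONSTRUCTED = {
    "none": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nbody",
    "known": b"HTTP/1.1 200 OK\r\ncontent-encoding: GZIP\r\n\r\n",
    "identity-mixed": b"HTTP/1.1 200 OK\r\nContent-Encoding: identity, gzip\r\n\r\n",
    "unknown": b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\nContent-Encoding: rot13\r\n\r\n",
}

def content_codings(raw_head: bytes) -> list[str]:
    """Lower-cased coding tokens from every Content-Encoding line, in order."""
    tokens = []
    lines = raw_head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"content-encoding":
            continue
        # The header value is a comma-separated list; repeated headers append to it.
        tokens += [t.strip().lower() for t in value.decode("latin-1").split(",") if t.strip()]
    return tokens

def classify(raw_head: bytes) -> str:
    """Label a response head by what its Content-Encoding implies for body inspection."""
    codings = content_codings(raw_head)
    if not codings:
        return "none"            # header absent: body is as sent
    real = [c for c in codings if c != "identity"]
    if not real:
        return "identity-only"   # no transformation: body can be inspected as-is
    if not all(c in KNOWN_CODINGS for c in real):
        return "unknown"         # a coding this example cannot decode: needs a closer look
    return "known" if len(real) == len(codings) else "identity-mixed"

if __name__ == "__main__":
    print("reported:", classify(REPORTED_HEAD))
    for expected, head in CONSTRUCTED.items():
        print(expected, "->", classify(head))
```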

#1

Updated by A. IOOSS 5 days ago

  • Description updated

#2

Updated by Victor Julien 4 days ago

  • Assignee changed from OISF Dev to Philippe Antoine