<p><strong>Open Information Security Foundation</strong> - Suricata - Bug #849: Not alerting on invalid http request Content-Length - <a class="external" href="https://redmine.openinfosecfoundation.org/issues/849">https://redmine.openinfosecfoundation.org/issues/849</a></p>
<p><strong>Peter Manev</strong> (petermanev@gmail.com), 2013-07-13T11:20:34Z - <a class="external" href="https://redmine.openinfosecfoundation.org/issues/849?journal_id=3160">https://redmine.openinfosecfoundation.org/issues/849?journal_id=3160</a></p>
<ul><li><strong>File</strong> <a href="/attachments/916">Content-length-bug-noxxi-de.pcap</a> added</li></ul><p>Another such pcap added.</p>
<p>This is from the actual tool/website testing site - <a class="external" href="http://noxxi.de/research/dubious-content-length.html">http://noxxi.de/research/dubious-content-length.html</a><br />as reported by Will Metcalf.</p>
<p>Packet number 6 is one such case where the "Content-length" is 4891 but the actual data is 1448.</p>
<p>thanks</p>
<p><strong>Peter Manev</strong> (petermanev@gmail.com), 2013-07-13T12:04:07Z - <a class="external" href="https://redmine.openinfosecfoundation.org/issues/849?journal_id=3163">https://redmine.openinfosecfoundation.org/issues/849?journal_id=3163</a></p>
<p>Interesting addition - <br />with the pcap file Content-length-bug-noxxi-de.pcap - from the actual test web page, 1.4.3 alerts 25 times, like so:</p>
<pre>
07/13/2013-11:46:03.824560 [**] [1:2221008:1] SURICATA HTTP invalid content length field in response [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.221.197.243:8001 -> 192.168.1.71:4153
07/13/2013-11:46:03.691918 [**] [1:2221008:1] SURICATA HTTP invalid content length field in response [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.221.197.243:8001 -> 192.168.1.71:4144
07/13/2013-11:46:03.835038 [**] [1:2221008:1] SURICATA HTTP invalid content length field in response [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.221.197.243:8001 -> 192.168.1.71:4154
07/13/2013-11:46:03.794177 [**] [1:2221010:1] SURICATA HTTP unable to match response to request [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.221.197.243:8001 -> 192.168.1.71:4148
</pre>
<p>but git master - 2.0dev (rev 73e27c1) - does not alert.</p>
<p>Thanks</p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2013-10-26T10:21:21Z - <a class="external" href="https://redmine.openinfosecfoundation.org/issues/849?journal_id=3614">https://redmine.openinfosecfoundation.org/issues/849?journal_id=3614</a></p>
<ul><li><strong>Target version</strong> set to <i>TBD</i></li></ul>
<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2016-09-08T14:53:07Z - <a class="external" href="https://redmine.openinfosecfoundation.org/issues/849?journal_id=7354">https://redmine.openinfosecfoundation.org/issues/849?journal_id=7354</a></p>
<ul><li><strong>Assignee</strong> set to <i>OISF Dev</i></li></ul>
<p><strong>Philippe Antoine</strong>, 2019-06-03T14:13:50Z - <a class="external" href="https://redmine.openinfosecfoundation.org/issues/849?journal_id=12407">https://redmine.openinfosecfoundation.org/issues/849?journal_id=12407</a></p>
<p>To me, the content length should now be handled fine after <a class="external" href="https://github.com/OISF/libhtp/commit/c0c87b4c560aae3850c7d90de1bdcb4fe966c9f0">https://github.com/OISF/libhtp/commit/c0c87b4c560aae3850c7d90de1bdcb4fe966c9f0</a><br />That means:</p>
<ul>
<li>duplicate content-length headers with same value</li>
<li>duplicate content-length headers with different values (first one is then used, as http evader showed us that was the case for browsers)</li>
<li>less or more data than content-length (but these do not generate an alert about the content length)</li>
</ul>
<p>From your examples, it looks like you are expecting an alert when a connection is interrupted before the whole content length could have been sent.<br />Is this the case?</p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-06-06T11:40:50Z - <a class="external" href="https://redmine.openinfosecfoundation.org/issues/849?journal_id=12460">https://redmine.openinfosecfoundation.org/issues/849?journal_id=12460</a></p>
<p>Philippe, can you turn the pcaps into suricata-verify tests?</p>
<p><strong>Philippe Antoine</strong>, 2019-07-12T13:21:18Z - <a class="external" href="https://redmine.openinfosecfoundation.org/issues/849?journal_id=12966">https://redmine.openinfosecfoundation.org/issues/849?journal_id=12966</a></p>
<p>Victor, to me, these are duplicates of the http evader cases (by the same person) <a class="external" href="https://noxxi.de/research/http-evader.html">https://noxxi.de/research/http-evader.html</a></p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-09-25T19:35:23Z - <a class="external" href="https://redmine.openinfosecfoundation.org/issues/849?journal_id=13836">https://redmine.openinfosecfoundation.org/issues/849?journal_id=13836</a></p>
<p>So can this be closed <a class="user active user-mention" href="https://redmine.openinfosecfoundation.org/users/1820">@Philippe Antoine</a>?</p>
<p><strong>Philippe Antoine</strong>, 2021-03-11T09:39:48Z - <a class="external" href="https://redmine.openinfosecfoundation.org/issues/849?journal_id=19528">https://redmine.openinfosecfoundation.org/issues/849?journal_id=19528</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li></ul><p>Yes, closing!</p>