Bug #849

closed

Not alerting on invalid http request Content-Length

Added by Peter Manev almost 11 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

In the pcaps attached
1) - http-events-abnormal-No-Content-Length.pcap
2) - http-events-abnormal-Invalid-Content-Length.pcap
3) - InvalidContentLengthApacheResponse.pcap
4) - ValidContentLengthApacheResponse.pcap

- 2) is with invalid content length - "Content-Length: 2040\r\n" added to the http request, packet 4.
- 1) is with the valid content length

In situation 2) wireshark does not recognize the http request - just recognizes it as a valid TCP segment, which would be correct I think, since the content length is invalid.
Suricata recognizes 2) as a http request.

It is the exact same situation if the same is mirrored, but for the http response.

However, the rules:

alert http any any -> any any (msg:"SURICATA HTTP invalid content length field in request"; flow:established,to_server; app-layer-event:http.invalid_content_length_field_in_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221007; rev:1;)

alert http any any -> any any (msg:"SURICATA HTTP invalid content length field in response"; flow:established,to_client; app-layer-event:http.invalid_content_length_field_in_response; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221008; rev:1;)

From http-events.rules do not generate an alert (or any of the rules in http-events.rules for that matter) in either respective case (request or response).

3) and 4) are the same case, but real cases against an Apache web server.

Does not alert with 2.0dev (rev 5157ce1) or 1.4.3 or 2.0dev (rev cd7b4fa, latest git master).

Running Suri with:

suricata -c /etc/suricata/suricata.yaml -S /http-events.rules -r /root/Work/suricata/BUG/InvalidContentLength/http-events-abnormal-Invalid-Content-Length.pcap  --runmode=single

Thanks
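As an added example that is not part of this bug report and not Suricata or libhtp code: the small parser below shows what "invalid Content-Length" can mean to an HTTP request parser before it decides whether it has a complete request. It goes beyond the single case in the report (a declared length of 2040 with a much shorter body, as in pcap 2) and also flags non-numeric values, conflicting duplicate headers, and a body that arrives without any length at all. The sample requests, the hostname `example.test`, and the anomaly labels are all constructed for this example; the page does not state which of these conditions the `http.invalid_content_length_field_in_request` event is meant to cover.

```python
"""
Content-Length sanity checks for a single, fully received HTTP/1.1 request.

Added example, not Suricata/libhtp code. The sample requests at the bottom are
constructed and are not taken from the attached pcaps.
"""
import re
from typing import List, Tuple

# Header field name: RFC 7230 "tchar" characters, then ':' and an optional value.
_HEADER_RE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")
# A well-formed Content-Length value is one or more ASCII digits and nothing else.
_DIGITS_RE = re.compile(rb"^[0-9]+$")


def split_request(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]], bytes]:
    """Return (start_line, [(name_lowercased, value), ...], body).

    Raises ValueError when the header block is not terminated by a blank line;
    that is the state a parser is in while it is still waiting for more segments.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        m = _HEADER_RE.match(line)
        if m is None:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((m.group(1).lower(), m.group(2)))
    return lines[0], headers, body


def content_length_anomalies(raw: bytes) -> List[str]:
    """Classify Content-Length problems; an empty list means the header is
    well-formed and agrees with the body bytes that actually arrived."""
    _, headers, body = split_request(raw)
    values = [v for name, v in headers if name == b"content-length"]
    # RFC 7230 3.3.2: a comma-separated list is tolerable only if all members agree.
    members = [p.strip() for v in values for p in v.split(b",")]
    anomalies = set()
    if not members:
        has_te = any(n == b"transfer-encoding" for n, _ in headers)
        if body and not has_te:
            anomalies.add("body_without_length")
        return sorted(anomalies)
    if any(_DIGITS_RE.match(p) is None for p in members):
        # Non-numeric, empty, signed or otherwise malformed value.
        anomalies.add("invalid_content_length_field")
        return sorted(anomalies)
    declared = {int(p) for p in members}
    if len(declared) > 1:
        anomalies.add("conflicting_content_length")
        return sorted(anomalies)
    n = declared.pop()
    if n > len(body):
        # The report's pcap-2 situation: more body promised than was sent.
        anomalies.add("declared_length_exceeds_body")
    elif n < len(body):
        anomalies.add("body_exceeds_declared_length")
    return sorted(anomalies)


# Constructed sample requests (not the attached captures).
VALID_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
OVERSTATED_POST = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                   b"Content-Length: 2040\r\n\r\nshort body")
NON_NUMERIC = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 20x40\r\n\r\nabc")
CONFLICTING = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 5\r\nContent-Length: 7\r\n\r\nhello")
MATCHING = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    samples = [("valid GET", VALID_GET), ("overstated POST", OVERSTATED_POST),
               ("non-numeric", NON_NUMERIC), ("conflicting", CONFLICTING),
               ("matching", MATCHING)]
    for label, req in samples:
        print(f"{label:16s} {content_length_anomalies(req) or 'clean'}")
```

The `declared_length_exceeds_body` case is the one the report describes: a parser that has seen the full header block but fewer body bytes than declared cannot tell, from that segment alone, whether the request is malformed or simply incomplete, which is why an engine needs stream reassembly and a timeout or end-of-flow signal before it can label it.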


Files

ContentLengthCaps.tar.gz (2.13 KB), Peter Manev, 07/03/2013 07:42 AM
Content-length-bug-noxxi-de.pcap (94 KB), Peter Manev, 07/13/2013 11:19 AM