Support #8697
closed
Suricata 8.0.5: http.host fails to match special characters (?, /, #) in HTTP Host header
Description
I encountered an issue in Suricata 8.0.5 RELEASE where http.host inspection does not correctly match special characters such as ?, /, or # in the Host header.
Test Traffic
POST /key/generate HTTP/1.1
Host: localhost/?x=1
Rules Used
alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;content:"localhost"; sid:2606261441;)
alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;content:"?"; sid:2606261442;)
alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;content:"/"; sid:2606261443;)
alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;content:"|2f|"; sid:2606261444;)
alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;pcre:"/.*\x2f/"; sid:2606261445;)
Observed Behavior
Only rule sid:2606261441 (matching "localhost") triggers an alert.
All other rules fail to alert, even when I comment out sid:2606261441 and test the remaining rules individually.
Expected Behavior
Since the Host header clearly contains special characters (localhost/?x=1), rules matching "?", "/", "|2f|", or a PCRE containing \x2f should also trigger.
Issue Summary
It appears that Suricata 8.0.4 may be normalizing, stripping, or otherwise not exposing special characters in http.host for rule inspection. This results in http.host failing to match characters that are present in the raw Host header.
Request
Could you confirm whether this is a parsing limitation, a regression, or expected behavior?
If this is not expected, please consider treating this as a bug in http.host normalization or exposure.
Thanks!
Updated by Shivani Bhardwaj 2 days ago
Thanks for the report! http.host is indeed normalized. Have you tried http.host.raw? See: https://docs.suricata.io/en/suricata-8.0.5/rules/http-keywords.html#http-host-raw
Updated by jghs chha 2 days ago
Shivani Bhardwaj wrote in #note-1:
Thanks for the report!
http.host is indeed normalized. Have you tried http.host.raw? See: https://docs.suricata.io/en/suricata-8.0.5/rules/http-keywords.html#http-host-raw
Yep! http.host.raw works well. Thanks for your work!
Updated by Shivani Bhardwaj 2 days ago
- Tracker changed from Bug to Support
- Status changed from New to Closed
- Assignee set to Shivani Bhardwaj
- Target version deleted (TBD)
- Effort deleted (high)
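The resolution from the thread, written out as rules (an added example, not part of the original ticket or the Suricata project's own rules): the reporter's content and pcre matches moved from http.host to http.host.raw. The sids and msg strings are constructed placeholders, and the last rule goes slightly beyond the report by covering all three characters named in the title in one signature.

```suricata
# Constructed example; sids are placeholders from the local-use range.
# Literal matches against the unnormalized Host header value.
alert http any any -> any any (msg:"HTTP Host raw contains slash"; flow:to_server,established; http.host.raw; content:"/"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"HTTP Host raw contains question mark"; flow:to_server,established; http.host.raw; content:"?"; sid:1000002; rev:1;)

# One signature for any of the three characters from the report (/, ?, #).
alert http any any -> any any (msg:"HTTP Host raw contains URI delimiter"; flow:to_server,established; http.host.raw; pcre:"/[\x2f?#]/"; sid:1000003; rev:1;)
```

Rules that only need the hostname itself, like sid:2606261441 above, can stay on http.host.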