Support #8697
closed
Suricata 8.0.5: http.host fails to match special characters (?, /, #) in HTTP Host header
Description
I encountered an issue in Suricata 8.0.5 RELEASE where http.host inspection does not correctly match special characters such as ?, /, or # in the Host header.
Test Traffic
POST /key/generate HTTP/1.1
Host: localhost/?x=1
Rules Used
alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;content:"localhost"; sid:2606261441;)
alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;content:"?"; sid:2606261442;)
alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;content:"/"; sid:2606261443;)
alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;content:"|2f|"; sid:2606261444;)
alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;pcre:"/.*\x2f/"; sid:2606261445;)
Observed Behavior
Only rule sid:2606261441 (matching "localhost") triggers an alert.
All other rules fail to alert, even when I comment out sid:2606261441 and test the remaining rules individually.
Expected Behavior
Since the Host header clearly contains special characters (localhost/?x=1), rules matching "?", "/", "|2f|", or a PCRE containing \x2f should also trigger.
Issue Summary
It appears that Suricata 8.0.4 may be normalizing, stripping, or otherwise not exposing special characters in http.host for rule inspection. This results in http.host failing to match characters that are present in the raw Host header.
Request
Could you confirm whether this is a parsing limitation, a regression, or expected behavior?
If this is not expected, please consider treating this as a bug in http.host normalization or exposure.
Thanks!