Project

General

Profile

Actions

Support #8697

closed
JC SB

Suricata 8.0.5: http.host fails to match special characters (?, /, #) in HTTP Host header

Support #8697: Suricata 8.0.5: http.host fails to match special characters (?, /, #) in HTTP Host header

Added by jghs chha 2 days ago. Updated 2 days ago.

Status:
Closed
Priority:
Normal
Affected Versions:
Label:

Description

I encountered an issue in Suricata 8.0.5 RELEASE where http.host inspection does not correctly match special characters such as ?, /, or # in the Host header.

Test Traffic

POST /key/generate HTTP/1.1
Host: localhost/?x=1

Rules Used

alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;content:"localhost"; sid:2606261441;)
alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;content:"?"; sid:2606261442;)
alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;content:"/"; sid:2606261443;)
alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;content:"|2f|"; sid:2606261444;)
alert http any any -> any any (msg:"HTTP_Host_Test";flow:to_server,established;http.host;pcre:"/.*\x2f/"; sid:2606261445;)

Observed Behavior
Only rule sid:2606261441 (matching "localhost") triggers an alert.

All other rules fail to alert, even when I comment out sid:2606261441 and test the remaining rules individually.

Expected Behavior
Since the Host header clearly contains special characters (localhost/?x=1), rules matching "?", "/", "|2f|", or a PCRE containing \x2f should also trigger.

Issue Summary
It appears that Suricata 8.0.4 may be normalizing, stripping, or otherwise not exposing special characters in http.host for rule inspection. This results in http.host failing to match characters that are present in the raw Host header.

Request
Could you confirm whether this is a parsing limitation, a regression, or expected behavior?
If this is not expected, please consider treating this as a bug in http.host normalization or exposure.

Thanks!

Actions

Also available in: PDF Atom