Open Information Security Foundation
Suricata - Feature #997: Add libhtp event for every htp_log() that needs an event.
https://redmine.openinfosecfoundation.org/issues/997

Journal entry 3507, 2013-10-15T03:59:36Z, Victor Julien (victor@inliniac.net)
<ul><li><strong>Target version</strong> changed from <i>2.0beta2</i> to <i>2.0rc2</i></li></ul>
<p>The event system in libhtp still has to be created. Upstream ideas on this are here: <a class="external" href="https://github.com/ironbee/libhtp/wiki/Events">https://github.com/ironbee/libhtp/wiki/Events</a></p>

Journal entry 4081, 2014-02-25T13:47:25Z, Victor Julien (victor@inliniac.net)
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Feature</i></li><li><strong>Target version</strong> changed from <i>2.0rc2</i> to <i>3.0RC2</i></li></ul>

Journal entry 4749, 2014-11-05T04:50:27Z, Victor Julien (victor@inliniac.net)
<ul><li><strong>Target version</strong> changed from <i>3.0RC2</i> to <i>70</i></li></ul>

Journal entry 6856, 2016-05-28T06:07:32Z, Victor Julien (victor@inliniac.net)
<ul><li><strong>Assignee</strong> changed from <i>Anoop Saldanha</i> to <i>OISF Dev</i></li></ul>

Journal entry 11780, 2019-04-08T12:15:51Z, Victor Julien (victor@inliniac.net)
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Philippe Antoine</i></li></ul>
<p>As a first step, I think we should review which of the warning/error messages are not yet connected to a Suricata event.</p>

Journal entry 11989, 2019-05-06T09:22:47Z, Philippe Antoine
<p>Here are the interesting log messages for which there are no events:</p>
<ul>
<li>"Request buffer over the limit: size %zd limit %zd."</li>
<li>"Response buffer over the limit: size %zd limit %zd."</li>
<li>"C-T multipart/byteranges in responses not supported"</li>
<li>"Transfer-encoding has abnormal chunked value"</li>
<li>"Chunked transfer-encoding on HTTP/0.9 or HTTP/1.0"</li>
<li>"Invalid response line: invalid protocol"</li>
<li>"Invalid response line: invalid response status %d."</li>
<li>"Request line incomplete"</li>
</ul>
<p>In addition to that, there is a message in libhtp which I think is dead code in htp_transaction.c:<br />"[Internal Error] Invalid tx->response_content_encoding_processing value: %d"</p>
<p>And there are log messages which result from a wrong use of libhtp and are not reached by Suricata.</p>
<p>Should I go and create the Suricata events for the first list?</p>

Journal entry 11994, 2019-05-07T11:14:56Z, Victor Julien (victor@inliniac.net)
<p>Sounds great, let's go with this list.</p>

Journal entry 12042, 2019-05-14T07:20:06Z, Philippe Antoine
<p>Should we really raise an event for multipart/byterange responses?<br />These are regular responses that we should rather parse...<br />What do you think?</p>

Journal entry 12044, 2019-05-15T05:07:16Z, Victor Julien (victor@inliniac.net)
<p>I think we should be able to match on it, but not enable a rule for it by default. Byte range support itself is tracked in <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: http: byte-range support (Closed)" href="https://redmine.openinfosecfoundation.org/issues/1576">#1576</a>.</p>

Journal entry 12088, 2019-05-20T06:21:20Z, Victor Julien (victor@inliniac.net)
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li><li><strong>Target version</strong> changed from <i>70</i> to <i>5.0rc1</i></li></ul>
<p><a class="external" href="https://github.com/OISF/suricata/pull/3861">https://github.com/OISF/suricata/pull/3861</a></p>