Bug #418
Updated by Victor Julien over 12 years ago
To avoid confusion with actual escaped characters this function should escape stray backslashes. Example: <pre> nc www.openinfosecfoundation.org 80 GET /foo/\x80 HTTP/1.0 HTTP/1.1 404 Not Found Date: Fri, 02 Mar 2012 19:41:33 GMT Server: Content-Length: 206 Connection: close Content-Type: text/html; charset=iso-8859-1 </pre> In Suricata this request will look like this in the http.log. <pre> 03/02/2012-14:24:34.652663 <hostname unknown> [**] /foo/\x80 [**] <useragent unknown> [**] <no referer> [**] GET [**] HTTP/1.0 [**] 404 [**] 206 bytes [**].... </pre> Similar request in an Apache log.. <pre> 127.0.0.1 - - [01/Feb/2012:09:23:52 -0600] "GET /foo/\\x80 HTTP/1.0" 404 484 "-" "-" </pre>