Bug #7843
Updated by A. IOOSS 5 days ago
During an attack-defense CTF, I captured the following exchange between a Python HTTPX client and an ASP.NET server (behind a NGINX reverse-proxy).

<pre>
GET /demo HTTP/1.1
Host: 10.1.128.1:1729
Accept-Encoding: gzip, deflate
Connection: keep-alive
User-Agent: python-httpx/0.28.1
Accept: text/event-stream
content-type: application/json
Cache-Control: no-store
Authorization: Bearer REDACTED

HTTP/1.1 200 OK
Server: nginx/1.29.0
Date: Sat, 19 Jul 2025 13:09:05 GMT
Content-Type: text/event-stream
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache,no-store
Content-Encoding: identity

REDACTED
</pre>

Suricata generates the following anomaly:

<pre>{"app_proto":"http","type":"applayer","event":"ABNORMAL_CE_HEADER","layer":"proto_parser"}</pre>

Maybe `Content-Encoding: identity` should be allowed in Suricata if real-world servers are using it? Maybe some helpful context: https://github.com/mdn/content/issues/1964
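To make the header in question concrete, here is an added example (not Suricata's code and not the reporter's) of how a client-side response decoder treats `Content-Encoding` values. It parses the captured response head above (body redacted, so a constructed sample), splits the header into its coding tokens, classifies the result as absent / identity / known / unknown, and applies the decoding chain in reverse order, skipping `identity` as a no-op. The sets of "known" codings and the decision to treat `identity` as "no transformation" (the meaning RFC 9110 section 12.5.3 gives the token in `Accept-Encoding`) are assumptions of this example; whether an IDS should raise an event on it is exactly the question this bug asks, and the example does not answer it.

```python
import gzip
import zlib
from typing import Dict, List, Tuple

# Constructed sample: the response head from the captured exchange, with the
# body left out because it was redacted in the report.
SAMPLE_RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.29.0\r\n"
    "Date: Sat, 19 Jul 2025 13:09:05 GMT\r\n"
    "Content-Type: text/event-stream\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Connection: keep-alive\r\n"
    "Cache-Control: no-cache,no-store\r\n"
    "Content-Encoding: identity\r\n"
    "\r\n"
)

# Assumption of this example: "identity" means "no transformation" (RFC 9110
# section 12.5.3 defines it that way for Accept-Encoding); the second set lists
# registered compression codings a typical client decoder recognises.
NO_OP_CODINGS = {"identity"}
COMPRESSION_CODINGS = {"gzip", "x-gzip", "deflate", "br", "zstd", "compress", "x-compress"}


def parse_headers(head: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 response head into (status line, lower-cased header map)."""
    lines = head.split("\r\n")
    status_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def parse_content_encoding(value: str) -> List[str]:
    """Content-Encoding is a comma-separated list; tokens are case-insensitive."""
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def classify_content_encoding(headers: Dict[str, str]) -> str:
    """Return 'absent', 'empty', 'identity', 'known' or 'unknown' for the header."""
    if "content-encoding" not in headers:
        return "absent"
    codings = parse_content_encoding(headers["content-encoding"])
    if not codings:
        return "empty"
    if all(c in NO_OP_CODINGS for c in codings):
        return "identity"
    if all(c in NO_OP_CODINGS | COMPRESSION_CODINGS for c in codings):
        return "known"
    return "unknown"


def decode_body(body: bytes, codings: List[str]) -> bytes:
    """Undo the content codings. They are listed in the order they were applied,
    so they are removed in reverse; 'identity' is skipped rather than rejected."""
    for coding in reversed(codings):
        if coding in NO_OP_CODINGS:
            continue
        if coding in ("gzip", "x-gzip"):
            body = gzip.decompress(body)
        elif coding == "deflate":
            try:
                body = zlib.decompress(body)            # RFC-conformant zlib-wrapped deflate
            except zlib.error:
                body = zlib.decompress(body, -15)       # tolerate raw deflate from lax servers
        else:
            raise ValueError(f"unsupported content coding: {coding}")
    return body


def roundtrip_gzip_with_identity(payload: bytes) -> bytes:
    """Helper for the demo: gzip a payload, then decode it through 'identity, gzip'."""
    return decode_body(gzip.compress(payload), ["identity", "gzip"])


if __name__ == "__main__":
    status, hdrs = parse_headers(SAMPLE_RESPONSE_HEAD)
    print(status, "->", classify_content_encoding(hdrs))
    print(roundtrip_gzip_with_identity(b"data: hello\n\n"))
```

Running the classifier over the captured response reports `identity`, i.e. a recognised token that requires no decoding step, which is the case the report argues an IDS could accept silently; an unregistered token would instead come back as `unknown`, and `decode_body` refuses it rather than guessing.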