Open Information Security Foundation

06/13/2025

09:38 PM Suricata Bug #7754: http.host and http.host.raw contain the same Host header value twice, with a delimiter

Does this mean there is no plan to change this behaviour and that it is intended? James Emery-Callcott

01:35 AM Suricata Bug #7754: http.host and http.host.raw contain the same Host header value twice, with a delimiter

I've just tested http.accept; for this same logic and it seems that buffer is affected too. I suspect all http stick... James Emery-Callcott

01:06 AM Suricata Bug #7754: http.host and http.host.raw contain the same Host header value twice, with a delimiter

My concerns here is that this could now lead to bypassing many existing signatures with ease.
If a signature inclu... James Emery-Callcott

12:58 AM Suricata Bug #7754: http.host and http.host.raw contain the same Host header value twice, with a delimiter

Came back to this with fresh eyes and I think I've identified the cause however, it's potentially still a bug.
It ... James Emery-Callcott

12:44 AM Suricata Bug #7754: http.host and http.host.raw contain the same Host header value twice, with a delimiter

Re-posting the same signature in a code block so certain characters aren't interpreted as formatting efforts.
<pre... James Emery-Callcott

12:42 AM Suricata Bug #7754 (New): http.host and http.host.raw contain the same Host header value twice, with a delimiter

I ran into some strange behaviour when drafting a rule to detect RFC non-compliant characters within the HTTP host he... James Emery-Callcott

12/10/2024

06:00 PM Suricata Feature #7446: add logic to parse QUIC CRYPTO frames and provide a keyword to access the reassembled data

can probably close this out :) Chris W discovered quic.sni exists, it just wasn't documented James Emery-Callcott

12/08/2024

11:27 PM Suricata Feature #7446: add logic to parse QUIC CRYPTO frames and provide a keyword to access the reassembled data

semi-relevant https://redmine.openinfosecfoundation.org/issues/4985 James Emery-Callcott

11:23 PM Suricata Feature #7446 (New): add logic to parse QUIC CRYPTO frames and provide a keyword to access the reassembled data

Apologies if this is a duplicate report, I couldn't find anything else when searching.
Currently, we have no metho... James Emery-Callcott

10/11/2024

01:05 AM Suricata Feature #7322 (Rejected): ability to negate the existence of fields via buffer negation

While writing hunting signatures today, we noticed that it is not possible to negate the existence of a buffer which ... James Emery-Callcott