Bug #1559
closed
Invalid HTTP status in HTTP log
Description
I'm not sure whether this is a bug or intentional, but I wanted to bring it up.
A server may return an invalid HTTP response, with something arbitrary where the status code would be expected to be. If this happens, the tx->response_status member will contain whatever string is in that position, but tx->response_status_number will be set to HTP_STATUS_INVALID. However, in the logging code, the response_status field is used, potentially outputting an invalid "status" into the log. I'm wondering if response_status_number should be used in the logging code, instead.
As an example, as of the time of writing, sending the following HTTP request:
GET /empty_flash?e=1 HTTP/1.1
Host: afs.moatads.com
to the server 52.21.219.9 will result in the following response:
<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>
And in the suricata log, the status field will have the following contents:
version=\x221.0\x22?>
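The behaviour reported above, as an added example that is not part of the original report and is not Suricata or libhtp code: a stand-alone status-line parser that keeps both the raw status token and a validated number, and a log helper that only ever emits the validated number. Assumptions: the first response line is split on whitespace (which reproduces the logged value above), a valid status is exactly three digits in 100..599, and the names `STATUS_INVALID`, `parse_status` and `status_for_log` are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define STATUS_INVALID (-1) /* constructed sentinel, plays the role of HTP_STATUS_INVALID */

/* Copy the second whitespace-delimited token of the first response line into
 * raw (truncated to rawsz-1 bytes, rawsz >= 1) and return its numeric value,
 * or STATUS_INVALID unless the token is exactly three digits in 100..599. */
static int parse_status(const char *line, char *raw, size_t rawsz)
{
    while (*line && !isspace((unsigned char)*line)) line++; /* skip protocol token */
    while (*line == ' ' || *line == '\t') line++;           /* skip separator */
    size_t len = strcspn(line, " \t\r\n");                  /* status token length */
    size_t n = len < rawsz - 1 ? len : rawsz - 1;
    memcpy(raw, line, n);
    raw[n] = '\0';
    if (len != 3) return STATUS_INVALID;
    for (size_t i = 0; i < 3; i++)
        if (!isdigit((unsigned char)line[i])) return STATUS_INVALID;
    int code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    return (code >= 100 && code <= 599) ? code : STATUS_INVALID;
}

/* Value for the log's status column: the validated number, or "-" (this
 * example's placeholder) so server-controlled bytes never reach that field. */
static const char *status_for_log(int number, char *buf, size_t bufsz)
{
    if (number == STATUS_INVALID) return "-";
    snprintf(buf, bufsz, "%d", number);
    return buf;
}

int main(void)
{
    /* Constructed inputs: a normal status line and the first line of the
     * response quoted in the report. */
    const char *lines[] = { "HTTP/1.1 200 OK\r\n", "<?xml version=\"1.0\"?>\r\n" };
    char raw[32], buf[8];
    for (size_t i = 0; i < 2; i++) {
        int num = parse_status(lines[i], raw, sizeof raw);
        printf("raw token: %-18s logged status: %s\n",
               raw, status_for_log(num, buf, sizeof buf));
    }
    return 0;
}
```

Logging the raw token is what puts `version="1.0"?>` into the status column; logging the validated number turns the same response into a fixed placeholder.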