Project

General

Profile

Actions

Bug #1559

closed

Invalid HTTP status in HTTP log

Added by Ray Ruvinskiy about 9 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

I'm not sure whether this is a bug or intentional, but I wanted to bring it up.

A server may return an invalid HTTP response, with something arbitrary where the status code would be expected to be. If this happens, the tx->response_status member will contain whatever string is in that position, but tx->response_status_number will be set to HTP_STATUS_INVALID. However, in the logging code, the response_status field is used, potentially outputting an invalid "status" into the log. I'm wondering if response_status_number should be used in the logging code, instead.

As an example, as of the time of writing, sending the following HTTP request:

GET /empty_flash?e=1 HTTP/1.1
Host: afs.moatads.com

to the server 52.21.219.9 will result in the following response:

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>

And in the suricata log, the status field will have the following contents:

version=\x221.0\x22?>

Actions

Also available in: Atom PDF