Suricata

I'll try to figure out which commit(s) fixed it in master and if backporting is feasible.

I've looked into this. Fixing this in 3.2.x is going to be too hard. In 4.0dev it works a bit by luck, and can easily made to break.

What happens is that the inspection happens in 2 different steps:

content: "Content-Length: "; nocase; http_header; byte_extract: 0, 0, contentlengthvalue, relative, string, dec;

content: "|0D 0A 0D 0A|"; distance: 0; byte_test: 0, >, contentlengthvalue, 0, relative, string, hex; sid: 111;

In 3.2.x the stream buffer is always inspected before the HTTP header buffer. So the byte_test check runs (and fails) before the byte_extract runs.

In 4.0dev the buffer that has the 'fast_pattern' runs first. In this case this means the HTTP header buffer is inspected first. So then byte_extract runs before byte_test.

But it can be easily made to fail by forcing the fast_pattern to be on the stream pattern:

content: "Content-Length: "; nocase; http_header; byte_extract: 0, 0, contentlengthvalue, relative, string, dec; content: "|0D 0A 0D 0A|"; distance: 0; fast_pattern; byte_test: 0, >, contentlengthvalue, 0, relative, string, hex;

Solving this will require some thought and will likely be non-trivial. Perhaps simply rejecting such rules would be best for now.

This was fixed in 4.0rc1. 3.2.x won't be fixed as it's too intrusive.