Project

General

Profile

Actions

Bug #2260

closed

Weird status codes when dealing with incomplete http streams in 4.0

Added by Bendik Hagen almost 7 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

When suricata 4.0 parses http streams with missing http response headers it returns invalid http statuscodes, etc status":456723.
Seems to be a bug in LIBHTP that causes this.

htp_connp_RES_LINE: ptr 0x7f3ed70a9082 offset 0 len 35
00000000  30 30 30 30 3d 30 30 30  30 30 30 30 2f 41 53 44  |0000=0000000/ASD|
00000010  46 33 5f 33 31 2e 7a 69  70 2c 20 34 35 36 37 32  |F3_31.zip, 45672|
00000020  33 0d 0a                                          |3..|

Response protocol: ptr 0x7f3ed70a9b78 offset 0 len 26
00000000  30 30 30 30 3d 30 30 30  30 30 30 30 2f 41 53 44  |0000=0000000/ASD|
00000010  46 33 5f 33 31 2e 7a 69  70 2c                    |F3_31.zip,|

Response protocol number: -2

Response status (as text): ptr 0x7f3ed70a9bb8 offset 0 len 6
00000000  34 35 36 37 32 33                                 |456723|

Response status number: 456723


Files

status_code.pcap (2.48 KB) status_code.pcap Anonymous, 11/02/2017 10:26 AM
status_code_hotfix.patch (831 Bytes) status_code_hotfix.patch Anonymous, 11/02/2017 10:31 AM
Actions #1

Updated by Anonymous almost 7 years ago

Actions #2

Updated by Victor Julien almost 7 years ago

  • Subject changed from Wierd status codes when dealing with incomplete http streams in 4.0 to Weird status codes when dealing with incomplete http streams in 4.0

Are you able to provide a test case? Pcap preferred. Thanks!

Updated by Anonymous almost 7 years ago

Attached a PCAP and a patch that fixes the issue. However, I assume a cleaner solution is desired.

Actions #4

Updated by Andreas Herz almost 7 years ago

  • Assignee set to Bendik Hagen
  • Target version set to TBD

You might want to consider adding this patch within our github project, see https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing for details on how to contribute code :)

Actions #6

Updated by Victor Julien almost 7 years ago

  • Status changed from New to Closed
  • Target version deleted (TBD)

Fixed in libhtp 0.5.26. As this is a libhtp issue I'm not setting a Suricata target.

Actions

Also available in: Atom PDF