Bug #2260: Weird status codes when dealing with incomplete http streams in 4.0 - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #2260

closed

Weird status codes when dealing with incomplete http streams in 4.0

Added by Bendik Hagen almost 7 years ago. Updated almost 7 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Bendik Hagen

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

When suricata 4.0 parses http streams with missing http response headers it returns invalid http statuscodes, etc status":456723.
Seems to be a bug in LIBHTP that causes this.

htp_connp_RES_LINE: ptr 0x7f3ed70a9082 offset 0 len 35
00000000  30 30 30 30 3d 30 30 30  30 30 30 30 2f 41 53 44  |0000=0000000/ASD|
00000010  46 33 5f 33 31 2e 7a 69  70 2c 20 34 35 36 37 32  |F3_31.zip, 45672|
00000020  33 0d 0a                                          |3..|

Response protocol: ptr 0x7f3ed70a9b78 offset 0 len 26
00000000  30 30 30 30 3d 30 30 30  30 30 30 30 2f 41 53 44  |0000=0000000/ASD|
00000010  46 33 5f 33 31 2e 7a 69  70 2c                    |F3_31.zip,|

Response protocol number: -2

Response status (as text): ptr 0x7f3ed70a9bb8 offset 0 len 6
00000000  34 35 36 37 32 33                                 |456723|

Response status number: 456723

Files

Download all files

status_code.pcap (2.48 KB) status_code.pcap		Anonymous, 11/02/2017 10:26 AM
status_code_hotfix.patch (831 Bytes) status_code_hotfix.patch		Anonymous, 11/02/2017 10:31 AM

Actions

Copy link

Updated by Anonymous almost 7 years ago

Related to: https://github.com/OISF/libhtp/issues/160

Actions

Copy link

Updated by Victor Julien almost 7 years ago

Subject changed from Wierd status codes when dealing with incomplete http streams in 4.0 to Weird status codes when dealing with incomplete http streams in 4.0

Are you able to provide a test case? Pcap preferred. Thanks!

Actions

Copy link Download all files

Updated by Anonymous almost 7 years ago

File status_code.pcap status_code.pcap added
File status_code_hotfix.patch status_code_hotfix.patch added

Attached a PCAP and a patch that fixes the issue. However, I assume a cleaner solution is desired.

Actions

Copy link

Updated by Andreas Herz almost 7 years ago

Assignee set to Bendik Hagen
Target version set to TBD

You might want to consider adding this patch within our github project, see https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing for details on how to contribute code :)

Actions

Copy link