Bug #2402 (closed): http_header_names doesn't operate as documented
Description
Not sure if the bug is in implementation, or in the documentation. In the second example of the documentation we learn that to validate that a Header is at the beginning of the http_header_names buffer we can use "|0D 0A 0D 0A|HeaderName". It appears, however, that the |0D 0A 0D 0A| is only applicable at the end of the buffer.
I've tested on Suricata 4.0.3 RELEASE, output can be found below and files used in testing are attached for your easy reproduction.
duaneh@zombie-lab6:~$ /usr/bin/suricata -c suricata-pcap.yaml --runmode=single -S http_header_names.rules -r suricata_test.pcap
Initialization syslog logging with format "[%i] <%d> -- ".
4/1/2018 -- 21:15:33 - <Notice> - This is Suricata version 4.0.3 RELEASE
4/1/2018 -- 21:15:33 - <Info> - CPUs/cores online: 16
4/1/2018 -- 21:15:33 - <Info> - HTTP memcap: 6442450944
4/1/2018 -- 21:15:36 - <Info> - 1 rule files processed. 2 rules successfully loaded, 0 rules failed
4/1/2018 -- 21:15:36 - <Info> - Threshold config parsed: 1 rule(s) found
4/1/2018 -- 21:15:36 - <Info> - 2 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 2 inspect application layer, 0 are decoder event only
4/1/2018 -- 21:15:36 - <Info> - fast output device (regular) initialized: /tmp/fast.log
4/1/2018 -- 21:15:36 - <Info> - Unified2-alert initialized: filename suricata.u2, limit 128 MB
4/1/2018 -- 21:15:36 - <Info> - stats output device (regular) initialized: stats.log
4/1/2018 -- 21:15:36 - <Info> - Syslog output initialized
4/1/2018 -- 21:15:36 - <Info> - reading pcap file suricata_test.pcap
4/1/2018 -- 21:15:36 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
4/1/2018 -- 21:15:36 - <Info> - pcap file end of file reached (pcap err code 0)
4/1/2018 -- 21:15:36 - <Notice> - Signal Received. Stopping engine.
4/1/2018 -- 21:15:37 - <Info> - time elapsed 1.421s
4/1/2018 -- 21:15:38 - <Notice> - Pcap-file module read 10 packets, 1100 bytes
4/1/2018 -- 21:15:38 - <Info> - Alerts: 1
4/1/2018 -- 21:15:38 - <Info> - cleaning up signature grouping structure... complete
duaneh@zombie-lab6:~$ cat /tmp/fast.log
01/04/2018-21:07:49.173020 [**] [1:8000002:1] Header Test 2 - Like Depth [**] [Classification: (null)] [Priority: 3] {TCP} 100.97.28.117:45280 -> 35.192.125.79:443
Updated by Victor Julien almost 7 years ago
This is a documentation error. The format is
\r\nName1\r\nName2\r\n\r\n
You can use depth (soon also starts_with) to anchor to the start of the buffer.
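The following is an added illustration, not code from the Suricata project or from either participant in this ticket. It models the http_header_names buffer in the layout given above (a leading CRLF, each name followed by CRLF, and one closing CRLF) and a deliberately simplified version of Suricata's `content` / `depth` matching, to show why "|0D 0A 0D 0A|Name" can only ever hit at the end of the buffer while a depth-limited match anchors to its start. The buffer builder, the matcher and the sample header list are all constructed for this example; they are not Suricata's implementation.

```python
# Added example (not Suricata's code): a model of the http_header_names buffer
# and a simplified content/depth match, to reproduce the behaviour reported
# in this ticket. Assumptions: the buffer format is exactly
# "\r\nName1\r\nName2\r\n\r\n" as stated in the comment above, and a rule's
# content match is a plain substring search, optionally limited to the first
# `depth` bytes of the buffer.

def http_header_names_buffer(header_names):
    """Build the http_header_names buffer for an ordered list of header names.

    The buffer opens with one CRLF, every name is followed by CRLF, and the
    buffer closes with one extra CRLF. As a result the CRLFCRLF sequence can
    only occur at the very end of the buffer, never in front of a name.
    """
    body = b"".join(name.encode("ascii") + b"\r\n" for name in header_names)
    return b"\r\n" + body + b"\r\n"


def content_match(buf, pattern, depth=None):
    """Simplified Suricata-style content match.

    Returns True when `pattern` occurs in `buf`. When `depth` is given, the
    whole pattern must lie within the first `depth` bytes, which is how a
    rule anchors a match to the start of a sticky buffer.
    """
    haystack = buf if depth is None else buf[:depth]
    return pattern in haystack


def crlfcrlf_positions(buf):
    """Return every offset at which CRLFCRLF occurs in the buffer."""
    positions, start = [], 0
    while True:
        i = buf.find(b"\r\n\r\n", start)
        if i < 0:
            return positions
        positions.append(i)
        start = i + 1


def first_header_is(buf, name):
    """Anchored check: is `name` the first header name in the buffer?

    Equivalent to a rule of the form
        content:"|0D 0A|<name>|0D 0A|"; depth:<len(name) + 4>;
    i.e. the leading CRLF, the name and its trailing CRLF must all fit in
    the first len(name)+4 bytes, so only the first header can satisfy it.
    """
    pattern = b"\r\n" + name.encode("ascii") + b"\r\n"
    return content_match(buf, pattern, depth=len(pattern))


# Constructed sample request header order (Host first), not from the pcap
# attached to the ticket.
SAMPLE_HEADERS = ["Host", "User-Agent", "Accept"]


if __name__ == "__main__":
    buf = http_header_names_buffer(SAMPLE_HEADERS)
    print("buffer:", buf)
    print("CRLFCRLF offsets:", crlfcrlf_positions(buf), "of", len(buf), "bytes")
    # The documented form "|0D 0A 0D 0A|Host" never matches, even with Host first.
    print("|0D 0A 0D 0A|Host matches:", content_match(buf, b"\r\n\r\nHost"))
    # CRLFCRLF does match after the *last* name, which is what the reporter saw.
    print("Accept|0D 0A 0D 0A| matches:", content_match(buf, b"Accept\r\n\r\n"))
    # A depth-limited match anchors correctly to the start of the buffer.
    print("Host is first header:", first_header_is(buf, "Host"))
    print("User-Agent is first header:", first_header_is(buf, "User-Agent"))
```

Running it shows CRLFCRLF at a single offset (the end of the buffer), the documented "|0D 0A 0D 0A|Host" pattern failing even though Host is the first header, and the depth-anchored pattern succeeding only for the header that actually comes first.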
Updated by Andreas Herz almost 7 years ago
- Assignee set to OISF Dev
- Target version set to Documentation
Updated by Victor Julien almost 7 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from Documentation to 4.1beta1
Updated by Victor Julien almost 7 years ago
- Status changed from Assigned to Closed