Project

General

Profile

Actions

Support #2890

closed

HTTP alert isn't triggered when writing ".." as part of the scanned URI

Added by Osqui LittleRiver almost 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Hello.

I have a custom alert like this: alert http any any -> any 80 (msg:"blabla"; content:".."; http_uri; sid:1000000;)

When I run curl http://xxxx/.. (or curl http://xxxx/../.. or doing the same requests via browser) this alert isn't triggered (and Apache/nginx webserver returns index page)

I've done several tests. For instance, if I run curl https://xxxx/... (with three dots), then alert is triggered (and webserver gives a 404 error)
On the other hand, if I change the alert to this one: alert http any any -> any 80 (msg:"blabla"; content:"|2e 2e|"; http_raw_uri; buffer; sid:100000;) is triggered too, so it seems it's a http normalizer's fault
There's more information on these tests in https://pastebin.com/Yd7mhRsA

Thanks a lot to @Travis Green and @patstoms in #suricata IRC for give me a lot of help and point me to these clues

Actions #1

Updated by David Wharton almost 6 years ago

This isn't a bug, it is expected and desired behavior.

The 'http_uri' buffer is a normalized buffer which means that "/../" in the URI (directory traversal) will be normalized to just "/" in the 'http_uri' buffer and remove the preceding directory (if present). For example, if the URI on the wire looked like this:

/foo/bar/../baz/index.html

Then the 'http_uri' normalized buffer would look like this:

/foo/baz/index.html

To match on "/../" in the URI, use the 'http_raw_uri' buffer which isn't normalized and contains what you see on the wire, as you have discovered.

Note that other HTTP URI normalizations like percent decoding are done to the http_uri buffer and apply as well. For example, if the URI on the wire looked like this:

/foo/bar/%2e%2e/baz/index.html

Then the 'http_uri' normalized buffer would look like this:

/foo/baz/index.html

(/foo/bar/%2e%2e/baz/index.html gets normalized to /foo/bar/../baz/index.html and then finally /foo/baz/index.html)

Actions #2

Updated by Osqui LittleRiver almost 6 years ago

Oooh ,thanks for your splendid explanation! Understood!
Feel free to close this issue, please (I don't get how to do it, sorry)

Actions #3

Updated by Victor Julien almost 6 years ago

  • Tracker changed from Bug to Support
  • Status changed from New to Closed

Thanks David!

Actions

Also available in: Atom PDF