Support #2890
HTTP alert isn't triggered when writing ".." as part of the scanned URI (closed)
Description
Hello.
I have a custom alert like this: alert http any any -> any 80 (msg:"blabla"; content:".."; http_uri; sid:1000000;)
When I run curl http://xxxx/.. (or curl http://xxxx/../.., or doing the same requests via a browser) this alert isn't triggered (and the Apache/nginx webserver returns the index page).
I've done several tests. For instance, if I run curl https://xxxx/... (with three dots), then the alert is triggered (and the webserver gives a 404 error).
On the other hand, if I change the alert to this one: alert http any any -> any 80 (msg:"blabla"; content:"|2e 2e|"; http_raw_uri; buffer; sid:100000;) it is triggered too, so it seems to be the HTTP normalizer's fault.
There's more information on these tests in https://pastebin.com/Yd7mhRsA
Thanks a lot to @Travis Green and @patstoms in #suricata IRC for giving me a lot of help and pointing me to these clues.
Updated by David Wharton almost 6 years ago
This isn't a bug, it is expected and desired behavior.
The 'http_uri' buffer is a normalized buffer which means that "/../" in the URI (directory traversal) will be normalized to just "/" in the 'http_uri' buffer and remove the preceding directory (if present). For example, if the URI on the wire looked like this:
/foo/bar/../baz/index.html
Then the 'http_uri' normalized buffer would look like this:
/foo/baz/index.html
To match on "/../" in the URI, use the 'http_raw_uri' buffer which isn't normalized and contains what you see on the wire, as you have discovered.
Note that other HTTP URI normalizations like percent decoding are done to the http_uri buffer and apply as well. For example, if the URI on the wire looked like this:
/foo/bar/%2e%2e/baz/index.html
Then the 'http_uri' normalized buffer would look like this:
/foo/baz/index.html
(/foo/bar/%2e%2e/baz/index.html gets normalized to /foo/bar/../baz/index.html and then finally /foo/baz/index.html)
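The following is an added example, not code from Suricata or from this issue's participants. It models the two buffers David describes: a simplified, assumed approximation of the http_uri normalization (percent-decode once, then collapse "." and ".." path segments) next to the untouched http_raw_uri buffer, and shows why `content:".."; http_uri;` never fires on the reporter's requests while the same content on http_raw_uri does. The real normalizer (libhtp) handles more cases, such as encoded slashes and backslashes and configurable double decoding, which this model deliberately leaves out.

```python
# Added example: a toy model of Suricata's normalized http_uri buffer versus
# the raw http_raw_uri buffer. Not Suricata/libhtp code; the normalization
# rules below are a simplified assumption for illustration.
from urllib.parse import unquote


def normalize_uri_path(raw_path: str) -> str:
    """Approximate http_uri normalization: percent-decode once, then
    collapse "." and ".." segments, dropping the preceding directory for "..".
    A ".." at the root has nothing to remove and simply disappears."""
    decoded = unquote(raw_path)          # /%2e%2e/ -> /../
    out = []
    for seg in decoded.split("/"):
        if seg == "..":
            if out:
                out.pop()                # remove the preceding directory
        elif seg in ("", "."):
            continue                     # empty (leading/double slash) or "."
        else:
            out.append(seg)
    path = "/" + "/".join(out)
    if decoded.endswith("/") and path != "/":
        path += "/"                      # keep a trailing slash if there was one
    return path


def rule_matches(content: str, raw_uri: str, use_raw: bool = False) -> bool:
    """Emulate `content:<content>; http_uri;` (use_raw=False) or
    `content:<content>; http_raw_uri;` (use_raw=True) against one request."""
    buf = raw_uri if use_raw else normalize_uri_path(raw_uri)
    return content in buf


def compare_buffers(raw_uris, content: str = ".."):
    """Return, per constructed URI, both buffers and whether the content
    matched in each; useful for checking a rule against sample requests."""
    rows = []
    for uri in raw_uris:
        rows.append({
            "raw": uri,
            "normalized": normalize_uri_path(uri),
            "http_uri_match": rule_matches(content, uri),
            "http_raw_uri_match": rule_matches(content, uri, use_raw=True),
        })
    return rows


if __name__ == "__main__":
    # Constructed sample request paths mirroring the ones discussed above.
    samples = [
        "/..",
        "/../..",
        "/...",
        "/foo/bar/../baz/index.html",
        "/foo/bar/%2e%2e/baz/index.html",
    ]
    for row in compare_buffers(samples):
        print(f"{row['raw']:34} -> {row['normalized']:22} "
              f"http_uri={row['http_uri_match']!s:5} "
              f"http_raw_uri={row['http_raw_uri_match']}")
```

Running it shows that "/.." and "/../.." normalize to "/" (which is why the server serves the index page and the http_uri rule stays silent), "/..." survives untouched because it is not a traversal segment, and both the plain and percent-encoded traversal forms collapse to "/foo/baz/index.html". Only the http_raw_uri column matches ".." in every traversal case, which is the buffer to use for a detection rule like this one.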
Updated by Osqui LittleRiver almost 6 years ago
Oooh, thanks for your splendid explanation! Understood!
Feel free to close this issue, please (I don't get how to do it, sorry)
Updated by Victor Julien almost 6 years ago
- Tracker changed from Bug to Support
- Status changed from New to Closed
Thanks David!