Project

General

Profile

Actions

Feature #5774

open

Addressing Mixed Case in HTTP Headers Names and HTTP2

Added by Brandon Murphy almost 2 years ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Today we have a large amount of rules which use content negations of specific header names similar to the following logic.

http.header_names; content:!"Accept-"; content:!"Content-Type";

However, we have been receiving some feedback regarding FPs due to a unique case where proxies are converting an HTTP/2 request from the client into HTTP/1 out to the destination server and maintaining all lowercase headers names, while adding some which are camelcased.

Consider the following HTTP request which was collected from an environment which exhibited this behavior and the ET Open rule which triggered on this traffic.

GET /catalog/123 HTTP/1.1
Host: foo.bar
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101" 
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
sec-ch-ua-platform: "macOS" 
accept: */*
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://example.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
Cache-Control: max-stale=0
Connection: Keep-Alive
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot URI Struct"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/catalog/"; fast_pattern; pcre:"/\/catalog\/\d{3,}$/"; http.header; content:!"nap.edu|0d 0a|"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,b8e0b97c8e9faa6e5daa8f0cac845516; classtype:trojan-activity; sid:2019458; rev:5; metadata:created_at 2014_10_17, updated_at 2020_10_07;)

Despite the content negations for the Accept- this rule triggers due to the all lowercase HTTP header name originally included in the HTTP/2 request between the client and the proxy.

One method of addressing this is to simply add nocase to all the negations of HTTP header names, though I'm not sure that is the best course of action.

I'm curious for thoughts/options that the engine might be able to offer to better address this problem.

Additionally, as HTTP/2 support grows and buffers are "overloaded" to allow backwards compatibility with HTTP/1 keywords, this issue will become more relevant.


Related issues 2 (1 open1 closed)

Related to Suricata - Feature #5775: http.headers - dynamic sticky buffersNewOISF DevActions
Related to Suricata - Feature #6290: support case insensitive testing of HTTP header name existenceClosedPhilippe AntoineActions
Actions

Also available in: Atom PDF