Feature #5774
openAddressing Mixed Case in HTTP Headers Names and HTTP2
Description
Today we have a large amount of rules which use content negations of specific header names similar to the following logic.
http.header_names; content:!"Accept-"; content:!"Content-Type";
However, we have been receiving some feedback regarding FPs due to a unique case where proxies are converting an HTTP/2 request from the client into HTTP/1 out to the destination server and maintaining all lowercase headers names, while adding some which are camelcased.
Consider the following HTTP request which was collected from an environment which exhibited this behavior and the ET Open rule which triggered on this traffic.
GET /catalog/123 HTTP/1.1 Host: foo.bar sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101" sec-ch-ua-mobile: ?0 user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 sec-ch-ua-platform: "macOS" accept: */* sec-fetch-site: cross-site sec-fetch-mode: no-cors sec-fetch-dest: script referer: https://example.com/ accept-encoding: gzip, deflate, br accept-language: en-US,en;q=0.9 Cache-Control: max-stale=0 Connection: Keep-Alive
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot URI Struct"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/catalog/"; fast_pattern; pcre:"/\/catalog\/\d{3,}$/"; http.header; content:!"nap.edu|0d 0a|"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,b8e0b97c8e9faa6e5daa8f0cac845516; classtype:trojan-activity; sid:2019458; rev:5; metadata:created_at 2014_10_17, updated_at 2020_10_07;)
Despite the content negations for the Accept- this rule triggers due to the all lowercase HTTP header name originally included in the HTTP/2 request between the client and the proxy.
One method of addressing this is to simply add nocase to all the negations of HTTP header names, though I'm not sure that is the best course of action.
I'm curious for thoughts/options that the engine might be able to offer to better address this problem.
Additionally, as HTTP/2 support grows and buffers are "overloaded" to allow backwards compatibility with HTTP/1 keywords, this issue will become more relevant.