Bug #6479

closed

HTTP/2 - when userinfo is in the :authority pseudo header it breaks http.host

Added by Brandon Murphy 6 months ago. Updated 6 months ago.

Status: Closed
Priority: Normal

Description

When testing the normalized http.host field when userinfo is included in the :authority pseudo header, only the username field makes it into the http.host buffer.

Sids 2 and 3 fire on the attached pcap.

alert http any any -> any any (msg:"user info in http.host"; flow:established,to_server; http.host; content:"username|3a|password"; sid:1;)
alert http any any -> any any (msg:"user info in http.host"; flow:established,to_server; http.host; content:"username"; sid:2;)
alert http any any -> any any (msg:"user info in http.host"; flow:established,to_server; http.host; bsize:8; content:"username"; sid:3;)

I shouldn't be trusted to read this, but I think this section of code is extracting anything "up to" the first colon in the authority?

https://github.com/OISF/suricata/blob/c8a7204b159553d338a6294218e696a72efdb4db/rust/src/http2/detect.rs#L617-L624

thus resulting in the "username" value making it to http.host;

Expected Behavior: the userinfo should be removed altogether, but left in http.host.raw.


Files

http2_userinfo_in_authority_1.pcap (1.05 KB), Brandon Murphy, 11/09/2023 01:01 PM
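
The behaviour described in the report, as an added example that is not Suricata's code: `host_first_colon` models the reporter's reading of the linked lines (keep everything before the first colon), and `host_without_userinfo` implements the expected behaviour. Both function names are hypothetical, and the authority values are constructed, not taken from the attached pcap.

```rust
// Added illustration; function names are hypothetical, not Suricata's.

/// Models the reading in the report: keep everything before the first ':'
/// on the assumption that the colon introduces the port.
fn host_first_colon(authority: &[u8]) -> &[u8] {
    match authority.iter().position(|&c| c == b':') {
        Some(p) => &authority[..p],
        None => authority,
    }
}

/// Expected behaviour: drop userinfo first, then drop the port.
/// authority = [ userinfo "@" ] host [ ":" port ]   (RFC 3986, section 3.2)
fn host_without_userinfo(authority: &[u8]) -> &[u8] {
    // A valid authority has at most one '@'; for malformed input with
    // several, this sketch treats the last one as the userinfo delimiter.
    let hostport = match authority.iter().rposition(|&c| c == b'@') {
        Some(p) => &authority[p + 1..],
        None => authority,
    };
    if hostport.first() == Some(&b'[') {
        // IPv6 literal: the host runs to the closing bracket, colons included.
        return match hostport.iter().position(|&c| c == b']') {
            Some(p) => &hostport[..=p],
            None => hostport,
        };
    }
    match hostport.iter().position(|&c| c == b':') {
        Some(p) => &hostport[..p],
        None => hostport,
    }
}

fn main() {
    // Constructed sample authorities.
    let samples = ["username:password@example.com:8080", "example.com:8080", "user@[::1]:443"];
    for a in samples {
        println!(
            "{:<36} first-colon={:?} expected={:?}",
            a,
            String::from_utf8_lossy(host_first_colon(a.as_bytes())),
            String::from_utf8_lossy(host_without_userinfo(a.as_bytes()))
        );
    }
}
```

With the first constructed authority, the first-colon split returns the 8-byte value `username`, which is the buffer that sids 2 and 3 (including `bsize:8`) match and sid 1 does not.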