Actions
Bug #6547
closedHTTP/2 - http.response_line has leading space
Description
Consider the following following which triggers on a HTTP/2 200 response
alert http2 any any -> any any (msg:"test"; http.response_line; bsize:13; content:"|20|HTTP/2 200|0d 0a|";)
It appears to have been caused by this line
https://github.com/OISF/suricata/blob/68a2fcaad3abcd503246feca730dc2da1ff91af2/rust/src/http2/detect.rs#L548
resp_line.extend(b" HTTP/2 ");
resp_line.extend(status);
resp_line.extend(b"\r\n");
tx.resp_line.extend(resp_line)
}
I'm not 100% sure if this was intentional, if so I fail to understand the use case. I'm guessing it was a copy/paste from the request_line which did require this additional space.
Updated by Victor Julien 12 months ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Philippe Antoine
- Priority changed from Normal to High
- Label Needs backport to 7.0 added
Looks like a bug indeed.
Updated by Victor Julien 12 months ago
- Target version changed from TBD to 8.0.0-beta1
Updated by Philippe Antoine 12 months ago
- Status changed from Assigned to In Review
Updated by Philippe Antoine 11 months ago
- Status changed from In Review to Resolved
Updated by Philippe Antoine 11 months ago
- Status changed from Resolved to Closed
Actions