Bug #6547: HTTP/2 - http.response_line has leading space - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #6547

closed

HTTP/2 - http.response_line has leading space

Added by Brandon Murphy 12 months ago. Updated 11 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

8.0.0-beta1

Affected Versions:

7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, git master

Effort:

Difficulty:

Label:

Description

Consider the following following which triggers on a HTTP/2 200 response

alert http2 any any -> any any (msg:"test"; http.response_line; bsize:13; content:"|20|HTTP/2 200|0d 0a|";)

It appears to have been caused by this line
https://github.com/OISF/suricata/blob/68a2fcaad3abcd503246feca730dc2da1ff91af2/rust/src/http2/detect.rs#L548

    resp_line.extend(b" HTTP/2 ");
    resp_line.extend(status);
    resp_line.extend(b"\r\n");
    tx.resp_line.extend(resp_line)
}

I'm not 100% sure if this was intentional, if so I fail to understand the use case. I'm guessing it was a copy/paste from the request_line which did require this additional space.

Subtasks 1 (0 open — 1 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #6547

HTTP/2 - http.response_line has leading space

Updated by Victor Julien 12 months ago

Updated by Victor Julien 12 months ago

Updated by Philippe Antoine 12 months ago

Updated by OISF Ticketbot 12 months ago

Updated by OISF Ticketbot 12 months ago

Updated by Philippe Antoine 11 months ago

Updated by Philippe Antoine 11 months ago