Suricata

Jason Taylor wrote:

I was working on ticket #3025 and reviewing the http.request_header and http.response_header keywords and found they did not work as I expected from reading the existing documentation with regard to HTTP1 traffic.

Using a signature with either keyword http.request_header or http.response_header and using any header and value other than the last header in the header request or response header list did not trigger an alert on HTTP1 traffic.

Signature examples for the attached pcap that do not fire:

alert http any any -> any any (msg:"request_header"; flow:established,to_server; http.request_header; content:"Connection|3a 20|"; classtype:bad-unknown; sid:1; rev:1;)

alert http any any -> any any (msg:"response_header"; flow:established,to_client; http.response_header; content:"Connection|3a 20|"; classtype:bad-unknown; sid:2; rev:1;)

Signature examples for the attached pcap that fire alerts:

alert http any any -> any any (msg:"request_header"; flow:established,to_server; http.request_header; content:"User-Agent|3a 20|"; classtype:bad-unknown; sid:1; rev:1;)

alert http any any -> any any (msg:"response_header"; flow:established,to_client; http.response_header; content:"Date|3a 20|"; classtype:bad-unknown; sid:2; rev:1;)

As a side note, I was looking for suricata-verify tests for HTTP1 traffic for the http.request_header and http.response_header keywords and didn't see any. I can submit a PR for some tests if that would be wanted.

@Jason Taylor a SV test would be most welcome!

Victor Julien wrote in #note-5:

This has been fixed in 7.0.3 as part of work around #6441.

is 6441 a private issue? I get a 403 when accessing it.

Yes #6441 is a private issue

See https://github.com/OISF/suricata-verify/pull/1637 with the pcap and rules from this ticket