Bug #6736

closed

http.request_header and http.response_header behavior with HTTP1 traffic

Added by Jason Taylor 11 months ago. Updated 11 months ago.

Status: Closed
Priority: Normal

Description

I was working on ticket #3025 and reviewing the http.request_header and http.response_header keywords and found they did not work as I expected from reading the existing documentation with regard to HTTP1 traffic.

Using a signature with either keyword http.request_header or http.response_header and using any header and value other than the last header in the header request or response header list did not trigger an alert on HTTP1 traffic.


Files

http.request_response_header.pcap (1.36 KB), Jason Taylor, 02/05/2024 10:15 PM

Related issues 2 (0 open, 2 closed)

Related to Suricata - Security #6441: detect: heap use after free with http.request_header keyword (Closed, Philippe Antoine)
Related to Suricata - Bug #6483: http.request_headers - odd behavior with multiple signatures (Closed, Philippe Antoine)