Documentation #6992: Document normalization of header name/value separator - Suricata - Open Information Security Foundation

Actions

Copy link

Documentation #6992

open

Document normalization of header name/value separator

Added by Brandon Murphy 6 months ago. Updated 6 months ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Affected Versions:

Effort:

Difficulty:

Label:

Description

Based on the attached pcap and associated rules, it would appear that within, at least the http.header and http.request_header buffer the header name and value separator is normalized to a |3a 20| despite the actual traffic being separated with just a |3a|. This normalization makes sense, but is not a documented behavior.

pcap contents

GET /foo HTTP/1.1
Host: example.com
User-Agent:Windows-Update-Agent

associated rules

Use custom rules
alert http any any -> any any (msg:"http.header - no space included"; flow:established,to_server; http.header; content:"User-Agent|3a|Windows-Update-Agent"; fast_pattern; sid:1; rev:1;)
alert http any any -> any any (msg:"http.header - space included"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Windows-Update-Agent"; fast_pattern; sid:2; rev:1;)
alert http any any -> any any (msg:"http.requset_header - space included"; flow:established,to_server; http.request_header; content:"User-Agent|3a 20|Windows-Update-Agent"; fast_pattern; sid:3; rev:1;)

Files

header_missing_space.pcap (447 Bytes) header_missing_space.pcap

Brandon Murphy, 04/27/2024 02:29 PM