Project

General

Profile

Actions

Documentation #6992

open

Document normalization of header name/value separator

Added by Brandon Murphy 8 months ago. Updated 8 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Based on the attached pcap and associated rules, it would appear that within, at least the http.header and http.request_header buffer the header name and value separator is normalized to a |3a 20| despite the actual traffic being separated with just a |3a|. This normalization makes sense, but is not a documented behavior.

pcap contents

GET /foo HTTP/1.1
Host: example.com
User-Agent:Windows-Update-Agent

associated rules

Use custom rules
alert http any any -> any any (msg:"http.header - no space included"; flow:established,to_server; http.header; content:"User-Agent|3a|Windows-Update-Agent"; fast_pattern; sid:1; rev:1;)
alert http any any -> any any (msg:"http.header - space included"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Windows-Update-Agent"; fast_pattern; sid:2; rev:1;)
alert http any any -> any any (msg:"http.requset_header - space included"; flow:established,to_server; http.request_header; content:"User-Agent|3a 20|Windows-Update-Agent"; fast_pattern; sid:3; rev:1;)


Files

header_missing_space.pcap (447 Bytes) header_missing_space.pcap Brandon Murphy, 04/27/2024 02:29 PM
Actions

Also available in: Atom PDF