Actions
Documentation #6992
openDocument normalization of header name/value separator
Affected Versions:
Effort:
Difficulty:
Label:
Description
Based on the attached pcap and associated rules, it would appear that within, at least the http.header and http.request_header buffer the header name and value separator is normalized to a |3a 20| despite the actual traffic being separated with just a |3a|. This normalization makes sense, but is not a documented behavior.
pcap contents
GET /foo HTTP/1.1 Host: example.com User-Agent:Windows-Update-Agent
associated rules
Use custom rules alert http any any -> any any (msg:"http.header - no space included"; flow:established,to_server; http.header; content:"User-Agent|3a|Windows-Update-Agent"; fast_pattern; sid:1; rev:1;) alert http any any -> any any (msg:"http.header - space included"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Windows-Update-Agent"; fast_pattern; sid:2; rev:1;) alert http any any -> any any (msg:"http.requset_header - space included"; flow:established,to_server; http.request_header; content:"User-Agent|3a 20|Windows-Update-Agent"; fast_pattern; sid:3; rev:1;)
Files
Actions