Bug #849 (closed): Not alerting on invalid http request Content-Length
Description
In the pcaps attached:
1) - http-events-abnormal-No-Content-Length.pcap
2) - http-events-abnormal-Invalid-Content-Length.pcap
3) - InvalidContentLengthApacheResponse.pcap
4) - ValidContentLengthApacheResponse.pcap
- 2) is with invalid content length - "Content-Length: 2040\r\n" added to the http request, packet 4.
- 1) is with the valid content length
In situation 2) wireshark does not recognize the http request - it just recognizes it as a valid TCP segment, which would be correct I think, since the content length is invalid.
Suricata recognizes 2) as a http request.
It is the exact same situation if the same is mirrored for the http response.
However, the rules:

alert http any any -> any any (msg:"SURICATA HTTP invalid content length field in request"; flow:established,to_server; app-layer-event:http.invalid_content_length_field_in_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221007; rev:1;)

alert http any any -> any any (msg:"SURICATA HTTP invalid content length field in response"; flow:established,to_client; app-layer-event:http.invalid_content_length_field_in_response; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221008; rev:1;)

from http-events.rules do not generate an alert (nor do any of the other rules in http-events.rules, for that matter) in either respective case (request or response).
3) and 4) are the same case, but real cases against an Apache web server.
Does not alert with 2.0dev (rev 5157ce1), 1.4.3, or 2.0dev (rev cd7b4fa - latest git master).
Running Suri with:
suricata -c /etc/suricata/suricata.yaml -S /http-events.rules -r /root/Work/suricata/BUG/InvalidContentLength/http-events-abnormal-Invalid-Content-Length.pcap --runmode=single
Thanks
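To make the cases in this report concrete, here is an added, standalone Python checker (not Suricata or libhtp code, and not the reporter's) that parses a raw HTTP/1.x message and classifies its Content-Length field: absent (case 1), a declared length that does not match the body bytes actually present (case 2, "Content-Length: 2040" over a short request), a non-numeric value, or a duplicate header with conflicting values. The sample messages are constructed here and are not taken from the attached pcaps; how Suricata's `http.invalid_content_length_field_in_request` event is actually raised is not reproduced, this only shows the kinds of checks such a parser performs.

```python
import re

# Constructed sample requests (not extracted from the pcaps attached to this bug).
REQ_NO_LENGTH = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)
REQ_DECLARED_2040 = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 2040\r\n"
    b"\r\n"
    b"name=value"  # only 10 body bytes follow, not the 2040 declared
)
REQ_NON_NUMERIC = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: abc\r\n"
    b"\r\n"
)
REQ_CONFLICTING = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 10\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"name=value"
)


def parse_message(raw: bytes):
    """Split a raw HTTP/1.x message into (start line, headers, body).

    Headers are keyed by lower-cased name and kept as lists so that repeated
    headers stay visible instead of silently overwriting each other.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block: no CRLFCRLF terminator")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start_line, headers, body


def check_content_length(raw: bytes) -> dict:
    """Classify the Content-Length field of one complete HTTP message.

    'event' is one of:
      'absent'    - no Content-Length header at all
      'conflict'  - several Content-Length headers with differing values
      'malformed' - value is not a non-negative decimal integer
      'mismatch'  - declared length differs from the body bytes present
      'ok'        - declared length equals the body length
    """
    _, headers, body = parse_message(raw)
    values = headers.get(b"content-length", [])
    actual = len(body)
    if not values:
        return {"event": "absent", "declared": None, "actual": actual}
    if len(set(values)) > 1:
        return {"event": "conflict",
                "declared": [v.decode("latin-1") for v in values],
                "actual": actual}
    value = values[0]
    # Only plain decimal digits are acceptable; signs, spaces, hex, etc. are not.
    if not re.fullmatch(rb"[0-9]+", value):
        return {"event": "malformed",
                "declared": value.decode("latin-1", "replace"),
                "actual": actual}
    declared = int(value)
    event = "ok" if declared == actual else "mismatch"
    return {"event": event, "declared": declared, "actual": actual}


if __name__ == "__main__":
    samples = [("no Content-Length", REQ_NO_LENGTH),
               ("declared 2040", REQ_DECLARED_2040),
               ("non-numeric", REQ_NON_NUMERIC),
               ("conflicting", REQ_CONFLICTING)]
    for label, msg in samples:
        print(f"{label:18s} -> {check_content_length(msg)}")
```

The same function works on a response if the start line is a status line, since only the header block and body are inspected; on a live capture the 'mismatch' case can also mean the message is simply not complete yet, which is why a stream parser like Suricata's has to wait for the declared number of bytes (or the end of the stream) before deciding.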