Bug #993: libhtp upgrade to handle responses first - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #993

closed

libhtp upgrade to handle responses first

Added by Anoop Saldanha about 11 years ago. Updated almost 7 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

4.1beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

libhtp would be having a feature upgrade/update where it would accept responses, as opposed to the current implementation where it can't handle response before request.

When such an upgrade comes through, we will have to configure our http parser to allow receiving http responses first.

Actions

Copy link

Updated by Anoop Saldanha about 11 years ago

Also we have currently inserted BUG_ON() inside our http parser that would be hit, if we end up seeing a response first. Currently this serves more as a debug to pick up any bugs in suricata's updated protocol detection.

Once the libhtp update comes in, this should go.

Actions

Copy link

Updated by Victor Julien about 11 years ago

Whats the purpose of the BUG_ON? Sounds like this is a trivial DOS to everyone running this code?

Actions

Copy link

Updated by Anoop Saldanha about 11 years ago

We should never go through this code sequence in the first place, i.e.
response gets sent first in case of http. If we do there's a very good
chance that we would segv in detection.

The main reason why I have it in dev branch is to catch any bugs or for
missed corner cases in the new protocol detection code. Makes it easier
to debug than catch a segv later in detection, as confirmed by the bug
reports form bug_989.

Actions

Copy link