Does http.header_names dedup header names?

jmtaylor90 · May 22, 2020, 1:17pm

I have a sample where there are two Accept header entries. I was going to use http.header_names to specify order, so in this case it would be something like content:“Accept|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|”. The rule doesn’t fire against said pcap with the double Accept defined. It will fire with content:“Accept|0d 0a|Accept-Language|0d 0a|”;

Is the apparent deduplication expected? It seems unintended based on the docs. Thanks in advance!

JT

vjulien · May 22, 2020, 6:45pm

libhtp dedups indead, and concats the values. See also:
https://redmine.openinfosecfoundation.org/issues/1275

It’s something I’d like to see fixed.

jmtaylor90 · June 1, 2020, 7:20pm

Ah, I see. Thanks Victor!

JT

Topic		Replies	Views
Segfaulting after a change to http/dns rules set Help	3	333	February 26, 2021
Restrict PCRE to Http Header Only	6	293	November 6, 2023
Matching on numerical content that is vaiable Rules	4	420	June 9, 2022
Different detection from rules when UDP header is broken Developers	4	607	January 4, 2023
Query about custom rule	12	140	December 18, 2023

Does http.header_names dedup header names?

Related Topics