Suricata Rules HTTP Header not working

gosudvtnews · October 30, 2023, 3:00am

Here is my rules:
alert http any any -> any any (msg:"TEST"; http.method; content:"POST"; http.uri; content:"/test"; http.header; content:"Transfer-Encoding|3a 20|chunked, chunked"; fast_pattern; sid:10000000;)
I tried with Request bellow but Suricata does not throw Alert, some one can help me. Thanks

lukashino · October 30, 2023, 8:56am

What is your (traffic) input? Are you feeding a PCAP to Suricata? Or are you listening live on the device?

Suricata needs to see full flow from the beginning (unless extra settings are specified), so if you are only investigating on a single packet then that will not work.

bmurphy · October 30, 2023, 1:40pm

This might be related to this issue - Bug #6415: Suricata not populating http.header, http.header.raw and http.request_header buffers when malformed header value exists - Suricata - Open Information Security Foundation

I think, though i’m not 100% sure, but it kinda looks like libhtp is considering anything that isn’t exactly “chunked” (case insensitive) to be invalid.

github.com

OISF/libhtp/blob/0.5.x/htp/htp_transaction.c#L408


      
          htp_header_t *te = htp_table_get_c(tx->request_headers, "transfer-encoding");
          
          // Check for the Transfer-Encoding header, which would indicate a chunked request body.
          if (te != NULL) {
              // Make sure it contains "chunked" only.
              // TODO The HTTP/1.1 RFC also allows the T-E header to contain "identity", which
              //      presumably should have the same effect as T-E header absence. However, Apache
              //      (2.2.22 on Ubuntu 12.04 LTS) instead errors out with "Unknown Transfer-Encoding: identity".
              //      And it behaves strangely, too, sending a 501 and proceeding to process the request
              //      (e.g., PHP is run), but without the body. It then closes the connection.
              if (bstr_cmp_c_nocase(te->value, "chunked") != 0) {
                  // Invalid T-E header value.
                  tx->request_transfer_coding = HTP_CODING_INVALID;
                  tx->flags |= HTP_REQUEST_INVALID_T_E;
                  tx->flags |= HTP_REQUEST_INVALID;
              } else {
                  // Chunked encoding is a HTTP/1.1 feature, so check that an earlier protocol
                  // version is not used. The flag will also be set if the protocol could not be parsed.
                  //
                  // TODO IIS 7.0, for example, would ignore the T-E header when it
                  //      it is used with a protocol below HTTP 1.1. This should be a

github.com

OISF/libhtp/blob/0.5.x/htp/bstr.c#L217-L221


      
          
          int bstr_cmp_c_nocase(const bstr *b, const char *c) {
              return bstr_util_cmp_mem_nocase(bstr_ptr(b), bstr_len(b), c, strlen(c));
          }

github.com

OISF/libhtp/blob/0.5.x/htp/bstr.c#L374-L400


      
          int bstr_util_cmp_mem_nocase(const void *_data1, size_t len1, const void *_data2, size_t len2) {
              const unsigned char *data1 = (const unsigned char *) _data1;
              const unsigned char *data2 = (const unsigned char *) _data2;
              size_t p1 = 0, p2 = 0;
          
              while ((p1 < len1) && (p2 < len2)) {
                  if (tolower(data1[p1]) != tolower(data2[p2])) {
                      // Difference.
                      return (tolower(data1[p1]) < tolower(data2[p2])) ? -1 : 1;
                  }
          
                  p1++;
                  p2++;
              }
          
              if ((p1 == len2) && (p2 == len1)) {
                  // They're identical.
                  return 0;
              } else {
                  // One string is shorter.

This file has been truncated. show original

gosudvtnews · October 31, 2023, 1:28am

I try with listening live on the device interface ens33 and sending request via burpsuite but no alrert throw, when i remove http.header the rule was trigger

Topic		Replies	Views
Suricata rules & the proxy protocol Help	4	1199	May 31, 2021
Rule using http does not matching get request Rules	2	1023	January 18, 2022
Ssh and http protocol rule not work Help suricata	3	119	April 27, 2024
Suricata don`t mutch http post request with my rule Help rules	7	642	November 5, 2021
Bypassing encrypted traffic does not seem to work Help	8	1527	December 10, 2021

Suricata Rules HTTP Header not working

Related Topics