Suricata Rules HTTP Header not working

gosudvtnews · October 30, 2023, 3:00am

Here is my rules:
alert http any any -> any any (msg:"TEST"; http.method; content:"POST"; http.uri; content:"/test"; http.header; content:"Transfer-Encoding|3a 20|chunked, chunked"; fast_pattern; sid:10000000;)
I tried with Request bellow but Suricata does not throw Alert, some one can help me. Thanks

lukashino · October 30, 2023, 8:56am

What is your (traffic) input? Are you feeding a PCAP to Suricata? Or are you listening live on the device?

Suricata needs to see full flow from the beginning (unless extra settings are specified), so if you are only investigating on a single packet then that will not work.

bmurphy · October 30, 2023, 1:40pm

This might be related to this issue - Bug #6415: Suricata not populating http.header, http.header.raw and http.request_header buffers when malformed header value exists - Suricata - Open Information Security Foundation

I think, though i’m not 100% sure, but it kinda looks like libhtp is considering anything that isn’t exactly “chunked” (case insensitive) to be invalid.

github.com

OISF/libhtp/blob/0.5.x/htp/htp_transaction.c#L408


      
          htp_header_t *te = htp_table_get_c(tx->request_headers, "transfer-encoding");
          
          // Check for the Transfer-Encoding header, which would indicate a chunked request body.
          if (te != NULL) {
              // Make sure it contains "chunked" only.
              // TODO The HTTP/1.1 RFC also allows the T-E header to contain "identity", which
              //      presumably should have the same effect as T-E header absence. However, Apache
              //      (2.2.22 on Ubuntu 12.04 LTS) instead errors out with "Unknown Transfer-Encoding: identity".
              //      And it behaves strangely, too, sending a 501 and proceeding to process the request
              //      (e.g., PHP is run), but without the body. It then closes the connection.
              if (bstr_cmp_c_nocase(te->value, "chunked") != 0) {
                  // Invalid T-E header value.
                  tx->request_transfer_coding = HTP_CODING_INVALID;
                  tx->flags |= HTP_REQUEST_INVALID_T_E;
                  tx->flags |= HTP_REQUEST_INVALID;
              } else {
                  // Chunked encoding is a HTTP/1.1 feature, so check that an earlier protocol
                  // version is not used. The flag will also be set if the protocol could not be parsed.
                  //
                  // TODO IIS 7.0, for example, would ignore the T-E header when it
                  //      it is used with a protocol below HTTP 1.1. This should be a

github.com

OISF/libhtp/blob/0.5.x/htp/bstr.c#L217-L221


      
          
          int bstr_cmp_c_nocase(const bstr *b, const char *c) {
              return bstr_util_cmp_mem_nocase(bstr_ptr(b), bstr_len(b), c, strlen(c));
          }

github.com

OISF/libhtp/blob/0.5.x/htp/bstr.c#L374-L400


      
          int bstr_util_cmp_mem_nocase(const void *_data1, size_t len1, const void *_data2, size_t len2) {
              const unsigned char *data1 = (const unsigned char *) _data1;
              const unsigned char *data2 = (const unsigned char *) _data2;
              size_t p1 = 0, p2 = 0;
          
              while ((p1 < len1) && (p2 < len2)) {
                  if (tolower(data1[p1]) != tolower(data2[p2])) {
                      // Difference.
                      return (tolower(data1[p1]) < tolower(data2[p2])) ? -1 : 1;
                  }
          
                  p1++;
                  p2++;
              }
          
              if ((p1 == len2) && (p2 == len1)) {
                  // They're identical.
                  return 0;
              } else {
                  // One string is shorter.

This file has been truncated. show original

gosudvtnews · October 31, 2023, 1:28am

I try with listening live on the device interface ens33 and sending request via burpsuite but no alrert throw, when i remove http.header the rule was trigger

Topic		Replies	Views
Suricata rules & the proxy protocol Help	4	1379	May 31, 2021
Some match bypass? Rules rules	27	1979	September 17, 2021
SURICATA HTTP unable to match response to request Rules	1	3300	November 1, 2021
HTTP rules not working - Suricata + EC2 + VPC Mirroring Help aws	3	686	September 17, 2022
Ssh and http protocol rule not work Help suricata	4	299	August 7, 2024

Suricata Rules HTTP Header not working

Related topics