This might be related to this issue - Bug #6415: Suricata not populating http.header, http.header.raw and http.request_header buffers when malformed header value exists - Suricata - Open Information Security Foundation
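I think, though I'm not 100% sure, but it kinda looks like libhtp is considering any Transfer-Encoding value that isn't exactly “chunked” (case insensitive) to be invalid. In the excerpt below, the whole header value is compared with bstr_cmp_c_nocase(te->value, "chunked"), and any non-zero result sets HTP_CODING_INVALID plus the HTP_REQUEST_INVALID_T_E and HTP_REQUEST_INVALID flags.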
htp_header_t *te = htp_table_get_c(tx->request_headers, "transfer-encoding");
// Check for the Transfer-Encoding header, which would indicate a chunked request body.
if (te != NULL) {
// Make sure it contains "chunked" only.
// TODO The HTTP/1.1 RFC also allows the T-E header to contain "identity", which
// presumably should have the same effect as T-E header absence. However, Apache
// (2.2.22 on Ubuntu 12.04 LTS) instead errors out with "Unknown Transfer-Encoding: identity".
// And it behaves strangely, too, sending a 501 and proceeding to process the request
// (e.g., PHP is run), but without the body. It then closes the connection.
if (bstr_cmp_c_nocase(te->value, "chunked") != 0) {
// Invalid T-E header value.
tx->request_transfer_coding = HTP_CODING_INVALID;
tx->flags |= HTP_REQUEST_INVALID_T_E;
tx->flags |= HTP_REQUEST_INVALID;
} else {
// Chunked encoding is a HTTP/1.1 feature, so check that an earlier protocol
// version is not used. The flag will also be set if the protocol could not be parsed.
//
// TODO IIS 7.0, for example, would ignore the T-E header when it
// it is used with a protocol below HTTP 1.1. This should be a
/**
 * Case-insensitive comparison of a bstr against a NUL-terminated C string.
 *
 * Thin wrapper: hands the bstr's data pointer and length, plus the C string
 * and its strlen(), to bstr_util_cmp_mem_nocase() and returns that result
 * unchanged. Both full lengths are passed, so the comparison covers the
 * entire value of b rather than a prefix or a substring; a caller checking
 * for a single token such as "chunked" is therefore doing a whole-value match.
 *
 * @param b  bstr to compare; read through bstr_ptr() and bstr_len().
 * @param c  NUL-terminated string; must not be NULL, since strlen() is
 *           called on it.
 * @return   Whatever bstr_util_cmp_mem_nocase() returns; 0 when that helper
 *           reports the two inputs as identical.
 */
int bstr_cmp_c_nocase(const bstr *b, const char *c) {
    // Measure the C string once; the helper works on (pointer, length) pairs.
    const size_t c_len = strlen(c);
    const void *b_data = bstr_ptr(b);
    const size_t b_len = bstr_len(b);

    return bstr_util_cmp_mem_nocase(b_data, b_len, c, c_len);
}
int bstr_util_cmp_mem_nocase(const void *_data1, size_t len1, const void *_data2, size_t len2) {
const unsigned char *data1 = (const unsigned char *) _data1;
const unsigned char *data2 = (const unsigned char *) _data2;
size_t p1 = 0, p2 = 0;
while ((p1 < len1) && (p2 < len2)) {
if (tolower(data1[p1]) != tolower(data2[p2])) {
// Difference.
return (tolower(data1[p1]) < tolower(data2[p2])) ? -1 : 1;
}
p1++;
p2++;
}
if ((p1 == len2) && (p2 == len1)) {
// They're identical.
return 0;
} else {
// One string is shorter.