Using http.uri rules with spaces in the URI?

I’m curious about the correct way to match http requests which have a space in the URI.

For example:

alert http any any -> any any ( http.uri; content:"index.html?var=Flash Player";   )

Is that legal?

I would expect that to match on an HTTP request such as

GET index.html?var=Flash Player HTTP/1.0
User-Agent: curl
Host: localhost

foo

But it doesn’t seem to.

However…

alert http any any -> any any ( http.uri; content:"index.html?var=Flash+Player";   )

matches on the following

GET index.html?var=Flash+Player HTTP/1.0
User-Agent: curl
Host: localhost

foo

How should I match the space in the first example then?

Does Suricata stop filling the http.uri buffer when it first encounters a space?

For example on

GET index.html?var=Flash Player HTTP/1.0

the rule

alert http any any -> any any ( http.uri; content:"index.html?var=Flash";   )

will alert, but…

alert http any any -> any any ( http.uri; content:"Player";   )

…does not.

(PCAPs attached)

flash_plus_player.pcap (319 Bytes)
flash_space_player.pcap (319 Bytes)
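The behaviour observed above can be reproduced with a small model of how an HTTP/1.0 request line is tokenized. This is an added, constructed example; it is not Suricata's or libhtp's code and does not claim to show where Suricata actually stores the leftover tokens. It only shows that a whitespace-delimited split of `METHOD SP request-target SP HTTP-version` (RFC 7230 3.1.1) ends the URI token at the first space, which is why `content:"index.html?var=Flash"` matches and `content:"Player"` does not. The function names, the `unparsed` field and the lenient parser are assumptions made for illustration.

```python
"""Toy model of HTTP request-line tokenization, constructed for this thread.
Not Suricata or libhtp code: it only illustrates why a literal space in the
request-target truncates the URI token at that space."""
from urllib.parse import quote


def parse_request_line(line: str) -> dict:
    """Strict, whitespace-delimited split (RFC 7230: method SP target SP version).

    A request-target is not allowed to contain a raw space, so a strict
    tokenizer treats the first space after the method as the end of the URI.
    Whatever follows, up to the version, is kept here as `unparsed` so the
    caller can see where the rest of the "URI" went (field name is an
    assumption for this model, not a Suricata buffer name).
    """
    parts = line.split(" ")
    if len(parts) < 3:
        raise ValueError(f"malformed request line: {line!r}")
    return {
        "method": parts[0],
        "uri": parts[1],
        "version": parts[-1],
        "unparsed": parts[2:-1],
    }


def parse_request_line_lenient(line: str) -> dict:
    """Tolerant split: first token is the method, last token is the version,
    everything in between is taken as the URI, spaces included.
    Shown only as the contrast to the strict parser above."""
    method, rest = line.split(" ", 1)
    uri, version = rest.rsplit(" ", 1)
    return {"method": method, "uri": uri, "version": version}


def uri_contains(line: str, needle: str, lenient: bool = False) -> bool:
    """Model of a `http.uri; content:"<needle>";` match against the URI token."""
    parser = parse_request_line_lenient if lenient else parse_request_line
    return needle in parser(line)["uri"]


def safe_request_line(method: str, path: str, query_pairs, version: str = "HTTP/1.0") -> str:
    """Build a request line whose URI can never contain a raw space: query
    keys and values are percent-encoded, so the URI stays a single token."""
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in query_pairs)
    return f"{method} {path}?{query} {version}"


if __name__ == "__main__":
    # Constructed request lines mirroring the two PCAPs described in the post.
    space_line = "GET index.html?var=Flash Player HTTP/1.0"
    plus_line = "GET index.html?var=Flash+Player HTTP/1.0"
    for line in (space_line, plus_line):
        print(line, "->", parse_request_line(line))
    print("strict  'Player' in uri:", uri_contains(space_line, "Player"))
    print("lenient 'Player' in uri:", uri_contains(space_line, "Player", lenient=True))
    print("encoded:", safe_request_line("GET", "index.html", [("var", "Flash Player")]))
```

Running the block prints the strict parse of both request lines: for the space variant the URI token is `index.html?var=Flash` and `Player` lands in `unparsed`, while the `+` variant keeps the whole query in the URI token. `safe_request_line` shows the client-side fix, encoding the space as `%20` so the request-target remains one token.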

This is a known issue, please see


Wow! Thank you. I did conclude that it was putting everything after the first space in the uri into the http.method buffer.