[Oisf-devel] http_host & http_raw_host

Victor Julien victor at inliniac.net
Tue Mar 19 11:05:13 UTC 2013


On 03/19/2013 12:03 PM, Anoop Saldanha wrote:
> On Tue, Mar 19, 2013 at 4:23 PM, Victor Julien <victor at inliniac.net> wrote:
>> In the new http_host, which host is selected if we have:
>>
>> GET http://one/ HTTP/1.0
>> Host: two
>>
>> One or two?
> 
> One.  The uri value gets priority over the header value.
> 
>>
>> I know "alert http any any -> any any (msg:"SURICATA HTTP Host header
>> ambiguous"; flow:established,to_server;
>> app-layer-event:http.host_header_ambiguous;
>> flowint:http.anomaly.count,+,1; classtype:protocol-command-decode;
>> sid:2221015; rev:1;)" will fire in this case, but I assume the http_host
>> keyword will fire on something as well.
>>
>> Also, what does http_raw_host match on specifically?
>>
> 
> Same logic as above.
> 

Thanks.

What is the overall difference between http_host and http_raw_host? I
don't think we do normalization of the host, do we?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
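
The precedence described in the reply above (the host from an absolute request URI wins over the Host header, and a mismatch is what the host_header_ambiguous event reports), as an added sketch that is not code from this thread, Suricata or libhtp. The function names are hypothetical, and comparing hostnames case-insensitively with the port ignored is an assumption of this sketch:

```python
import re


def _hostname(authority):
    """Strip userinfo and port from an authority or Host header value."""
    authority = authority.rsplit("@", 1)[-1]
    if authority.startswith("["):              # bracketed IPv6 literal
        return authority[: authority.find("]") + 1]
    return authority.split(":", 1)[0]


def select_host(raw_request):
    """Return (selected_host, ambiguous) for one raw HTTP request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else ""

    # Host from an absolute-form target such as "GET http://one/ HTTP/1.0".
    # An origin-form target ("/path?u=http://x") carries no host of its own.
    uri_host = None
    if "://" in target and not target.startswith("/"):
        authority = re.split(r"[/?#]", target.split("://", 1)[1], maxsplit=1)[0]
        uri_host = _hostname(authority) or None

    # Host from the first Host header (header names are case-insensitive).
    header_host = None
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            header_host = _hostname(value.strip()) or None
            break

    # The URI value gets priority over the header value.
    selected = uri_host if uri_host is not None else header_host
    # Assumption: "ambiguous" means both are present and name different hosts.
    ambiguous = (uri_host is not None and header_host is not None
                 and uri_host.lower() != header_host.lower())
    return selected, ambiguous


if __name__ == "__main__":
    # Constructed request, same shape as the one quoted in the thread.
    print(select_host(b"GET http://one/ HTTP/1.0\r\nHost: two\r\n\r\n"))
```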



