[Oisf-devel] http_host & http_raw_host

Anoop Saldanha anoopsaldanha at gmail.com
Tue Mar 19 11:22:53 UTC 2013


On Tue, Mar 19, 2013 at 4:35 PM, Victor Julien <victor at inliniac.net> wrote:
> On 03/19/2013 12:03 PM, Anoop Saldanha wrote:
>> On Tue, Mar 19, 2013 at 4:23 PM, Victor Julien <victor at inliniac.net> wrote:
>>> In the new http_host, which host is selected if we have:
>>>
>>> GET http://one/ HTTP/1.0
>>> Host: two
>>>
>>> One or two?
>>
>> One.  The uri value gets priority over the header value.
>>
>>>
>>> I know "alert http any any -> any any (msg:"SURICATA HTTP Host header
>>> ambiguous"; flow:established,to_server;
>>> app-layer-event:http.host_header_ambiguous;
>>> flowint:http.anomaly.count,+,1; classtype:protocol-command-decode;
>>> sid:2221015; rev:1;)" will fire in this case, but I assume the http_host
>>> keyword will fire on something as well.
>>>
>>> Also, what does http_raw_host match on specifically?
>>>
>>
>> Same logic as above.
>>
>
> Thanks.
>
> What is the overall difference between http_host and http_raw_host? I
> don't think we do normalization of the host, do we?
>

Case difference, iirc.  http_host is lowercase.  Will need to check
with libhtp, though.

-- 
Anoop Saldanha
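An added illustration (not code from the thread, from Suricata or from libhtp): a small Python model of the host selection described above. It gives the host in an absolute request URI priority over the Host header, fills http_raw_host with the value as seen on the wire and http_host with the lowercased copy, and flags the "ambiguous" case where both sources are present and disagree. The port stripping and the case-insensitive comparison used for the ambiguity flag are assumptions of this example, not behaviour confirmed in the thread.

```python
"""Model of how the http_host / http_raw_host buffers are filled, written
from the behaviour described in the thread (added example, not Suricata or
libhtp code).

Assumptions not confirmed by the thread:
  * a ':port' suffix is dropped from both buffers
  * the ambiguity check compares the two sources case-insensitively
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HostBuffers:
    http_raw_host: Optional[str]  # host exactly as it appeared on the wire
    http_host: Optional[str]      # same value, lowercased
    ambiguous: bool               # URI host and Host header both present and disagree


def _strip_port(authority: str) -> str:
    """Return the host part of 'host', 'host:port' or '[v6literal]:port'."""
    if authority.startswith("["):
        end = authority.find("]")
        return authority[: end + 1] if end != -1 else authority
    return authority.split(":", 1)[0]


def _uri_host(uri: str) -> Optional[str]:
    """Host from an absolute request URI such as 'http://one/', else None."""
    scheme_sep = uri.find("://")
    if scheme_sep == -1:
        return None  # origin-form URI ('/index.html'): no host in it
    authority = uri[scheme_sep + 3:].split("/", 1)[0]
    authority = authority.rsplit("@", 1)[-1]  # drop any userinfo prefix
    return _strip_port(authority) or None


def _header_host(header_lines: List[str]) -> Optional[str]:
    """Value of the first Host header (name matched case-insensitively)."""
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return _strip_port(value.strip()) or None
    return None


def select_host(request: bytes) -> HostBuffers:
    """Fill the two host buffers for one raw HTTP request header block."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *headers = head.split("\r\n")
    fields = request_line.split(" ")
    if len(fields) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    from_uri = _uri_host(fields[1])
    from_header = _header_host(headers)
    # The URI value gets priority over the header value.
    raw = from_uri if from_uri is not None else from_header
    ambiguous = (from_uri is not None and from_header is not None
                 and from_uri.lower() != from_header.lower())
    return HostBuffers(raw, raw.lower() if raw is not None else None, ambiguous)


if __name__ == "__main__":
    # Constructed sample requests, including the one from the thread.
    for req in (b"GET http://one/ HTTP/1.0\r\nHost: two\r\n\r\n",
                b"GET /index.html HTTP/1.1\r\nHost: Example.COM:8080\r\n\r\n"):
        print(req.split(b"\r\n")[0].decode(), "->", select_host(req))
```

For the request quoted in the thread this yields http_raw_host and http_host both equal to "one" with the ambiguity flag set, which is the case in which the http.host_header_ambiguous rule would fire; a request with only a mixed-case Host header yields the raw value unchanged and a lowercased http_host.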