[Oisf-devel] http_host & http_raw_host

Victor Julien victor at inliniac.net
Tue Mar 19 11:56:57 UTC 2013


On 03/19/2013 12:22 PM, Anoop Saldanha wrote:
> On Tue, Mar 19, 2013 at 4:35 PM, Victor Julien <victor at inliniac.net> wrote:
>> On 03/19/2013 12:03 PM, Anoop Saldanha wrote:
>>> On Tue, Mar 19, 2013 at 4:23 PM, Victor Julien <victor at inliniac.net> wrote:
>>>> In the new http_host, which host is selected if we have:
>>>>
>>>> GET http://one/ HTTP/1.0
>>>> Host: two
>>>>
>>>> One or two?
>>>
>>> One.  The uri value gets priority over the header value.
>>>
>>>>
>>>> I know "alert http any any -> any any (msg:"SURICATA HTTP Host header
>>>> ambiguous"; flow:established,to_server;
>>>> app-layer-event:http.host_header_ambiguous;
>>>> flowint:http.anomaly.count,+,1; classtype:protocol-command-decode;
>>>> sid:2221015; rev:1;)" will fire in this case, but I assume the http_host
>>>> keyword will fire on something as well.
>>>>
>>>> Also, what does http_raw_host match on specifically?
>>>>
>>>
>>> Same logic as above.
>>>
>>
>> Thanks.
>>
>> What is the overall difference between http_host and http_raw_host? I
>> don't think we do normalization of the host, do we?
>>
> 
> Case difference, iirc.  http_host is lowercase.  Will need to check
> with libhtp, though.
> 

Cool, please let me know.

Was wondering about something related. http_host is normalized to
lowercase. Yet it seems the rules are forced to set nocase, which is odd
I think. Adding nocase makes sure we take a slower code path while we
have no case to consider at all. We should only consider it at the rule
parsing stage.

So I think we need a different sort of warning:

e.g.: content:"Google.com"; http_host;

should warn "uppercase pattern against lowercase buffer, use lowercase
pattern or "nocase" if you're stupid" :)

Make sense?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
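As an added illustration of the semantics discussed in this thread (example code, not Suricata's or libhtp's own): a small Python model that selects the host with the priority Anoop describes (URI wins over the Host header), derives the `http_host` and `http_raw_host` values, and implements the parse-time warning Victor proposes for uppercase `http_host` patterns. The function names and the sample request are constructed for the example.

```python
import re

# Constructed sample, modelled on the request quoted in the thread: the
# absolute request URI names one host, the Host header another.
SAMPLE_REQUEST = b"GET http://One/ HTTP/1.0\r\nHost: Two\r\n\r\n"

def select_host(request: bytes):
    """Return (http_raw_host, http_host, ambiguous) for one raw request.
    Priority as stated in the thread: a host in an absolute request URI wins
    over the Host header. http_raw_host is the wire bytes, http_host the
    lowercased form; 'ambiguous' is set when both sources are present and
    name different hosts (compared case-insensitively)."""
    head = request.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = head[0].split(b" ")
    uri = parts[1] if len(parts) > 1 else b""
    m = re.match(rb"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]+)", uri)
    uri_host = m.group(1) if m else None
    header_host = None
    for line in head[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            header_host = value.strip()
            break
    raw = uri_host if uri_host is not None else header_host
    if raw is None:
        return None, None, False
    ambiguous = bool(uri_host and header_host and uri_host.lower() != header_host.lower())
    return raw, raw.lower(), ambiguous

def lint_http_host_rule(rule: str):
    """Parse-time check proposed in the thread: an uppercase content pattern
    applied to http_host cannot match the lowercased buffer unless nocase is
    set. Returns one warning string per offending pattern. Simplified option
    parsing (assumes no ';' or '|hex|' inside the pattern)."""
    opts = rule[rule.find("(") + 1 : rule.rfind(")")]
    tokens = [t.strip() for t in opts.split(";") if t.strip()]
    warnings = []
    pattern, on_host, nocase = None, False, False
    for tok in tokens + ["content:end"]:  # sentinel flushes the last content
        if tok.startswith("content:"):
            if pattern is not None and on_host and not nocase and pattern != pattern.lower():
                warnings.append(f'uppercase pattern "{pattern}" against lowercase '
                                'http_host buffer; use a lowercase pattern or nocase')
            pattern, on_host, nocase = tok.split(":", 1)[1].strip().strip('"'), False, False
        elif tok == "http_host":
            on_host = True
        elif tok == "nocase":
            nocase = True
    return warnings
```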