[Oisf-devel] http_host & http_raw_host

Anoop Saldanha anoopsaldanha at gmail.com
Tue Mar 19 12:05:25 UTC 2013 

On Tue, Mar 19, 2013 at 5:26 PM, Victor Julien <victor at inliniac.net> wrote:
> On 03/19/2013 12:22 PM, Anoop Saldanha wrote:
>> On Tue, Mar 19, 2013 at 4:35 PM, Victor Julien <victor at inliniac.net> wrote:
>>> On 03/19/2013 12:03 PM, Anoop Saldanha wrote:
>>>> On Tue, Mar 19, 2013 at 4:23 PM, Victor Julien <victor at inliniac.net> wrote:
>>>>> In the new http_host, which host is selected if we have:
>>>>>
>>>>> GET http://one/ HTTP/1.0
>>>>> Host: two
>>>>>
>>>>> One or two?
>>>>
>>>> One.  The uri value gets priority over the header value.
>>>>
>>>>>
>>>>> I know "alert http any any -> any any (msg:"SURICATA HTTP Host header
>>>>> ambiguous"; flow:established,to_server;
>>>>> app-layer-event:http.host_header_ambiguous;
>>>>> flowint:http.anomaly.count,+,1; classtype:protocol-command-decode;
>>>>> sid:2221015; rev:1;)" will fire in this case, but I assume the http_host
>>>>> keyword will fire on something as well.
>>>>>
>>>>> Also, what does http_raw_host match on specifically?
>>>>>
>>>>
>>>> Same logic as above.
>>>>
>>>
>>> Thanks.
>>>
>>> What is the overall difference between http_host and http_raw_host? I
>>> don't think we do normalization of the host, do we?
>>>
>>
>> Case difference, iirc.  http_host is lowercase.  Will need to check
>> with libhtp, though.
>>
>
> Cool, please let me know.
>
> Was wondering about something related. http_host is normalized to
> lowercase. Yet it seems the rules are forced to set nocase, which is odd
> I think.

I forced the nocase so that users don't have the misconception that
they can use a uppercase pattern without a nocase, and it still
matches against a lowercase uri.

> Adding nocase makes sure we take a slower code path while we
> have no case to consider at all.  We should only consider it at the rule
> parsing stage.
>

We don't take a slower code path.  If anything it is faster or am I
missing something?  It's considered at rule parsing stage.

> So I think we need a different sort of warning:
>
> e.g.: content:"Google.com"; http_host;
>
> should warn "uppercase pattern against lowercase buffer, use lowercase
> pattern or "nocase" if you're stupid" :)
>
> Make sense?
>

Makes sense, although I feel we should error out on such sigs, rather
than warn.  In the first place, such a sig is technically wrong, and
when we are reading such sigs quickly, we tend to not notice the
difference immediately.

-- 
Anoop Saldanha

More information about the Oisf-devel mailing list