[Oisf-users] Suricata & http_header

Victor Julien lists at inliniac.net
Fri Oct 28 12:53:09 UTC 2011


Thanks to our QA ace Peter Manev I found an interesting peculiarity in
how we deal with http_header in Suricata: the header normalization
removes any trailing whitespace or tab characters from a header line. So
a header like:

User-Agent: doshowmeanad \r\n

becomes

User-Agent: doshowmeanad\r\n

This causes a false negative with sid 2008142 as it matches on:

content:"User-Agent|3a| doshowmeanad "; http_header;

Solution would be to either use http_raw_header or remove the trailing
whitespace from the content.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------




More information about the Oisf-users mailing list