[Snort-devel] Trailing headers on chunked requests not part of http_header buffer?

Will Metcalf william.metcalf at ...2499...
Fri Apr 9 14:41:33 EDT 2010


Shouldn't trailing headers on chunked http requests be included in the
normalized http_header buffer?  They are valid headers after all, with
the only restriction being that they can't be Transfer-Encoding,
Trailer, or Content-Length.  Going to be in 2.8.6 right? ;-)...

Regards,

Will

This fails...

alert tcp any any -> any any (msg:"chunked + trailing header";
content:"chunked"; http_header;  content:"Content-Type|3A| text";
http_header; classtype:bad-unknown; sid:165; rev:1;)

This works...

alert tcp any any -> any any (msg:"chunked + trailing header";
content:"chunked"; http_header;  content:"Content-Type|3A| text";
classtype:bad-unknown; sid:165; rev:1;)


POST http://192.168.2.4/cgi-bin/printenv HTTP/1.1
Host:192.168.2.4
Transfer-Encoding: chunked
Trailer: Content-Type

4
some
6
string
0
Content-Type: text/plain



HTTP/1.1 200 OK
Date: Fri, 09 Apr 2010 11:23:01 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain; charset=iso-8859-1

288
DOCUMENT_ROOT="/var/www/html"
GATEWAY_INTERFACE="CGI/1.1"
HTTP_HOST="192.168.2.4"
HTTP_TRAILER="Content-Type"
HTTP_TRANSFER_ENCODING="chunked"
PATH="/sbin:/usr/sbin:/bin:/usr/bin"
QUERY_STRING=""
REMOTE_ADDR="192.168.2.3"
REMOTE_PORT="36231"
REQUEST_METHOD="POST"
REQUEST_URI="http://192.168.2.4/cgi-bin/printenv"
SCRIPT_FILENAME="/var/www/cgi-bin/printenv"
SCRIPT_NAME="/cgi-bin/printenv"
SERVER_ADDR="192.168.2.4"
SERVER_ADMIN="root at ...196..."
SERVER_NAME="192.168.2.4"
SERVER_PORT="80"
SERVER_PROTOCOL="HTTP/1.1"
SERVER_SIGNATURE="<address>Apache/2.2.3 (CentOS) Server at 192.168.2.4
Port 80</address>\n"
SERVER_SOFTWARE="Apache/2.2.3 (CentOS)"


0
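
The gap described in this post, as an added example that is not part of the original message or of Snort's code: a small Python parser run over a request constructed from the capture above, showing that a buffer built only from the leading headers misses the `Content-Type` trailer, while one that appends the trailer fields contains it. The function names and the `include_trailers` switch are assumptions made for illustration.

```python
# Added example: RAW_REQUEST is constructed from the capture in the post.
FORBIDDEN_TRAILERS = {"transfer-encoding", "trailer", "content-length"}

RAW_REQUEST = (
    b"POST http://192.168.2.4/cgi-bin/printenv HTTP/1.1\r\n"
    b"Host:192.168.2.4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Trailer: Content-Type\r\n"
    b"\r\n"
    b"4\r\nsome\r\n"
    b"6\r\nstring\r\n"
    b"0\r\n"
    b"Content-Type: text/plain\r\n\r\n"
)


def parse_fields(block):
    """Parse CRLF-separated 'Name: value' lines into (name, value) pairs."""
    parts = (l.partition(b":") for l in block.split(b"\r\n") if l)
    return [(n.strip().decode("latin-1"), v.strip().decode("latin-1"))
            for n, _, v in parts]


def parse_chunked_request(raw):
    """Return (leading_headers, decoded_body, trailers) for a chunked request."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    header_block = head.partition(b"\r\n")[2]  # drop the request line
    body = b""
    while True:
        size_line, sep, rest = rest.partition(b"\r\n")
        if not sep:
            raise ValueError("truncated chunk size line")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        if len(rest) < size + 2 or rest[size:size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        body, rest = body + rest[:size], rest[size + 2:]
    # Fields after the zero-size chunk are trailers; drop the names the
    # post lists as not allowed there.
    trailers = [(n, v) for n, v in parse_fields(rest.split(b"\r\n\r\n")[0])
                if n.lower() not in FORBIDDEN_TRAILERS]
    return parse_fields(header_block), body, trailers


def header_buffer(raw, include_trailers):
    """Build the text a header-scoped content match would search."""
    headers, _body, trailers = parse_chunked_request(raw)
    fields = headers + (trailers if include_trailers else [])
    return "\r\n".join(f"{n}: {v}" for n, v in fields)
```

With `include_trailers=False` the buffer matches `chunked` but not `Content-Type: text`, which mirrors the failing rule; with `include_trailers=True` both patterns are present.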



