[Snort-sigs] Question about Content-Disposition, Content-Type, etc. and http_header buffer

lists at ...3397... lists at ...3397...
Thu Oct 25 17:45:50 EDT 2012


On 10/25/2012 04:35 PM, Joel Esler wrote:
> My point is, I think, if I'm right, is whatever program is generating the
> packets that Mike is talking about isn't doing so correctly.

I'm looking at RFC 2616 section 4.1 and 4.5 and I'm not seeing where CrLf is
authorttively used as a semaphore for separation between the HTTP body and the
HTTP headers when Content-* appears.  Specifically section 4.5 notes "The
presence of a message-body in a request is signaled [sic] by the inclusion of a
Content-Length or Transfer-Encoding header field in the request's message-headers."

4.1

 Request (section 5) and Response (section 6) messages use the generic message
format of RFC 822 [9] for transferring entities (the payload of the message).
Both types of message consist of a start-line, zero or more header fields (also
known as "headers"), an empty line (i.e., a line with nothing preceding the
CRLF) indicating the end of the header fields, and possibly a message-body.

        generic-message = start-line
                          *(message-header CRLF)
                          CRLF
                          [ message-body ]
        start-line      = Request-Line | Status-Line

In the interest of robustness, servers SHOULD ignore any empty line(s) received
where a Request-Line is expected. In other words, if the server is reading the
protocol stream at the beginning of a message and receives a CRLF first, it
should ignore the CRLF.


4.5:

The presence of a message-body in a request is signaled [sic] by the inclusion
of a Content-Length or Transfer-Encoding header field in the request's
message-headers. A message-body MUST NOT be included in a request if the
specification of the request method (section 5.1.1) does not allow sending an
entity-body in requests. A server SHOULD read and forward a message-body on any
request; if the request method does not include defined semantics for an
entity-body, then the message-body SHOULD be ignored when handling the request.

Hope this helps,
Nathan




More information about the Snort-sigs mailing list