Snort mailing list archives

Trailing headers on chunked requests not part of http_header buffer?


From: Will Metcalf <william.metcalf () gmail com>
Date: Fri, 9 Apr 2010 13:41:33 -0500

Shouldn't trailing headers on chunked http requests be included in the
normalized http_header buffer?  They are valid headers after all, with
the only restriction being that they can't be Transfer-Encoding,
Trailer, or Content-Length.  Going to be in 2.8.6 right? ;-)...

Regards,

Will

This fails...

alert tcp any any -> any any (msg:"chunked + trailing header";
content:"chunked"; http_header;  content:"Content-Type|3A| text";
http_header; classtype:bad-unknown; sid:165; rev:1;)

This works...

alert tcp any any -> any any (msg:"chunked + trailing header";
content:"chunked"; http_header;  content:"Content-Type|3A| text";
classtype:bad-unknown; sid:165; rev:1;)


POST http://192.168.2.4/cgi-bin/printenv HTTP/1.1
Host:192.168.2.4
Transfer-Encoding: chunked
Trailer: Content-Type

4
some
6
string
0
Content-Type: text/plain

HTTP/1.1 200 OK
Date: Fri, 09 Apr 2010 11:23:01 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain; charset=iso-8859-1

288
DOCUMENT_ROOT="/var/www/html"
GATEWAY_INTERFACE="CGI/1.1"
HTTP_HOST="192.168.2.4"
HTTP_TRAILER="Content-Type"
HTTP_TRANSFER_ENCODING="chunked"
PATH="/sbin:/usr/sbin:/bin:/usr/bin"
QUERY_STRING=""
REMOTE_ADDR="192.168.2.3"
REMOTE_PORT="36231"
REQUEST_METHOD="POST"
REQUEST_URI="http://192.168.2.4/cgi-bin/printenv";
SCRIPT_FILENAME="/var/www/cgi-bin/printenv"
SCRIPT_NAME="/cgi-bin/printenv"
SERVER_ADDR="192.168.2.4"
SERVER_ADMIN="root@localhost"
SERVER_NAME="192.168.2.4"
SERVER_PORT="80"
SERVER_PROTOCOL="HTTP/1.1"
SERVER_SIGNATURE="<address>Apache/2.2.3 (CentOS) Server at 192.168.2.4
Port 80</address>\n"
SERVER_SOFTWARE="Apache/2.2.3 (CentOS)"


0

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
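
Added example (not part of the original post, and not Snort's code): a small Python model of the behaviour reported above. It parses a request constructed from the capture in the post and evaluates the two content matches of the failing rule against a header buffer built with and without the chunked trailers. All function and variable names are hypothetical.

```python
# Constructed sample: the chunked POST from the post, with CRLF line endings.
REQUEST = (
    b"POST http://192.168.2.4/cgi-bin/printenv HTTP/1.1\r\n"
    b"Host:192.168.2.4\r\nTransfer-Encoding: chunked\r\n"
    b"Trailer: Content-Type\r\n\r\n"
    b"4\r\nsome\r\n6\r\nstring\r\n0\r\n"
    b"Content-Type: text/plain\r\n\r\n"
)
# Fields the post says are not allowed as trailers.
FORBIDDEN_TRAILERS = {b"transfer-encoding", b"trailer", b"content-length"}
# The two http_header contents of the failing rule (|3A| is ':').
RULE_CONTENTS = [b"chunked", b"Content-Type: text"]

def read_line(buf, pos):
    """Return (line, next_pos) for the CRLF-terminated line starting at pos."""
    eol = buf.index(b"\r\n", pos)
    return buf[pos:eol], eol + 2

def split_chunked(raw):
    """Return (header_lines, decoded_body, trailer_lines) of a chunked request."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    body, pos = b"", 0
    while True:
        line, pos = read_line(rest, pos)
        size = int(line.split(b";")[0].strip(), 16)  # hex size, drop extensions
        if size == 0:
            break
        body += rest[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF
    trailers = []
    while True:  # trailer section ends at an empty line
        line, pos = read_line(rest, pos)
        if not line:
            break
        trailers.append(line)
    return head.split(b"\r\n")[1:], body, trailers  # [1:] drops the request line

def header_buffer(raw, include_trailers):
    """Build the buffer that header-scoped content matches are run against."""
    headers, _, trailers = split_chunked(raw)
    if include_trailers:
        headers = headers + [t for t in trailers
                             if t.split(b":")[0].strip().lower() not in FORBIDDEN_TRAILERS]
    return b"\r\n".join(headers)

def rule_matches(buf, contents=RULE_CONTENTS):
    """True when every content string is present in the buffer."""
    return all(c in buf for c in contents)

if __name__ == "__main__":
    print("headers only:      ", rule_matches(header_buffer(REQUEST, False)))
    print("headers + trailers:", rule_matches(header_buffer(REQUEST, True)))
```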

