And header_names keyword in rules
--- /dev/null
+# Description
+
+Test http detection with header_names when protocol field is missing in request
+
+# PCAP
+
+The pcap comes from
+https://redmine.openinfosecfoundation.org/issues/2619
+You can reproduce a similar behavior with running the http server and client with the python scripts client.py and server.py
--- /dev/null
+import socket
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect(("127.0.0.1", 8000))
+
+a = sock.send("GET /\r\nHeader1 : Value1\r\nUser-Agent : test\r\n\r\n")
+data = sock.recv(2000)
+print "returned", data
+
+sock.close()
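Review bot: client.py only runs on Python 2 (`print "returned", data`, and a `str` passed to `sock.send`), while server.py in the same commit imports `http.server` and `socketserver`, which exist only on Python 3, so the two reproduction scripts cannot run under one interpreter. Porting the client takes two lines: `sock.sendall(b"GET /\r\nHeader1 : Value1\r\nUser-Agent : test\r\n\r\n")` and `print("returned", data)`. `sendall` also removes the unused `a =` result and the possibility of a partial write. A short comment above the send, such as `# request line deliberately omits the HTTP version; this is the case under test`, would stop a later cleanup from "fixing" the malformed request the pcap depends on.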
--- /dev/null
+#!/usr/bin/env python
+
+import http.server
+import socketserver
+import logging
+
+PORT = 8000
+
+class GetHandler(http.server.SimpleHTTPRequestHandler):
+
+ def do_GET(self):
+ logging.error(self.headers)
+ self.send_response(200, 'OK')
+ self.send_header('Content-type', 'txt')
+ self.end_headers()
+ self.wfile.write(bytes(self.headers))
+
+
+Handler = GetHandler
+httpd = socketserver.TCPServer(("", PORT), Handler)
+
+httpd.serve_forever()
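Review bot: The listener is bound to every interface (`("", PORT)`), although client.py only ever connects to 127.0.0.1, so anyone running the reproduction exposes a header-echoing server to the whole network. Binding to loopback keeps the test local: `httpd = socketserver.TCPServer(("127.0.0.1", PORT), Handler)`. The handler also derives from `SimpleHTTPRequestHandler` and overrides only `do_GET`, so the inherited `do_HEAD` still answers for files in the working directory. `class GetHandler(http.server.BaseHTTPRequestHandler):` would be enough for this test and removes that surface. `logging.error(self.headers)` logs ordinary request data at error level; `logging.info` with a configured level would match what the line does.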
--- /dev/null
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"http_header_names testcase 2"; flow:established,to_server; content:"GET"; http_method; http_header_names; content:"User-Agent"; classtype:trojan-activity; sid:10003658; rev:2;)
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10003658