http: 'HTTP Host header ambiguous' after libhtp update. It now fires if hostname...
authorVictor Julien <victor@inliniac.net>
Thu, 22 Mar 2012 11:40:49 +0000 (12:40 +0100)
committerVictor Julien <victor@inliniac.net>
Thu, 22 Mar 2012 11:40:49 +0000 (12:40 +0100)
rules/http-events.rules

index a23997c25c8a1948f9e91f7edf7e6aa1a78b501b..e779b8fb50b8e9d9ceef21c649046074107eb501 100644 (file)
@@ -23,8 +23,8 @@ alert http any any -> any any (msg:"SURICATA HTTP invalid authority port"; flow:
 alert http any any -> any any (msg:"SURICATA HTTP request header invalid"; flow:established,to_server; app-layer-event:http.request_header_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221013; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP response header invalid"; flow:established,to_client; app-layer-event:http.response_header_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221021; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP missing Host header"; flow:established,to_server; app-layer-event:http.missing_host_header; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221014; rev:1;)
-# If hostname is both part of URL and Host header. Not very useful as this matches on HTTP Proxy traffic.
-#alert http any any -> any any (msg:"SURICATA HTTP Host header ambiguous"; flow:established,to_server; app-layer-event:http.host_header_ambiguous; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221015; rev:1;)
+# Alert if hostname is both part of URL and Host header and they are not the same.
+alert http any any -> any any (msg:"SURICATA HTTP Host header ambiguous"; flow:established,to_server; app-layer-event:http.host_header_ambiguous; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221015; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP invalid request field folding"; flow:established,to_server; app-layer-event:http.invalid_request_field_folding; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221016; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP invalid response field folding"; flow:established,to_client; app-layer-event:http.invalid_response_field_folding; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221017; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP request field too long"; flow:established,to_server; app-layer-event:http.request_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221018; rev:1;)
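Review bot: The re-enabled rule on the `+alert` line keeps `rev:1` and the original msg even though what the alert now means has changed (it fires only when the URL host and the Host header disagree, no longer on all proxied requests), so anyone tracking this signature by sid/rev cannot distinguish the old and new behaviour; consider bumping to `rev:2`. The new comment also omits that the narrower behaviour comes from the libhtp update named in the commit title, which appears to be the only reason the rule is safe to enable now; with an older libhtp the same event presumably still fires on every proxy request, the false-positive problem the old comment describes. A comment such as `# Alert if hostname is both part of URL and Host header and they are not the same. Relies on the updated libhtp host_header_ambiguous check; older libhtp raised this event on all proxy traffic.` would keep that dependency visible to whoever builds against a different libhtp.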