From: Victor Julien Date: Thu, 22 Mar 2012 11:40:49 +0000 (+0100) Subject: http: 'HTTP Host header ambiguous' after libhtp update. It now fires if hostname... X-Git-Tag: suricata-1.3beta1~63 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aded3c5578cad0ebd82fc84008f4dc06e114374b;p=thirdparty%2Fsuricata.git http: 'HTTP Host header ambiguous' after libhtp update. It now fires if hostname is present both in URL and Host header and the 2 are not equal.
---
diff --git a/rules/http-events.rules b/rules/http-events.rules
index a23997c25c..e779b8fb50 100644
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@@ -23,8 +23,8 @@ alert http any any -> any any (msg:"SURICATA HTTP invalid authority port"; flow:
 alert http any any -> any any (msg:"SURICATA HTTP request header invalid"; flow:established,to_server; app-layer-event:http.request_header_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221013; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP response header invalid"; flow:established,to_client; app-layer-event:http.response_header_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221021; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP missing Host header"; flow:established,to_server; app-layer-event:http.missing_host_header; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221014; rev:1;)
-# If hostname is both part of URL and Host header. Not very useful as this matches on HTTP Proxy traffic.
-#alert http any any -> any any (msg:"SURICATA HTTP Host header ambiguous"; flow:established,to_server; app-layer-event:http.host_header_ambiguous; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221015; rev:1;)
+# Alert if hostname is both part of URL and Host header and they are not the same.
+alert http any any -> any any (msg:"SURICATA HTTP Host header ambiguous"; flow:established,to_server; app-layer-event:http.host_header_ambiguous; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221015; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP invalid request field folding"; flow:established,to_server; app-layer-event:http.invalid_request_field_folding; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221016; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP invalid response field folding"; flow:established,to_client; app-layer-event:http.invalid_response_field_folding; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221017; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP request field too long"; flow:established,to_server; app-layer-event:http.request_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221018; rev:1;)
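Review bot: The re-enabled sid:2221015 rule on the new side keeps `rev:1;` and a comment that only describes the behaviour of the updated libhtp; on a build still linked against the older libhtp the `http.host_header_ambiguous` event is presumably raised for every request carrying both an absolute URI and a Host header, which is exactly the proxy-traffic noise the removed comment warned about. I would make that dependency visible where the rule is maintained, e.g. `# Alert if hostname is both part of URL and Host header and they are not the same. Requires libhtp >= <libhtp version placeholder>; older libhtp raises this event for all proxy traffic.`, and bump the rule to `rev:2;` since its effective meaning changed even though its text did not. I cannot see from this hunk whether libhtp's comparison normalizes hostname case or a default port (`example.com` vs `EXAMPLE.COM` or `example.com:80`, constructed examples); if it does not, a case-only or port-only difference between URL and Host header will also fire, and that caveat belongs in the same comment so operators can judge the alert's reliability.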