Comments (13)
What do you mean?
HTTP 1.1 request pipelining is supposed to be supported.
Do you have a pcap sample that shows otherwise?
from libhtp.
Yes, I have.
1.pcap.zip
from libhtp.
Thanks for this pcap.
Running latest master on this I seem to get correct logs.
My commands are
./src/suricata -r 1.pcap -l log
and
jq 'select(.event_type=="http")|.http' log/eve.json
And the log seems correct, what did you expect?
{
"hostname": "120.52.186.72",
"url": "/view/index.shtml",
"http_user_agent": "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)",
"http_content_type": "text/html",
"http_method": "HEAD",
"protocol": "HTTP/1.1",
"status": 200,
"length": 2927
}
{
"hostname": "120.52.186.72",
"url": "/phpmyadmin/",
"http_user_agent": "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)",
"http_content_type": "text/html",
"http_method": "HEAD",
"protocol": "HTTP/1.1",
"status": 200,
"length": 0
}
from libhtp.
Thanks so much for your reply. In pipelining mode, the client does "request1->request2->request3..." and the server does "response1->response2->response3...". If we want Suricata to detect request1 when response1 arrives, detect request2 when response2 arrives and so on in "inline=false" mode, what should I do?
from libhtp.
I am not sure I understand your question.
If we want Suricata to detect request1 when response1 arrives, detect request2 when response2 arrives and so on in "inline=false" mode, what should I do?
By default, inline=false, and Suricata does detect requests and responses and matches them together according to the logs quoted above. So, there would be nothing special to do...
I suggest you try https://forum.suricata.io which may be the better place for such a question
from libhtp.
OK
from libhtp.
Hey, I have a problem with request_line when running on a pcap. The context is like this: the previous packet is returned from IN_COPY_BYTE_OR_RETURN in htp_connp_REQ_FINALIZE, and the next packet is in the state htp_connp_REQ_FINALIZE when it comes in; then connp->in_current_read_offset is set to zero because connp->in_current_read_offset < len, so some content is duplicated. The pcap is below.
a.pcap.zip
from libhtp.
I do not understand the problem.
Could you tell me what you would expect from the Suricata logs?
After running suricata -r a.pcap -l log
it seems to me that the logs look normal when running
jq 'select(.event_type=="http") | .http.url, .http.status' log/eve.json
I get
"/postinfo.html"
404
"/_vti_bin/_vti_aut/author.dll"
404
...
Looks quite similar to the Wireshark analysis, cf. tshark -Tfields -e http.request.uri -e http.response.code -r a.pcap
from libhtp.
jq 'select(.event_type=="http") | .http.url, .http.protocol, .http.status' log/eve.json
I get
"/postinfo.html"
"HTTP/1.1"
404
"/_vti_bin/_vti_aut/author.dll"
"HTTP/1.1"
404
"/_vti_bin/_vti_aut/author.exe"
"HTTP/1.1"
404
"/_vti_bin/_vti_aut/dvwssr.dll"
"HTTP/1.1"
404
"/_vti_bin/_vti_adm/admin.dll"
"HTTP/1.1"
404
"/_vti_bin/_vti_adm/admin.exe"
"HTTP/1.1"
404
"/_vti_bin/fpcount.exe?Page=default.asp|Image=3"
"HTTP/1.1"
404
"/_vti_bin/shtml.dll"
"HTTP/1.1"
404
"/_vti_bin/shtml.exe"
"HTTP/1.1"
404
"/_vti_pvt/_x_todo.htm"
"HTTP/1.1"
404
"/_vti_pvt/_x_todoh.htm"
"HTTP/1.1"
404
"/_vti_pvt/access.cnf"
"HTTP/1.1"
404
"/_vti_pvt/administrator.pwd"
"HTTP/1.1"
404
"/_vti_pvt/administrators.pwd"
"HTTP/1.1"
404
"/_vti_pvt/authors.pwd"
"HTTP/1.1"
404
"/_vti_pvt/bots.cnf"
"HTTP/1.1"
404
"/_vti_pvt/botinfs.cnf"
"HTTP/1.1\r\nT /_vti_pvt/botinfs.cnf HTTP/1.1"
404
from libhtp.
Thanks, reproducing the bug with jq 'select(.event_type=="http") | .http.protocol' log/eve.json
indeed.
from libhtp.
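The following is an added example and is not libhtp or Suricata code. It models the two points raised in this thread: a pipelined HTTP/1.1 stream (request1, request2, request3 in one direction, response1, response2, response3 in the other) where each response is attributed to the oldest request still awaiting one, and the chunk-boundary hazard described above, where a parser that resets its read offset on the next chunk sees part of a request line twice and ends up with a protocol field such as "HTTP/1.1\r\nT /_vti_pvt/botinfs.cnf HTTP/1.1". The parser below keeps its unconsumed bytes across chunks and rejects any protocol token that is not a bare HTTP/x.y. The class and function names, the sample request and response bytes and the host address 192.0.2.10 are all constructed for this example; the sample is not taken from the pcaps attached to the issue. The final check feeds the same stream split at every possible byte offset, which is the test you would want before trusting the request_line handling in any incremental parser.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTOCOL_RE = re.compile(r"HTTP/\d\.\d")


def protocol_is_sane(proto: str) -> bool:
    """True only for a bare 'HTTP/x.y' token. Stray CR/LF or extra tokens
    (the symptom reported in this thread) make it return False."""
    return PROTOCOL_RE.fullmatch(proto) is not None


@dataclass
class Request:
    method: str
    uri: str
    protocol: str
    headers: Dict[str, str]
    status: Optional[int] = None  # filled in when the matching response is seen


class PipelineParser:
    """Hypothetical reassembler (not libhtp's API) for pipelined HTTP/1.1
    requests and responses delivered in arbitrary chunks."""

    def __init__(self) -> None:
        self._req_buf = b""      # unconsumed request bytes, kept across chunks
        self._res_buf = b""      # unconsumed response bytes
        self._body_left = 0      # response body bytes still to skip
        self._next_response = 0  # oldest request awaiting a response
        self.requests: List[Request] = []

    @staticmethod
    def _parse_headers(lines: List[bytes]) -> Dict[str, str]:
        headers = {}
        for line in lines:
            name, _, value = line.partition(b":")
            headers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
        return headers

    def feed_request_data(self, chunk: bytes) -> None:
        # Only consumed bytes are trimmed; the offset is never reset to the
        # start of a new chunk, so a split request line is parsed exactly once.
        self._req_buf += chunk
        while True:
            end = self._req_buf.find(b"\r\n\r\n")
            if end < 0:
                return  # header block incomplete: wait for more data
            head, self._req_buf = self._req_buf[:end], self._req_buf[end + 4:]
            lines = head.split(b"\r\n")
            parts = lines[0].split(b" ")
            if len(parts) != 3:
                raise ValueError(f"malformed request line: {lines[0]!r}")
            method, uri, proto = (p.decode("ascii") for p in parts)
            if not protocol_is_sane(proto):
                raise ValueError(f"bad protocol token: {proto!r}")
            self.requests.append(Request(method, uri, proto, self._parse_headers(lines[1:])))

    def feed_response_data(self, chunk: bytes) -> None:
        self._res_buf += chunk
        while True:
            if self._body_left:
                skip = min(self._body_left, len(self._res_buf))
                self._res_buf = self._res_buf[skip:]
                self._body_left -= skip
                if self._body_left:
                    return  # body not finished yet
            end = self._res_buf.find(b"\r\n\r\n")
            if end < 0:
                return
            head, self._res_buf = self._res_buf[:end], self._res_buf[end + 4:]
            lines = head.split(b"\r\n")
            status = int(lines[0].split(b" ", 2)[1])
            headers = self._parse_headers(lines[1:])
            if self._next_response >= len(self.requests):
                raise ValueError("response with no pending request")
            req = self.requests[self._next_response]  # HTTP/1.1 pipelining: in-order matching
            self._next_response += 1
            req.status = status
            # A response to HEAD carries no body regardless of Content-Length.
            self._body_left = 0 if req.method == "HEAD" else int(headers.get("content-length", "0"))


# Constructed sample stream: three pipelined HEAD requests of the kind an
# Nmap http-enum scan sends, and the three in-order responses.
SAMPLE_REQUESTS = (
    b"HEAD /view/index.shtml HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
    b"HEAD /phpmyadmin/ HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
    b"HEAD /_vti_pvt/botinfs.cnf HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
)
SAMPLE_RESPONSES = (
    b"HTTP/1.1 200 OK\r\nContent-Length: 2927\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    b"HTTP/1.1 404 Not Found\r\nContent-Length: 12\r\nContent-Type: text/html\r\n\r\n"
)
EXPECTED = [
    ("HEAD", "/view/index.shtml", "HTTP/1.1", 200),
    ("HEAD", "/phpmyadmin/", "HTTP/1.1", 200),
    ("HEAD", "/_vti_pvt/botinfs.cnf", "HTTP/1.1", 404),
]


def parse_split(split_at: int) -> List[Tuple[str, str, str, Optional[int]]]:
    """Parse the sample with both streams cut into two chunks (requests at
    split_at, responses at split_at modulo their length)."""
    p = PipelineParser()
    p.feed_request_data(SAMPLE_REQUESTS[:split_at])
    p.feed_request_data(SAMPLE_REQUESTS[split_at:])
    j = split_at % len(SAMPLE_RESPONSES)
    p.feed_response_data(SAMPLE_RESPONSES[:j])
    p.feed_response_data(SAMPLE_RESPONSES[j:])
    return [(r.method, r.uri, r.protocol, r.status) for r in p.requests]


def all_splits_consistent() -> bool:
    """Every possible chunk boundary must yield the same three transactions."""
    return all(parse_split(i) == EXPECTED for i in range(len(SAMPLE_REQUESTS) + 1))


if __name__ == "__main__":
    print("consistent across all chunk boundaries:", all_splits_consistent())
    print("garbled protocol accepted:", protocol_is_sane("HTTP/1.1\r\nT /_vti_pvt/botinfs.cnf HTTP/1.1"))
```

The same protocol_is_sane check can be run over the .http.protocol values pulled out of eve.json with the jq command quoted above: any record that fails it is a transaction whose request line was not reassembled correctly.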
And I have fixed it. Can you help me make sure whether it is right or not? This is the code segment in htp_connp_REQ_FINALIZE, thanks.
from libhtp.
I proposed another fix in #312
from libhtp.
Closed by #312
from libhtp.