http pipelining is not ok about libhtp HOT 13 CLOSED

What do you mean ?
HTTP 1.1 request pipelining is supposed to be supported.

Do you a pcap sample that shows otherwise ?

from libhtp.

yes, I have
1.pcap.zip

from libhtp.

Thanks for this pcap.

Running latest master on this I seem to get correct logs

My commands are
./src/suricata -r 1.pcap -l log and
jq 'select(.event_type=="http")|.http' log/eve.json

And the log seems correct, what did you expect ?

{
  "hostname": "120.52.186.72",
  "url": "/view/index.shtml",
  "http_user_agent": "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)",
  "http_content_type": "text/html",
  "http_method": "HEAD",
  "protocol": "HTTP/1.1",
  "status": 200,
  "length": 2927
}
{
  "hostname": "120.52.186.72",
  "url": "/phpmyadmin/",
  "http_user_agent": "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)",
  "http_content_type": "text/html",
  "http_method": "HEAD",
  "protocol": "HTTP/1.1",
  "status": 200,
  "length": 0
}

from libhtp.

Thanks for your reply so much. In pipelining mode, client does "request1->request2->request3...", and server does "response1->response2->response3...",if we want suricata detects request1 when response1 arrives, detects request2 when response2 arrives and so on in "inline=false" mode, what should I do?

from libhtp.

I am not sure I understand your question.

if we want suricata detects request1 when response1 arrives, detects request2 when response2 arrives and so on in "inline=false" mode, what should I do?

By default, inline=false, and Suricata does detect requests and responses and matches them together according to the logs quoted above. So, there would be nothing special to do...

I suggest you try https://forum.suricata.io which may be the better place for such a question

from libhtp.

OK

from libhtp.

hey,i have a problem with request_line when run on a pcap.The context is like this previous packet is returned from IN_COPY_BYTE_OR_RETURN in htp_connp_REQ_FINALIZE and next packet is in state of htp_connp_REQ_FINALIZE when coming, then connp->in_current_read_offset is setted to zero as connp->in_current_read_offset<len, so some content is in duplicate. The pcap is below here.
a.pcap.zip

from libhtp.

I do not understand the problem.
Could you tell me what you would expect from Suricata logs

After running suricata -r a.pcap -l log
it seems to me that the logs look normal by running
jq 'select(.event_type=="http") | .http.url, .http.status' log/eve.json
I get

"/postinfo.html"
404
"/_vti_bin/_vti_aut/author.dll"
404
...

Looks quite similar to Wireshark analysis cf tshark -Tfields -e http.request.uri -e http.response.code -r a.pcap

from libhtp.

jq 'select(.event_type=="http") | .http.url, .http.protocol, .http.status' log/eve.json
I get

"/postinfo.html"
"HTTP/1.1"
404
"/_vti_bin/_vti_aut/author.dll"
"HTTP/1.1"
404
"/_vti_bin/_vti_aut/author.exe"
"HTTP/1.1"
404
"/_vti_bin/_vti_aut/dvwssr.dll"
"HTTP/1.1"
404
"/_vti_bin/_vti_adm/admin.dll"
"HTTP/1.1"
404
"/_vti_bin/_vti_adm/admin.exe"
"HTTP/1.1"
404
"/_vti_bin/fpcount.exe?Page=default.asp|Image=3"
"HTTP/1.1"
404
"/_vti_bin/shtml.dll"
"HTTP/1.1"
404
"/_vti_bin/shtml.exe"
"HTTP/1.1"
404
"/_vti_pvt/_x_todo.htm"
"HTTP/1.1"
404
"/_vti_pvt/_x_todoh.htm"
"HTTP/1.1"
404
"/_vti_pvt/access.cnf"
"HTTP/1.1"
404
"/_vti_pvt/administrator.pwd"
"HTTP/1.1"
404
"/_vti_pvt/administrators.pwd"
"HTTP/1.1"
404
"/_vti_pvt/authors.pwd"
"HTTP/1.1"
404
"/_vti_pvt/bots.cnf"
"HTTP/1.1"
404
"/_vti_pvt/botinfs.cnf"
"HTTP/1.1\r\nT /_vti_pvt/botinfs.cnf HTTP/1.1"
404

from libhtp.

Thanks, reproducing the bug with jq 'select(.event_type=="http") | .http.protocol' log/eve.json indeed

from libhtp.

And I have fixed it, can you help me make sure it is right or not? this is the code segment in htp_connp_REQ_FINALIZE,thanks

from libhtp.

I proposed another fix in #312

from libhtp.

Closed by #312

from libhtp.