
Overlapping requests in logs

Open Sachin-M-Desai opened this issue 2 years ago • 5 comments

With Suricata 7.0.x and libhtp 0.5.39, we have observed (on the production deployment) that some of the headers seem to have been merged with headers from another request.

We have the below logs from Suricata where,

  1. Headers like "Accept", "X-Forwarded-For", "User-Agent" have multiple values, which are coming from a different request
  2. One of the headers (Sec-Fetch-Site) actually has the request line from another request

{"timestamp":"2022-03-14T02:54:17.885077+0000","flow_id":455363947756886,"in_iface":"lo","event_type":"http","src_ip":"127.0.0.1","src_port":42602,"dest_ip":"127.0.0.1","dest_port":8090,"proto":"6","tx_id":0,"http":{"hostname":"[REDACTED]","url":"/getWallet","http_user_agent":"curl/7.68.0","http_content_type":"application/json","http_method":"POST","protocol":"HTTP/1.1","status":200,"length":15,"request_headers":[{"name":"Host","value":"[REDACTED], [REDACTED]"},{"name":"User-Agent","value":"curl/7.68.0,curl/7.68.0"},{"name":"Sec-Fetch-Site", "value":"same-oriPOST /getBalance"},{"name":"Accept","value":"application/json, application/json"},{"name":"content-type","value":"application/json"},{"name":"Content-Length","value":"15"},{"name":"X-Forwarded-For", "value":"42.104.80.173, 52.46.37.72"}],"response_headers":[{"name":"Content-Type","value":"application/json; charset=utf-8"},{"name":"Date","value":"Mon, 14 Mar 2022 02:54:17 GMT"},{"name":"Content-Length","value":"15"}]}}

We are running Suricata on VXLAN based setup.

Grepped all over the issues list, couldn't see any issue close to this. Any inputs, suggestions and fixes will help.

Cheers!

Sachin-M-Desai avatar Mar 14 '22 03:03 Sachin-M-Desai
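As an added illustration (not part of the issue thread or of libhtp), a small Python checker that scans eve.json http events for the two symptoms shown in the log above: a request-line fragment embedded in a header value, and comma-joined values in headers that should carry one value per request. The sample eve.json lines are constructed, with hostnames replaced by placeholders.

```python
import json
import re

# A request-line fragment inside a header value, as in the report's
# "same-oriPOST /getBalance". Assumption: these methods cover the traffic seen.
REQUEST_LINE_RE = re.compile(r"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH)\s+/")

# Headers that legitimately carry one value per request; a comma-joined pair
# here suggests two requests were merged. Accept/X-Forwarded-For are excluded
# because commas are normal there.
SINGLE_VALUED = {"host", "user-agent", "content-length", "content-type"}


def header_anomalies(event: dict) -> list:
    """Return anomaly descriptions for the request headers of one http event."""
    findings = []
    for hdr in event.get("http", {}).get("request_headers", []):
        name, value = hdr.get("name", ""), hdr.get("value", "")
        if REQUEST_LINE_RE.search(value):
            findings.append(f"request line inside header {name!r}: {value!r}")
        if name.lower() in SINGLE_VALUED and "," in value:
            findings.append(f"multiple values in single-valued header {name!r}: {value!r}")
    return findings


def scan_eve(lines) -> list:
    """Scan eve.json lines; return (flow_id, tx_id, finding) for each anomaly."""
    results = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines
        if event.get("event_type") != "http":
            continue
        for finding in header_anomalies(event):
            results.append((event.get("flow_id"), event.get("tx_id"), finding))
    return results


# Constructed sample lines modelled on the report (hostnames are placeholders).
SAMPLE_EVE = [
    '{"event_type":"http","flow_id":1,"tx_id":0,"http":{"request_headers":'
    '[{"name":"Host","value":"a.invalid"},{"name":"User-Agent","value":"curl/7.68.0"}]}}',
    '{"event_type":"http","flow_id":2,"tx_id":0,"http":{"request_headers":'
    '[{"name":"Host","value":"a.invalid, b.invalid"},'
    '{"name":"Sec-Fetch-Site","value":"same-oriPOST /getBalance"}]}}',
    '{"event_type":"flow","flow_id":3}',
]

if __name__ == "__main__":
    for flow_id, tx_id, finding in scan_eve(SAMPLE_EVE):
        print(f"flow {flow_id} tx {tx_id}: {finding}")
```

Run it against a real eve.json with `scan_eve(open("eve.json"))` to list the flows worth pulling the matching flow event (or a pcap) for.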

Could you share a pcap that exhibits this problem ?

"name":"Sec-Fetch-Site", "value":"same-oriPOST /getBalance"

Looks like something went wrong indeed

catenacyber avatar Mar 14 '22 16:03 catenacyber

Unfortunately, this happened on prod, where we do not have much control over the environment. The customer was running a load test. This is as much information as we have today.

Sachin-M-Desai avatar Mar 15 '22 02:03 Sachin-M-Desai

I am not sure I have enough input data to find and fix the bug. It looks like some data was dropped between Sec-Fetch-Site: same-ori and POST /getBalance, data beginning with gin\n but I do not see how it could get dropped...

catenacyber avatar Mar 15 '22 21:03 catenacyber

What could help here? We usually won't be in a position to collect a pcap on prod (especially when it belongs to someone else). Will Suricata stats help here?

Sachin-M-Desai avatar Mar 16 '22 06:03 Sachin-M-Desai

Could you provide the eve.json flow event about this http flow ?

catenacyber avatar Mar 16 '22 08:03 catenacyber

Do you still need anything on this ?

catenacyber avatar Apr 07 '23 14:04 catenacyber

Feel free to reopen with more details

catenacyber avatar Jan 25 '24 10:01 catenacyber