
In the case of packet loss, there can be a mismatch between the request and response of a transaction.

bingfengfeifei opened this issue (status: Open, 1 comment)

For example, in a TCP session with HTTP request and response packets:

- Request 1 => GET /test.js
- Response 1 => Response for /test.js
- Request 2 => POST /api/v1/test
- Response 2 => Response for /api/v1/test

If there is packet loss, such as the loss of the Response 1 and Request 2 packets, causing a packet gap, libhtp may incorrectly combine Request 1 and Response 2 into a single transaction.

bingfengfeifei, Oct 16 '23 01:10
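The mismatch described in this issue, modelled as an added example in Python (this is not libhtp or Suricata code, and it does not reproduce libhtp's actual pairing logic). It assumes a simple HTTP/1.1 parser that pairs each response with the oldest unanswered request, plus a hypothetical gap callback from the stream reassembler. The `SCENARIO` event list is constructed: Response 1 and Request 2 are missing, so the parser only sees a gap between Request 1 and Response 2. The naive model pairs them into one transaction; the gap-aware variant is one possible handling (an assumption of this example), which closes pending requests as unanswered and flags the orphan response so downstream consumers can treat the pairing as unreliable.

```python
# Added example, not libhtp/Suricata code: a minimal model of how an HTTP/1.1
# parser pairs requests with responses in stream order, and what happens when a
# reassembly gap swallows Response 1 and Request 2.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stream events for the scenario in the issue. Response 1 and
# Request 2 were lost, so the parser only sees a gap between them.
SCENARIO = [
    ("request", "GET /test.js"),
    ("gap", None),                              # Response 1 and Request 2 missing
    ("response", "200 OK (body for /api/v1/test)"),
]


@dataclass
class Transaction:
    request: Optional[str] = None
    response: Optional[str] = None
    suspect: bool = False   # set when a gap may have broken the pairing


class PairingModel:
    """Pairs each response with the oldest unanswered request (HTTP/1.1
    responses arrive in request order). `gap_aware` selects whether a gap
    event closes the pending requests instead of leaving them queued."""

    def __init__(self, gap_aware: bool) -> None:
        self.gap_aware = gap_aware
        self.pending: List[Transaction] = []   # requests without a response yet
        self.done: List[Transaction] = []
        self.gap_seen = False

    def on_request(self, req: str) -> None:
        self.pending.append(Transaction(request=req))

    def on_response(self, resp: str) -> None:
        if self.pending:
            # Naive in-order pairing: after a gap this may attach a response
            # to the wrong request, which is the mismatch the issue describes.
            tx = self.pending.pop(0)
        else:
            # Orphan response; after a gap we know its request was lost.
            tx = Transaction(suspect=self.gap_seen)
        tx.response = resp
        self.done.append(tx)

    def on_gap(self) -> None:
        # Hypothetical callback from the stream reassembler (assumed API).
        self.gap_seen = True
        if not self.gap_aware:
            return
        # Any request still waiting may have lost its response in the gap,
        # so finish it as unanswered and suspect rather than pairing it with
        # whatever response comes next.
        for tx in self.pending:
            tx.suspect = True
            self.done.append(tx)
        self.pending.clear()


def replay(events, gap_aware: bool) -> List[Tuple[Optional[str], Optional[str], bool]]:
    """Feed the events through the model and return (request, response, suspect)
    for every finished transaction, in completion order."""
    model = PairingModel(gap_aware)
    for kind, payload in events:
        if kind == "request":
            model.on_request(payload)
        elif kind == "response":
            model.on_response(payload)
        elif kind == "gap":
            model.on_gap()
    return [(tx.request, tx.response, tx.suspect) for tx in model.done]


if __name__ == "__main__":
    print("naive pairing:    ", replay(SCENARIO, gap_aware=False))
    print("gap-aware pairing:", replay(SCENARIO, gap_aware=True))
```

Running the block prints the naive result, a single transaction of `GET /test.js` paired with the response meant for `/api/v1/test`, against the gap-aware result, where the GET is finished unanswered and the response stands alone, both flagged `suspect`. For detection, the flag matters more than the split itself: any rule keyed on request and response fields of the same transaction should be able to see that the pairing crossed a gap.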

I think the scenario you describe is correct. Do you have a pcap to verify this? (or even better a https://github.com/OISF/suricata-verify PR with a test)

How would you handle this?

catenacyber, Oct 16 '23 07:10