Bro Issue Tracker
BIT-1695

intel/seen/http-headers.bro doesn't normalize host header

    Details

    • Type: Problem
    • Status: Closed
    • Priority: Normal
    • Resolution: Merged
    • Affects Version/s: None
    • Fix Version/s: 2.5
    • Component/s: Bro
    • Labels:
      None

      Description

      The base http script does this before it logs host headers:

      event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
          {
          ...
              else if ( name == "HOST" )
                  # The split is done to remove the occasional port value that shows up here.
                  c$http$host = split_string1(value, /:/)[0];
      
      

      but the ./policy/frameworks/intel/seen/http-headers.bro does not remove the port. This may be causing DOMAIN records to not match.


            People

            • Assignee:
              seth Seth Hall
              Reporter:
              JAzoff Justin Azoff

              Dates

              • Created:
                Updated:
                Resolved:
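The normalization described in the report, applied to an Intel "seen" handler for the Host header. This is an added example, not part of the original ticket and not the change that was merged for it; it assumes the Bro 2.5 script API (split_string1, is_valid_ip, Intel::seen and the HTTP::IN_HOST_HEADER location from the seen/where-locations script).

```bro
@load base/frameworks/intel
@load base/protocols/http
@load frameworks/intel/seen/where-locations

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Only client-side Host headers are of interest here.
	if ( ! is_orig || name != "HOST" )
		return;

	# Same step as the base HTTP script: keep what precedes the first ":",
	# so "www.example.com:8080" is looked up as "www.example.com".
	local host = split_string1(value, /:/)[0];

	if ( is_valid_ip(host) )
		# A bare IP in the Host header is checked against ADDR indicators.
		Intel::seen([$host=to_addr(host),
		             $indicator_type=Intel::ADDR,
		             $conn=c,
		             $where=HTTP::IN_HOST_HEADER]);
	else
		# Without the port, the value can match a DOMAIN indicator
		# that was loaded as a plain hostname.
		Intel::seen([$indicator=host,
		             $indicator_type=Intel::DOMAIN,
		             $conn=c,
		             $where=HTTP::IN_HOST_HEADER]);
	}
```

A handler like this is meant to stand in for the Host-header check in the stock seen script; loading both reports the same header twice.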