https://community.cisco.com/t5/network-security/malformed-http-request-5769-0/m-p/567426#M92691 <P>Should this signature trigger for:</P><P>GET /\r\n</P><P></P><P>I thought it should trigger for something like:</P><P>GET /\rHTTP/1.1\r\n\r\n</P> Sun, 10 Mar 2019 10:09:15 GMT m-hansson 2019-03-10T10:09:15Z https://community.cisco.com/t5/network-security/malformed-http-request-5769-0/m-p/567426#M92691 <P>Should this signature trigger for:</P><P>GET /\r\n</P><P></P><P>I thought it should trigger for something like:</P><P>GET /\rHTTP/1.1\r\n\r\n</P> Sun, 10 Mar 2019 10:09:15 GMT https://community.cisco.com/t5/network-security/malformed-http-request-5769-0/m-p/567426#M92691 m-hansson 2019-03-10T10:09:15Z https://community.cisco.com/t5/network-security/malformed-http-request-5769-0/m-p/567427#M92694 <HTML><HEAD></HEAD><BODY><P>It will trigger on both, as you do not normally see the \r\n in the actual stream but as a terminating character of the request. The first example looks like it has \r\n before you see HTTP version, hence you would assume that the \r\n is premature in the stream.</P><P></P><P>I hope that helps.</P><P>-jonathan</P></BODY></HTML> Tue, 08 Aug 2006 07:35:26 GMT https://community.cisco.com/t5/network-security/malformed-http-request-5769-0/m-p/567427#M92694 jlimbo 2006-08-08T07:35:26Z https://community.cisco.com/t5/network-security/malformed-http-request-5769-0/m-p/567428#M92695 <HTML><HEAD></HEAD><BODY><P>Thanks.</P><P>No this is actually the entire request. Should not trigger in my opinion. Let me guess, you will tell me that is does not follow RFC standards? <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P></BODY></HTML> Tue, 08 Aug 2006 07:47:16 GMT https://community.cisco.com/t5/network-security/malformed-http-request-5769-0/m-p/567428#M92695 m-hansson 2006-08-08T07:47:16Z https://community.cisco.com/t5/network-security/malformed-http-request-5769-0/m-p/567429#M92696 <HTML><HEAD></HEAD><BODY><P>HTTP clients *should* send http version information with the exception of HTTP/0.9, which did not include version numbers. RFC 2145 further clarifies the http specification author's intents. HTTP clients adhering to the robusteness principle and RFC 2145, and that are not http/0.9 clients should really have the version information there. I'll agree, it's not a *must*, but its normally there.</P><P></P><P>Adding a carriage return prior to the http version was also a way to evade Snort's uricontent rules.</P><P></P><P>I would consider a CR before the http version non standard, you might not, maybe we just agree to disagree on that point. In any case, I'll update the benign triggers section of the alert.</P><P></P><P></P></BODY></HTML> Tue, 08 Aug 2006 13:29:14 GMT https://community.cisco.com/t5/network-security/malformed-http-request-5769-0/m-p/567429#M92696 wsulym 2006-08-08T13:29:14Z https://community.cisco.com/t5/network-security/malformed-http-request-5769-0/m-p/567430#M92697 <HTML><HEAD></HEAD><BODY><P>Thanks Walter.</P><P></P><P>Once again I want to push for splitting this kind of signature into one that deals with the vulnerability and one with protocol abnormalies.</P><P></P><P>I'd really like to have this signature enabled because of the snort issue, but with the current amoumt of FP it is not an option.</P></BODY></HTML> Tue, 08 Aug 2006 14:01:43 GMT https://community.cisco.com/t5/network-security/malformed-http-request-5769-0/m-p/567430#M92697 m-hansson 2006-08-08T14:01:43Z