SIGS: Http header whitespace

Experimental sigs for looking for whitespace errors in HTTP headers, which sometimes appear as mistakes, especially in fake HTTP headers.

Kind Regards,
Kevin Ross

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Host Request header"; flow:established,to_server; content:"Host|3A 20 20|"; http_header; classtype:bad-unknown; sid:156001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in User Agent Request header"; flow:established,to_server; content:"User-Agent|3A 20 20|"; http_header; classtype:bad-unknown; sid:156002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Host Request header"; flow:established,to_server; content:"Host|3A 20 20|"; http_header; classtype:bad-unknown; sid:156003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Referer Request header"; flow:established,to_server; content:"Referer|3A 20 20|"; http_header; classtype:bad-unknown; sid:156004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Cookie Request header"; flow:established,to_server; content:"Cookie|3A 20 20|"; http_header; classtype:bad-unknown; sid:156005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Connection Request header"; flow:established,to_server; content:"Connection|3A 20 20|"; http_header; classtype:bad-unknown; sid:156006; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Length Request header"; flow:established,to_server; content:"Length|3A 20 20|"; http_header; classtype:bad-unknown; sid:156007; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Content-Type Request header"; flow:established,to_server; content:"Content-Type|3A 20 20|"; http_header; classtype:bad-unknown; sid:156008; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Accept-Language Request header"; flow:established,to_server; content:"Accept-Language|3A 20 20|"; http_header; classtype:bad-unknown; sid:156009; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Accept-Encoding Request header"; flow:established,to_server; content:"Accept-Encoding|3A 20 20|"; http_header; classtype:bad-unknown; sid:156010; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Authorization Request header"; flow:established,to_server; content:"Authorization|3A 20 20|"; http_header; classtype:bad-unknown; sid:156011; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Authorization Request header"; flow:established,to_server; content:"Authorization|3A 20 20|"; http_header; classtype:bad-unknown; sid:156012; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Expect Request header"; flow:established,to_server; content:"Expect|3A 20 20|"; http_header; classtype:bad-unknown; sid:156013; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Range Request header"; flow:established,to_server; content:"Range|3A 20 20|"; http_header; classtype:bad-unknown; sid:156015; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Via Request header"; flow:established,to_server; content:"Via|3A 20 20|"; http_header; classtype:bad-unknown; sid:156016; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Content-Encoding Request header"; flow:established,to_server; content:"Content-Encoding|3A 20 20|"; http_header; classtype:bad-unknown; sid:156017; rev:1;)

This one may need looking at. I can't remember if the HTTP header argument allows for the return/newline in the header too.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Extra Whitespace in Termination of Request Header"; flow:established,to_server; content:"|20 0D 0A 0D 0A|"; http_header; classtype:bad-unknown; sid:156018; rev:1;)


Hi Kevin,

I’m looking into this submission and will provide updates once the rules are released.

Cheers,
:hotdog:

EDIT: @kevross33 In RFC 7230 for HTTP/1.1, whitespace is defined as SP / HTAB or space and horizontal tabs. Were you strictly looking for spaces only? Or, can we add horizontal tabs to this detection logic?

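An added example, not code from either poster or from the ET ruleset, that models what the posted `content:"<Name>|3A 20 20|"` rules and the `|20 0D 0A 0D 0A|` rule match, and also checks the HTAB case raised in the follow-up (RFC 7230 OWS is SP / HTAB). The request bytes are constructed; the header list mirrors the rules above, and reading "Length" as Content-Length is an assumption.

```python
import binascii

# Header names the posted hunting rules cover. "Length" in the thread is taken to be
# Content-Length (assumption); the rule itself matches the substring "Length:  ".
WATCHED = ("Host", "User-Agent", "Referer", "Cookie", "Connection", "Content-Length",
           "Content-Type", "Accept-Language", "Accept-Encoding", "Authorization",
           "Expect", "Range", "Via", "Content-Encoding")
OWS = b" \t"  # RFC 7230 optional whitespace: SP / HTAB

def header_block(raw: bytes) -> bytes:
    """Request line plus headers, up to (not including) the blank line."""
    end = raw.find(b"\r\n\r\n")
    return raw if end < 0 else raw[:end]

def find_extra_ows(raw: bytes, flag_tabs: bool = True) -> list:
    """Watched headers whose value is preceded by more than one SP, or by any HTAB
    when flag_tabs is set. Each hit is (name, hex bytes of the whitespace run).
    Names are matched case-sensitively, as the posted rules do (no nocase)."""
    hits = []
    for line in header_block(raw).split(b"\r\n")[1:]:  # skip the request line
        name, sep, rest = line.partition(b":")
        if not sep or name.decode("latin-1") not in WATCHED:
            continue
        run = rest[: len(rest) - len(rest.lstrip(OWS))]  # leading SP/HTAB run
        if len(run) >= 2 or (flag_tabs and b"\t" in run):
            hits.append((name.decode("latin-1"), binascii.hexlify(run, b" ").decode()))
    return hits

def trailing_ws_before_end(raw: bytes) -> bool:
    """True when the last header line ends in SP/HTAB, i.e. bytes like |20 0D 0A 0D 0A|."""
    block = header_block(raw)
    return len(block) > 0 and block[-1:] in (b" ", b"\t")

def rule_content_matches(raw: bytes, name: str) -> bool:
    """Emulate content:"<Name>|3A 20 20|"; http_header: colon followed by two SP only."""
    return (name.encode() + b":  ") in header_block(raw)

SAMPLE = (  # constructed request, not taken from any real capture
    b"GET /index.html HTTP/1.1\r\n"
    b"Host:  example.invalid\r\n"      # SP SP: the posted Host rule fires
    b"User-Agent:\tMozilla/5.0\r\n"    # HTAB: legal OWS, but |3A 20 20| never matches it
    b"Accept-Language: en-US \r\n"     # single SP is normal; trailing SP before CRLF CRLF
    b"\r\n"
)

if __name__ == "__main__":
    print(find_extra_ows(SAMPLE))                       # [('Host', '20 20'), ('User-Agent', '09')]
    print(trailing_ws_before_end(SAMPLE))               # True
    print(rule_content_matches(SAMPLE, "User-Agent"))   # False
```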