AnsweredAssumed Answered

HTTP parser and alias.host

Question asked by RSA Admin Employee on Dec 10, 2014
Latest reply on Dec 11, 2014 by RSA Admin

Recently we noticed that some sessions (not all) that contain HTTP requests with an IP address in the "Host" header are not getting populated with the alias.host meta.  My question is: how does the HTTP parser decide what value to assign to that meta?  Also, is this common or expected behavior?

 

If it helps, many of the sessions with this issue are very simple.  A completely fabricated, but syntactically accurate example:

 

POST / HTTP/1.0

Accept: */*

Content-Type: application/octet-stream

User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Win32)

Host: 1.2.3.4

Content-length: 90

Connection: Keep-Alive

 

something://hostname.domain.tld/secretkey

 

All of this is happening on the latest 9.8 stack.  Not all sessions on each decoder are affected.  Thanks in advance for your help.

Outcomes