Recently we noticed that some sessions (not all) that contain HTTP requests with an IP address in the "Host" header are not getting populated with the alias.host meta. My question is: how does the HTTP parser decide what value to assign to that meta? Also, is this common or expected behavior?
If it helps, many of the sessions with this issue are very simple. A completely fabricated, but syntactically accurate example:
POST / HTTP/1.0
Accept: */*
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Win32)
Host: 1.2.3.4
Content-length: 90
Connection: Keep-Alive
something://hostname.domain.tld/secretkey
All of this is happening on the latest 9.8 stack. Not all sessions on each decoder are affected. Thanks in advance for your help.
Short answer: it is expected.
Long answer:
The native OOTB parser 'HTTP' will register whatever is in a HOST: header as alias.host meta - whether it is or not. That can cause problems down the line with feeds, app rules, etc. Even the TLD parser would get an ip address in an alias.host meta and register the last quad as tld meta - which caused many calls to Support.
So that was corrected in http-flex. It determines if the value of a host header is a hostname, IPv4, or IPv6 and registers it appropriately (alias.host, alias.ip, or alias.ipv6, respectively). HTTP_lua does the same.
So for the session above, you should see alias.ip meta containing "1.2.3.4"