From: Russ Combs (rucombs) Date: Wed, 27 Jul 2016 15:14:10 +0000 (-0400) Subject: Merge pull request #568 in SNORT/snort3 from nhttp50 to master X-Git-Tag: 3.0.0-233~324 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6f0c2cf;p=thirdparty%2Fsnort3.git Merge pull request #568 in SNORT/snort3 from nhttp50 to master Squashed commit of the following: commit d3a67eb2a549d929917a8f4b42ac9c5b4b00c0c8 Author: Tom Peters Date: Tue Jul 26 16:11:06 2016 -0400 Unbounded POST alert --- diff --git a/src/service_inspectors/nhttp_inspect/nhttp_enum.h b/src/service_inspectors/nhttp_inspect/nhttp_enum.h index 2b02b7a89..515de7b2b 100644 --- a/src/service_inspectors/nhttp_inspect/nhttp_enum.h +++ b/src/service_inspectors/nhttp_inspect/nhttp_enum.h @@ -189,6 +189,7 @@ enum Infraction INF_FINAL_NOT_CHUNKED, INF_CHUNKED_BEFORE_END, INF_OVERSIZE_DIR, + INF_POST_WO_BODY, INF__MAX_VALUE }; diff --git a/src/service_inspectors/nhttp_inspect/nhttp_msg_header.cc b/src/service_inspectors/nhttp_inspect/nhttp_msg_header.cc index f747058a8..7e7d607c7 100644 --- a/src/service_inspectors/nhttp_inspect/nhttp_msg_header.cc +++ b/src/service_inspectors/nhttp_inspect/nhttp_msg_header.cc @@ -150,6 +150,14 @@ void NHttpMsgHeader::update_flow() if (source_id == SRC_CLIENT) { // No body + if ((method_id == METH_POST) || (method_id == METH_PUT)) + { + // Despite the name of this event, we assume for parsing purposes that this POST or PUT + // does not have a body rather than running to connection close. Obviously that is just + // an assumption. + infractions += INF_POST_WO_BODY; + events.create_event(EVENT_UNBOUNDED_POST); + } session_data->half_reset(source_id); return; }