Merge pull request #2717 in SNORT/snort3 from ~KATHARVE/snort3:hi_scheme_length to...
authorMike Stepanek (mstepane) <mstepane@cisco.com>
Mon, 25 Jan 2021 14:46:57 +0000 (14:46 +0000)
committerMike Stepanek (mstepane) <mstepane@cisco.com>
Mon, 25 Jan 2021 14:46:57 +0000 (14:46 +0000)
Squashed commit of the following:

commit 3ba32d1935436a4246e8242302935abb38a92c13
Author: Katura Harvey <katharve@cisco.com>
Date:   Fri Jan 22 10:53:37 2021 -0500

    http_inspect: validate URI scheme length

src/service_inspectors/http_inspect/http_enum.h
src/service_inspectors/http_inspect/http_msg_request.cc
src/service_inspectors/http_inspect/http_tables.cc
src/service_inspectors/http_inspect/http_uri.cc
src/service_inspectors/http_inspect/http_uri.h

index b28b03ffedddad9944b2fe1b3febbfa5c713fe21..da5a358304189501942f1454aafdef2e31159357 100755 (executable)
@@ -246,6 +246,7 @@ enum Infraction
     INF_HTTP2_IN_HI,
     INF_TRUNCATED_MSG_BODY_CL,
     INF_TRUNCATED_MSG_BODY_CHUNK,
+    INF_LONG_SCHEME,
     INF__MAX_VALUE
 };
 
@@ -372,10 +373,11 @@ enum EventSid
     EVENT_200_CONNECT_RESP_WITH_CL,
     EVENT_200_CONNECT_RESP_WITH_TE,
     EVENT_100_CONNECT_RESP,
-    EVENT_EARLY_CONNECT_RESPONSE,          // 258
+    EVENT_EARLY_CONNECT_RESPONSE,
     EVENT_MALFORMED_CD_FILENAME,
-    EVENT_TRUNCATED_MSG_BODY_CL,
+    EVENT_TRUNCATED_MSG_BODY_CL,           // 260
     EVENT_TRUNCATED_MSG_BODY_CHUNK,
+    EVENT_LONG_SCHEME,                     // 262
     EVENT__MAX_VALUE
 };
 
index 47505096164fb909e910963677f714c389beba86..e437fb67246d82eb9a83f70fbb5efa3aa10c0050 100644 (file)
@@ -255,6 +255,12 @@ void HttpMsgRequest::gen_events()
     if (method_id == METH__OTHER)
         create_event(EVENT_UNKNOWN_METHOD);
 
+    if (uri && uri->get_scheme().length() > LONG_SCHEME_LENGTH)
+    {
+        create_event(EVENT_LONG_SCHEME);
+        add_infraction(INF_LONG_SCHEME);
+    }
+
     if (session_data->zero_nine_expected != 0)
     {
         // Previous 0.9 request on this connection should have been the last request message
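Review bot: The new check in gen_events() can only fire for schemes of 11 to 36 characters, because the http_uri.cc hunk in this same commit stops parse_uri() from storing a scheme once `j` exceeds MAX_SCHEME_LENGTH. Whether a longer scheme still raises any event depends on the fall-through path of parse_uri(), which is outside the visible hunks, so it is worth confirming that an over-long scheme does not end up with no alert at all. I would add a comment above the `if`, such as `// parse_uri() never stores a scheme longer than MAX_SCHEME_LENGTH, so this covers the range between the two limits`, and a test on each side of both limits. gen_events() starts and ends outside this hunk.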
index 7b95fb0a5adaeed410c40ffb9c9d2fea8a5a18f4..32c2c559710afa7d397573a5c6220b741ebb92e0 100755 (executable)
@@ -406,6 +406,7 @@ const RuleMap HttpModule::http_events[] =
     { EVENT_MALFORMED_CD_FILENAME,      "malformed HTTP Content-Disposition filename parameter" },
     { EVENT_TRUNCATED_MSG_BODY_CL,      "HTTP Content-Length message body was truncated" },
     { EVENT_TRUNCATED_MSG_BODY_CHUNK,   "HTTP chunked message body was truncated" },
+    { EVENT_LONG_SCHEME,                "HTTP URI scheme longer than 10 characters" },
     { 0, nullptr }
 };
 
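Review bot: The rule text hard-codes the threshold (`longer than 10 characters`) while the check in gen_events() uses LONG_SCHEME_LENGTH from http_uri.h, so changing the constant would leave rule 262 describing the wrong limit. A comment next to the constant would keep the two tied together, e.g. `// keep in sync with the EVENT_LONG_SCHEME text in http_tables.cc`. The http_events[] table starts outside this hunk.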
index 22a6ca454a0366b8fe97d0f815b87dd0a739ae4f..2a6b690c82bbc638af04a67858cac79991ae5da1 100644 (file)
@@ -69,10 +69,11 @@ void HttpUri::parse_uri()
             j++);
         for (k = j+3; (k < uri.length()) && (uri.start()[k] != '/'); k++);
 
-        // Verify that 1) we found ://, 2) we found /, 3) scheme begins with a letter, and
-        // 4) scheme consists of legal characters (RFC 3986 3.1)
+        // Verify that 1) we found ://, 2) we found /, 3) scheme begins with a letter,
+        // 4) scheme consists of legal characters (RFC 3986 3.1) and 5) scheme is no more than 36
+        // characters in length
         if ((k < uri.length()) && (uri.start()[j] == ':') && (uri.start()[j+1] == '/') &&
-            (uri.start()[j+2] == '/') && (uri.start()[0] >= 'A'))
+            (uri.start()[j+2] == '/') && (uri.start()[0] >= 'A') && j <= MAX_SCHEME_LENGTH)
         {
             uri_type = URI_ABSOLUTE;
             scheme.set(j, uri.start());
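Review bot: The rewritten comment lists the length limit as item 5 directly after the RFC 3986 3.1 reference, which reads as if the RFC imposed it; section 3.1 defines the scheme's characters but no maximum length, so 36 is a local policy choice. I would word it `// 5) scheme is no longer than MAX_SCHEME_LENGTH (local limit, not from the RFC)`, which also avoids repeating the number in the comment. The added `j <= MAX_SCHEME_LENGTH` is the only unparenthesized term in the condition; `(j <= MAX_SCHEME_LENGTH)` would match its neighbours. parse_uri() starts and ends outside this hunk.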
index 4e782edd62861827a99ff54d6aa2bf52d33124e2..35b9dab1e90763989a91775f041487dc1782cab4 100644 (file)
@@ -26,6 +26,9 @@
 #include "http_field.h"
 #include "http_event.h"
 
+static const int MAX_SCHEME_LENGTH = 36; // schemes longer than 36 characters are malformed
+static const int LONG_SCHEME_LENGTH = 10; // schemes longer than 10 characters will alert
+
 //-------------------------------------------------------------------------
 // HttpUri class
 //-------------------------------------------------------------------------
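Review bot: The two limits are declared as `static const int` at file scope in a header, so every file that includes http_uri.h picks up the unscoped names MAX_SCHEME_LENGTH and LONG_SCHEME_LENGTH. Scoping them would be tidier, for example `static constexpr int MAX_SCHEME_LENGTH = 36;` inside the HttpUri class declared just below, with gen_events() then referring to `HttpUri::LONG_SCHEME_LENGTH`; this assumes nothing else relies on the global names. The trailing comments say what each limit does but not where 36 and 10 come from, and a short rationale there would help whoever tunes them later.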