119:19
-HTTP header line exceeds 4096 bytes. This does not apply to the start line. Header line length
-includes both header field name and value.
+HTTP header line exceeds maximum_header_length option bytes. This does not apply to the start line.
+Header line length includes both header field name and value.
119:20
-HTTP message has more than 200 header fields.
+HTTP message has more than maximum_headers option header fields.
119:21
A lower limit may be configured by setting maximum_chunk_length. Any chunk
longer than maximum chunk length will generate a 119:16 alert.
+===== maximum_header_length
+
+http_inspect generates 119:19 when the length of a header exceeds
+maximum_header_length = N {0 : 65535} (default 4096).
+
+===== maximum_headers
+
+http_inspect generates 119:20 when the number of headers exceeds
+maximum_headers = N {0 : 65535} (default 200).
+
===== URI processing
Normalization and inspection of the URI in the HTTP request message is a
{ "maximum_chunk_length", Parameter::PT_INT, "0:4294967295", "4294967295",
"maximum allowed length for a message body chunk" },
+ { "maximum_header_length", Parameter::PT_INT, "0:65535", "4096",
+ "alert when the length of a header exceeds this value" },
+
+ { "maximum_headers", Parameter::PT_INT, "0:65535", "200",
+ "alert when the number of headers in a message exceeds this value" },
+
{ "normalize_utf", Parameter::PT_BOOL, nullptr, "true",
"normalize charset utf encodings in response bodies" },
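Review bot: The `"0:65535"` range on both new parameters admits 0, and neither help string says what 0 means or what unit the length is in. With the strict `>` comparisons used where the header lines are parsed, 0 does not switch the check off: it raises 119:19 on every non-empty header line and 119:20 on any message that has a header. If that is not intended, start the ranges at 1. Otherwise say so in the help text, for example `"alert when the length of a header line in bytes exceeds this value (0 alerts on every header line)"`.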
{
params->maximum_chunk_length = val.get_int64();
}
+ else if (val.is("maximum_header_length"))
+ {
+ params->maximum_header_length = val.get_uint16();
+ }
+ else if (val.is("maximum_headers"))
+ {
+ params->maximum_headers = val.get_uint16();
+ }
else if (val.is("decompress_pdf"))
{
params->decompress_pdf = val.get_bool();
bool normalize_utf = true;
int64_t maximum_host_length = -1;
int64_t maximum_chunk_length = 0xFFFFFFFF;
+ uint16_t maximum_header_length = 4096;
+ uint16_t maximum_headers = 200;
bool decompress_pdf = false;
bool decompress_swf = false;
bool decompress_zip = false;
const int32_t header_length = find_next_header(msg_text.start() + bytes_used,
msg_text.length() - bytes_used, num_seps);
header_line[num_headers].set(header_length, msg_text.start() + bytes_used + num_seps);
- if (header_line[num_headers].length() > MAX_HEADER_LENGTH)
+ if (header_line[num_headers].length() > params->maximum_header_length)
{
add_infraction(INF_TOO_LONG_HEADER);
create_event(EVENT_LONG_HDR);
}
bytes_used += num_seps + header_line[num_headers].length();
- if (++num_headers >= MAX_HEADERS)
- {
- break;
- }
+ ++num_headers;
}
- if (bytes_used < msg_text.length())
+ if (num_headers > params->maximum_headers)
{
add_infraction(INF_TOO_MANY_HEADERS);
create_event(EVENT_MAX_HEADERS);
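Review bot: With the `if (++num_headers >= MAX_HEADERS) break;` exit removed, nothing visible in this hunk bounds the index in `header_line[num_headers].set(...)`, and `maximum_headers` is only compared after the loop has finished. The allocation of `header_line` is outside the hunk, so confirm that it is sized from the number of header lines actually present in the message and not from the old constant of 200. If it is not, the loop needs a guard before the `set` call, such as `if (num_headers >= allocated_lines) break;` (`allocated_lines` is a constructed name). Parsing every header also means fields after the limit are no longer skipped by inspection, but per-message work is now bounded only by the size of the header section, which is worth a comment above the loop. The enclosing function starts and ends outside the hunk.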
int32_t get_num_headers() const { return num_headers; }
int32_t get_content_type();
- static const int MAX_HEADERS = 200; // I'm an arbitrary number. FIXIT-RC
protected:
HttpMsgHeadShared(const uint8_t* buffer, const uint16_t buf_size,
HttpFlowData* session_data_, HttpCommon::SourceId source_id_, bool buf_owner, snort::Flow* flow_,
// Do a case insensitive search for "boundary=" in a Field
static bool boundary_present(const Field& field);
+ // All of these are indexed by the relative position of the header field in the message
+
Field* header_line = nullptr;
HttpEnums::HeaderId* header_name_id = nullptr;
int32_t num_headers = HttpCommon::STAT_NOT_COMPUTE;
private:
static const int MAX = HttpEnums::HEAD__MAX_VALUE + HttpEnums::MAX_CUSTOM_HEADERS;
- // All of these are indexed by the relative position of the header field in the message
- static const int MAX_HEADER_LENGTH = 4096; // Based on max cookie size of some browsers
-
void parse_header_block();
int32_t find_next_header(const uint8_t* buffer, int32_t length, int32_t& num_seps);
void parse_header_lines();
"oversize_dir_length parameter" },
{ EVENT_LARGE_CHUNK, "chunk length exceeds configured maximum_chunk_length" },
{ EVENT_WEBROOT_DIR, "URI path includes /../ that goes above the root directory" },
- { EVENT_LONG_HDR, "HTTP header line exceeds 4096 bytes" },
- { EVENT_MAX_HEADERS, "HTTP message has more than 200 header fields" },
+ { EVENT_LONG_HDR, "HTTP header line exceeds maximum_header_length option bytes" },
+ { EVENT_MAX_HEADERS, "HTTP message has more than maximum_headers option header fields" },
{ EVENT_MULTIPLE_CONTLEN, "HTTP message has more than one Content-Length header value" },
{ EVENT_MULTIPLE_HOST_HDRS, "Host header field appears more than once or has multiple values" },
{ EVENT_LONG_HOSTNAME, "length of HTTP Host header field value exceeds maximum_host_length option" },
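Review bot: The two new rule messages read awkwardly, because "exceeds maximum_header_length option bytes" and "more than maximum_headers option header fields" drop the option name into the slot where the number used to be. These strings are what an analyst sees on the alert, and the neighbouring EVENT_LONG_HOSTNAME entry already uses the clearer form "exceeds maximum_host_length option". Suggested wording: `"HTTP header line length exceeds maximum_header_length option"` and `"number of HTTP header fields exceeds maximum_headers option"`. The 119:19 and 119:20 reference text at the top of the page repeats the same phrasing and should be changed with it.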