alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid range header"; flow:established; app-layer-event:http2.invalid_range; classtype:protocol-command-decode; sid:2290010; rev:1;)
alert http2 any any -> any any (msg:"SURICATA HTTP2 variable-length integer overflow"; flow:established; app-layer-event:http2.header_integer_overflow; classtype:protocol-command-decode; sid:2290011; rev:1;)
alert http2 any any -> any any (msg:"SURICATA HTTP2 too many streams"; flow:established; app-layer-event:http2.too_many_streams; classtype:protocol-command-decode; sid:2290012; rev:1;)
+alert http2 any any -> any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; app-layer-event:http2.authority_host_mismatch; classtype:protocol-command-decode; sid:2290013; rev:1;)
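Review bot: The new rule (sid 2290013) does not say that the event is best-effort, and analysts who read only the rules file will treat silence as "no mismatch". Per the comment in handle_headers, the event is raised only when `:authority` and `host` arrive in the same frame, so a request carrying them in separate frames sets nothing. A comment line above the rule would record this, for example `# Raised only when :authority and host are seen in the same HTTP/2 frame.`.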
}
fn handle_headers(&mut self, blocks: &[parser::HTTP2FrameHeaderBlock], dir: Direction) {
+ let mut authority = None;
+ let mut host = None;
for block in blocks {
if block.name == b"content-encoding" {
self.decoder.http2_encoding_fromvec(&block.value, dir);
+ } else if block.name.eq_ignore_ascii_case(b":authority") {
+ authority = Some(&block.value);
+ } else if block.name.eq_ignore_ascii_case(b"host") {
+ host = Some(&block.value);
+ }
+ }
+ if let Some(a) = authority {
+ if let Some(h) = host {
+ if !a.eq_ignore_ascii_case(h) {
+ // The event is triggered only if both headers
+ // are in the same frame to avoid excessive
+ // complexity at runtime.
+ self.set_event(HTTP2Event::AuthorityHostMismatch);
+ }
}
}
}
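Review bot: In the loop, `authority` and `host` are overwritten on every match, so only the last `:authority` and the last `host` in `blocks` are ever compared. If either header is repeated with different values and the final pair happens to agree, no event is set. The proposal below also flags a repeated header whose value differs from the previous one; it reuses AuthorityHostMismatch for that case, though a separate event may be preferable. `Option::replace` stores the new value and returns the previous one, which keeps each branch short.

```rust
let mut authority = None;
let mut host = None;
// Set when :authority or host is repeated with a different value.
let mut repeated_differs = false;
for block in blocks {
    if block.name == b"content-encoding" {
        // … unchanged: content-encoding handling …
    } else if block.name.eq_ignore_ascii_case(b":authority") {
        if let Some(prev) = authority.replace(&block.value) {
            repeated_differs |= !prev.eq_ignore_ascii_case(&block.value);
        }
    } else if block.name.eq_ignore_ascii_case(b"host") {
        if let Some(prev) = host.replace(&block.value) {
            repeated_differs |= !prev.eq_ignore_ascii_case(&block.value);
        }
    }
}
let pair_differs = match (authority, host) {
    (Some(a), Some(h)) => !a.eq_ignore_ascii_case(h),
    _ => false,
};
if pair_differs || repeated_differs {
    // Still limited to headers seen in the same frame.
    self.set_event(HTTP2Event::AuthorityHostMismatch);
}
```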
InvalidRange,
HeaderIntegerOverflow,
TooManyStreams,
+ AuthorityHostMismatch,
}
pub struct HTTP2DynTable {