Merge pull request #2732 in SNORT/snort3 from ~THOPETER/snort3:nhttp153 to master
authorMike Stepanek (mstepane) <mstepane@cisco.com>
Thu, 4 Feb 2021 19:24:28 +0000 (19:24 +0000)
committerMike Stepanek (mstepane) <mstepane@cisco.com>
Thu, 4 Feb 2021 19:24:28 +0000 (19:24 +0000)
Squashed commit of the following:

commit 3f388128feedc0ece93e4312f48feafb69a1cb4d
Author: Tom Peters <thopeter@cisco.com>
Date:   Fri Jan 29 17:11:40 2021 -0500

    http_inspect: remove unused events

src/service_inspectors/http_inspect/http_enum.h
src/service_inspectors/http_inspect/http_msg_head_shared.h
src/service_inspectors/http_inspect/http_msg_header.cc
src/service_inspectors/http_inspect/http_tables.cc

index da5a358304189501942f1454aafdef2e31159357..f67531bcd7834f24eab51f1ba1fe04aff73f6d78 100755 (executable)
@@ -247,6 +247,7 @@ enum Infraction
     INF_TRUNCATED_MSG_BODY_CL,
     INF_TRUNCATED_MSG_BODY_CHUNK,
     INF_LONG_SCHEME,
+    INF_MULTIPLE_HOST_HDRS,
     INF__MAX_VALUE
 };
 
@@ -264,120 +265,120 @@ enum EventSid
 {
     EVENT__NONE = -1,
     EVENT_ASCII = 1,
-    EVENT_DOUBLE_DECODE,
-    EVENT_U_ENCODE,
-    EVENT_BARE_BYTE,
-    EVENT_OBSOLETE_BASE_36,       // Previously used, do not reuse this number
-    EVENT_UTF_8,
-    EVENT_CODE_POINT_IN_URI,
-    EVENT_MULTI_SLASH,
-    EVENT_BACKSLASH_IN_URI,
-    EVENT_SELF_DIR_TRAV,                   // 10
-    EVENT_DIR_TRAV,
-    EVENT_APACHE_WS,
-    EVENT_LF_WITHOUT_CR,
-    EVENT_NON_RFC_CHAR,
-    EVENT_OVERSIZE_DIR,
-    EVENT_LARGE_CHUNK,
-    EVENT_PROXY_USE,
-    EVENT_WEBROOT_DIR,
-    EVENT_LONG_HDR,
-    EVENT_MAX_HEADERS,                     // 20
-    EVENT_MULTIPLE_CONTLEN,
-    EVENT_OBSOLETE_CHUNK_SIZE_MISMATCH,    // Previously used, do not reuse this number
-    EVENT_INVALID_TRUEIP,
-    EVENT_MULTIPLE_HOST_HDRS,
-    EVENT_LONG_HOSTNAME,
-    EVENT_EXCEEDS_SPACES,
-    EVENT_CONSECUTIVE_SMALL_CHUNKS,
-    EVENT_UNBOUNDED_POST,
-    EVENT_MULTIPLE_TRUEIP_IN_SESSION,
-    EVENT_BOTH_TRUEIP_XFF_HDRS,            // 30
-    EVENT_UNKNOWN_METHOD,
-    EVENT_SIMPLE_REQUEST,
-    EVENT_UNESCAPED_SPACE_URI,
-    EVENT_PIPELINE_MAX,
+    EVENT_DOUBLE_DECODE = 2,
+    EVENT_U_ENCODE = 3,
+    EVENT_BARE_BYTE = 4,
+    // EVENT_OBSOLETE_BASE_36 = 5,   // Previously used, do not reuse this number
+    EVENT_UTF_8 = 6,
+    EVENT_CODE_POINT_IN_URI = 7,
+    EVENT_MULTI_SLASH = 8,
+    EVENT_BACKSLASH_IN_URI = 9,
+    EVENT_SELF_DIR_TRAV = 10,
+    EVENT_DIR_TRAV = 11,
+    EVENT_APACHE_WS = 12,
+    EVENT_LF_WITHOUT_CR = 13,
+    EVENT_NON_RFC_CHAR = 14,
+    EVENT_OVERSIZE_DIR = 15,
+    // EVENT_LARGE_CHUNK = 16,
+    // EVENT_PROXY_USE = 17,
+    EVENT_WEBROOT_DIR = 18,
+    EVENT_LONG_HDR = 19,
+    EVENT_MAX_HEADERS = 20,
+    EVENT_MULTIPLE_CONTLEN = 21,
+    // EVENT_OBSOLETE_CHUNK_SIZE_MISMATCH = 22,   // Previously used, do not reuse this number
+    // EVENT_INVALID_TRUEIP = 23,
+    EVENT_MULTIPLE_HOST_HDRS = 24,
+    // EVENT_LONG_HOSTNAME = 25,
+    // EVENT_EXCEEDS_SPACES = 26,
+    // EVENT_CONSECUTIVE_SMALL_CHUNKS = 27,
+    EVENT_UNBOUNDED_POST = 28,
+    // EVENT_MULTIPLE_TRUEIP_IN_SESSION = 29,
+    // EVENT_BOTH_TRUEIP_XFF_HDRS = 30,
+    EVENT_UNKNOWN_METHOD = 31,
+    EVENT_SIMPLE_REQUEST = 32,
+    EVENT_UNESCAPED_SPACE_URI = 33,
+    EVENT_PIPELINE_MAX = 34,
 
-    EVENT_OBSOLETE_ANOM_SERVER = 101,      // Previously used, do not reuse this number
-    EVENT_INVALID_STATCODE,
-    EVENT_UNUSED_1,
-    EVENT_UTF_NORM_FAIL,
-    EVENT_UTF7,
-    EVENT_DECOMPR_FAILED,
-    EVENT_CONSECUTIVE_SMALL_CHUNKS_S,
-    EVENT_UNUSED_2,
-    EVENT_JS_OBFUSCATION_EXCD,
-    EVENT_JS_EXCESS_WS,                    // 110
-    EVENT_MIXED_ENCODINGS,
-    EVENT_SWF_ZLIB_FAILURE,
-    EVENT_SWF_LZMA_FAILURE,
-    EVENT_PDF_DEFL_FAILURE,
-    EVENT_PDF_UNSUP_COMP_TYPE,
-    EVENT_PDF_CASC_COMP,
-    EVENT_PDF_PARSE_FAILURE,              // 117
+    // EVENT_OBSOLETE_ANOM_SERVER = 101,      // Previously used, do not reuse this number
+    EVENT_INVALID_STATCODE = 102,
+    // EVENT_UNUSED_1 = 103,
+    EVENT_UTF_NORM_FAIL = 104,
+    EVENT_UTF7 = 105,
+    // EVENT_DECOMPR_FAILED = 106,
+    // EVENT_CONSECUTIVE_SMALL_CHUNKS_S = 107,
+    // EVENT_UNUSED_2 = 108,
+    EVENT_JS_OBFUSCATION_EXCD = 109,
+    EVENT_JS_EXCESS_WS = 110,
+    EVENT_MIXED_ENCODINGS = 111,
+    EVENT_SWF_ZLIB_FAILURE = 112,
+    EVENT_SWF_LZMA_FAILURE = 113,
+    EVENT_PDF_DEFL_FAILURE = 114,
+    EVENT_PDF_UNSUP_COMP_TYPE = 115,
+    EVENT_PDF_CASC_COMP = 116,
+    EVENT_PDF_PARSE_FAILURE = 117,
 
     EVENT_LOSS_OF_SYNC = 201,
-    EVENT_CHUNK_ZEROS,
-    EVENT_WS_BETWEEN_MSGS,
-    EVENT_URI_MISSING,
-    EVENT_CTRL_IN_REASON,
-    EVENT_IMPROPER_WS,
-    EVENT_BAD_VERS,
-    EVENT_UNKNOWN_VERS,
-    EVENT_BAD_HEADER,
-    EVENT_CHUNK_OPTIONS,                   // 210
-    EVENT_URI_BAD_FORMAT,
-    EVENT_UNKNOWN_PERCENT,
-    EVENT_BROKEN_CHUNK,
-    EVENT_CHUNK_WHITESPACE,
-    EVENT_HEAD_NAME_WHITESPACE,
-    EVENT_GZIP_OVERRUN,
-    EVENT_GZIP_FAILURE,
-    EVENT_ZERO_NINE_CONTINUE,
-    EVENT_ZERO_NINE_NOT_FIRST,
-    EVENT_BOTH_CL_AND_TE,                  // 220
-    EVENT_BAD_CODE_BODY_HEADER,
-    EVENT_BAD_TE_HEADER,
-    EVENT_PADDED_TE_HEADER,
-    EVENT_MISFORMATTED_HTTP,
-    EVENT_UNSUPPORTED_ENCODING,
-    EVENT_UNKNOWN_ENCODING,
-    EVENT_STACKED_ENCODINGS,
-    EVENT_RESPONSE_WO_REQUEST,
-    EVENT_FILE_DECOMPR_OVERRUN,
-    EVENT_BAD_CHAR_IN_HEADER_NAME,         // 230
-    EVENT_BAD_CONTENT_LENGTH,
-    EVENT_HEADER_WRAPPING,
-    EVENT_CR_WITHOUT_LF,
-    EVENT_CHUNK_BAD_SEP,
-    EVENT_CHUNK_BARE_LF,
-    EVENT_MULTIPLE_100_RESPONSES,
-    EVENT_UNEXPECTED_100_RESPONSE,
-    EVENT_UNKNOWN_1XX_STATUS,
-    EVENT_EXPECT_WITHOUT_BODY,
-    EVENT_CHUNKED_ONE_POINT_ZERO,          // 240
-    EVENT_CTE_HEADER,
-    EVENT_ILLEGAL_TRAILER,
-    EVENT_REPEATED_HEADER,
-    EVENT_CONTENT_ENCODING_CHUNKED,
-    EVENT_206_WITHOUT_RANGE,
-    EVENT_VERSION_NOT_UPPERCASE,
-    EVENT_BAD_HEADER_WHITESPACE,
-    EVENT_GZIP_EARLY_END,
-    EVENT_EXCESS_REPEAT_PARAMS,
-    EVENT_H2_NON_IDENTITY_TE,              // 250
-    EVENT_H2_DATA_OVERRUNS_CL,
-    EVENT_H2_DATA_UNDERRUNS_CL,
-    EVENT_CONNECT_REQUEST_BODY,
-    EVENT_EARLY_C2S_TRAFFIC_AFTER_CONNECT,
-    EVENT_200_CONNECT_RESP_WITH_CL,
-    EVENT_200_CONNECT_RESP_WITH_TE,
-    EVENT_100_CONNECT_RESP,
-    EVENT_EARLY_CONNECT_RESPONSE,
-    EVENT_MALFORMED_CD_FILENAME,
-    EVENT_TRUNCATED_MSG_BODY_CL,           // 260
-    EVENT_TRUNCATED_MSG_BODY_CHUNK,
-    EVENT_LONG_SCHEME,                     // 262
+    EVENT_CHUNK_ZEROS = 202,
+    EVENT_WS_BETWEEN_MSGS = 203,
+    EVENT_URI_MISSING = 204,
+    EVENT_CTRL_IN_REASON = 205,
+    EVENT_IMPROPER_WS = 206,
+    EVENT_BAD_VERS = 207,
+    EVENT_UNKNOWN_VERS = 208,
+    EVENT_BAD_HEADER = 209,
+    EVENT_CHUNK_OPTIONS = 210,
+    EVENT_URI_BAD_FORMAT = 211,
+    EVENT_UNKNOWN_PERCENT = 212,
+    EVENT_BROKEN_CHUNK = 213,
+    EVENT_CHUNK_WHITESPACE = 214,
+    EVENT_HEAD_NAME_WHITESPACE = 215,
+    EVENT_GZIP_OVERRUN = 216,
+    EVENT_GZIP_FAILURE = 217,
+    EVENT_ZERO_NINE_CONTINUE = 218,
+    EVENT_ZERO_NINE_NOT_FIRST = 219,
+    EVENT_BOTH_CL_AND_TE = 220,
+    EVENT_BAD_CODE_BODY_HEADER = 221,
+    EVENT_BAD_TE_HEADER = 222,
+    EVENT_PADDED_TE_HEADER = 223,
+    EVENT_MISFORMATTED_HTTP = 224,
+    EVENT_UNSUPPORTED_ENCODING = 225,
+    EVENT_UNKNOWN_ENCODING = 226,
+    EVENT_STACKED_ENCODINGS = 227,
+    EVENT_RESPONSE_WO_REQUEST = 228,
+    EVENT_FILE_DECOMPR_OVERRUN = 229,
+    EVENT_BAD_CHAR_IN_HEADER_NAME = 230,
+    EVENT_BAD_CONTENT_LENGTH = 231,
+    EVENT_HEADER_WRAPPING = 232,
+    EVENT_CR_WITHOUT_LF = 233,
+    EVENT_CHUNK_BAD_SEP = 234,
+    EVENT_CHUNK_BARE_LF = 235,
+    EVENT_MULTIPLE_100_RESPONSES = 236,
+    EVENT_UNEXPECTED_100_RESPONSE = 237,
+    EVENT_UNKNOWN_1XX_STATUS = 238,
+    EVENT_EXPECT_WITHOUT_BODY = 239,
+    EVENT_CHUNKED_ONE_POINT_ZERO = 240,
+    EVENT_CTE_HEADER = 241,
+    EVENT_ILLEGAL_TRAILER = 242,
+    EVENT_REPEATED_HEADER = 243,
+    EVENT_CONTENT_ENCODING_CHUNKED = 244,
+    EVENT_206_WITHOUT_RANGE = 245,
+    EVENT_VERSION_NOT_UPPERCASE = 246,
+    EVENT_BAD_HEADER_WHITESPACE = 247,
+    EVENT_GZIP_EARLY_END = 248,
+    EVENT_EXCESS_REPEAT_PARAMS = 249,
+    EVENT_H2_NON_IDENTITY_TE = 250,
+    EVENT_H2_DATA_OVERRUNS_CL = 251,
+    EVENT_H2_DATA_UNDERRUNS_CL = 252,
+    EVENT_CONNECT_REQUEST_BODY = 253,
+    EVENT_EARLY_C2S_TRAFFIC_AFTER_CONNECT = 254,
+    EVENT_200_CONNECT_RESP_WITH_CL = 255,
+    EVENT_200_CONNECT_RESP_WITH_TE = 256,
+    EVENT_100_CONNECT_RESP = 257,
+    EVENT_EARLY_CONNECT_RESPONSE = 258,
+    EVENT_MALFORMED_CD_FILENAME = 259,
+    EVENT_TRUNCATED_MSG_BODY_CL = 260,
+    EVENT_TRUNCATED_MSG_BODY_CHUNK = 261,
+    EVENT_LONG_SCHEME = 262,
     EVENT__MAX_VALUE
 };
 
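Review bot: Most of the retired enumerators are now commented out without the `// Previously used, do not reuse this number` marker that only EVENT_OBSOLETE_BASE_36, EVENT_OBSOLETE_CHUNK_SIZE_MISMATCH and EVENT_OBSOLETE_ANOM_SERVER carry (for example `// EVENT_LARGE_CHUNK = 16,` and `// EVENT_INVALID_TRUEIP = 23,`), so nothing tells the next editor that 16, 17, 23, 25-27, 29, 30, 101, 103 and 106-108 are reserved. These values look like externally visible rule SIDs (the http_events[] table in http_tables.cc maps them to alert text), so reusing one would silently change the meaning of an already-published rule and of any downstream alert handling keyed on that number. Rather than repeating the marker on every retired line, one comment above the enum would cover them all: `// Values are rule SIDs and part of the external interface: never renumber an event, and never reuse a retired (commented-out) number.` The same applies to the commented-out rows of http_events[] in the http_tables.cc hunks at @@ -292 and @@ -303, which could simply be deleted once the enum records the retired numbers.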
index 8b3ba4ef6e0b1208740e14fad161893a0633bd63..5741dff73abc53fef1d6e6356b4a3625cfbe13d1 100755 (executable)
@@ -77,7 +77,7 @@ private:
     // Header normalization strategies. There should be one defined for every different way we can
     // process a header field value.
     static const HeaderNormalizer NORMALIZER_BASIC;
-    static const HeaderNormalizer NORMALIZER_NO_REPEAT;
+    static const HeaderNormalizer NORMALIZER_HOST;
     static const HeaderNormalizer NORMALIZER_CASE_INSENSITIVE;
     static const HeaderNormalizer NORMALIZER_NUMBER;
     static const HeaderNormalizer NORMALIZER_TOKEN_LIST;
index d676447f344a5a7aae55ef0a608c8e9db6e75017..a14f5b96c54e906cf72dde0ef8c95235da1b756d 100755 (executable)
@@ -143,6 +143,11 @@ void HttpMsgHeader::gen_events()
         add_infraction(INF_BOTH_CL_AND_TE);
         create_event(EVENT_BOTH_CL_AND_TE);
     }
+
+    // Force inspection of the Host field
+    if (source_id == SRC_CLIENT)
+        get_header_value_norm(HEAD_HOST);
+
     // Content-Transfer-Encoding is a MIME header not sanctioned by HTTP. Which may not prevent
     // some clients from recognizing it and applying a decoding that Snort does not expect.
     if (get_header_count(HEAD_CONTENT_TRANSFER_ENCODING) > 0)
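Review bot: The new `get_header_value_norm(HEAD_HOST)` call discards its return value, and the comment `// Force inspection of the Host field` does not say why that is needed; the reader has to know that the Host normalizer (NORMALIZER_HOST in http_tables.cc) is what raises EVENT_MULTIPLE_HOST_HDRS and, presumably, that it only runs when the normalized value is requested. Suggested replacement comment: `// Duplicate Host headers are only detected inside the Host normalizer, which appears to run lazily the first time the normalized value is requested. Request it here so the check fires for every client message even if nothing else asks for Host; the value itself is not needed.` If the normalizer is indeed lazy, a duplicated Host header is a request-routing ambiguity worth alerting on unconditionally, so this closes a detection gap rather than just tidying up, and the comment should say so. The enclosing gen_events() starts and ends outside the hunk.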
index 32c2c559710afa7d397573a5c6220b741ebb92e0..86ad08e08861da64ea13c2eb4a31255981738bd0 100755 (executable)
@@ -184,8 +184,8 @@ const StrCode HttpMsgHeadShared::charset_code_opt_list[] =
 const HeaderNormalizer HttpMsgHeadShared::NORMALIZER_BASIC
     { EVENT__NONE, INF__NONE, false, nullptr, nullptr, nullptr };
 
-const HeaderNormalizer HttpMsgHeadShared::NORMALIZER_NO_REPEAT
-    { EVENT_REPEATED_HEADER, INF_REPEATED_HEADER, false, nullptr, nullptr, nullptr };
+const HeaderNormalizer HttpMsgHeadShared::NORMALIZER_HOST
+    { EVENT_MULTIPLE_HOST_HDRS, INF_MULTIPLE_HOST_HDRS, false, nullptr, nullptr, nullptr };
 
 const HeaderNormalizer HttpMsgHeadShared::NORMALIZER_CASE_INSENSITIVE
     { EVENT__NONE, INF__NONE, false, norm_to_lower, nullptr, nullptr };
@@ -237,7 +237,7 @@ const HeaderNormalizer* const HttpMsgHeadShared::header_norms[HEAD__MAX_VALUE +
     &NORMALIZER_BASIC,      // HEAD_AUTHORIZATION
     &NORMALIZER_CASE_INSENSITIVE, // HEAD_EXPECT
     &NORMALIZER_BASIC,      // HEAD_FROM
-    &NORMALIZER_NO_REPEAT,  // HEAD_HOST
+    &NORMALIZER_HOST,       // HEAD_HOST
     &NORMALIZER_BASIC,      // HEAD_IF_MATCH
     &NORMALIZER_DATE,       // HEAD_IF_MODIFIED_SINCE
     &NORMALIZER_BASIC,      // HEAD_IF_NONE_MATCH
@@ -292,7 +292,7 @@ const RuleMap HttpModule::http_events[] =
     { EVENT_DOUBLE_DECODE,              "double decoding attack" },
     { EVENT_U_ENCODE,                   "u encoding" },
     { EVENT_BARE_BYTE,                  "bare byte unicode encoding" },
-    { EVENT_OBSOLETE_BASE_36,           "obsolete event--deleted" },
+    // { EVENT_OBSOLETE_BASE_36,           "obsolete event--deleted" },
     { EVENT_UTF_8,                      "UTF-8 encoding" },
     { EVENT_CODE_POINT_IN_URI,          "unicode map code point encoding in URI" },
     { EVENT_MULTI_SLASH,                "multi_slash encoding" },
@@ -303,33 +303,34 @@ const RuleMap HttpModule::http_events[] =
     { EVENT_LF_WITHOUT_CR,              "HTTP header line terminated by LF without a CR" },
     { EVENT_NON_RFC_CHAR,               "non-RFC defined char" },
     { EVENT_OVERSIZE_DIR,               "oversize request-uri directory" },
-    { EVENT_LARGE_CHUNK,                "oversize chunk encoding" },
-    { EVENT_PROXY_USE,                  "unauthorized proxy use detected" },
+    // { EVENT_LARGE_CHUNK,                "oversize chunk encoding" },
+    // { EVENT_PROXY_USE,                  "unauthorized proxy use detected" },
     { EVENT_WEBROOT_DIR,                "webroot directory traversal" },
     { EVENT_LONG_HDR,                   "long header" },
     { EVENT_MAX_HEADERS,                "max header fields" },
     { EVENT_MULTIPLE_CONTLEN,           "multiple content length" },
-    { EVENT_OBSOLETE_CHUNK_SIZE_MISMATCH, "obsolete event--deleted" },
-    { EVENT_INVALID_TRUEIP,             "invalid IP in true-client-IP/XFF header" },
-    { EVENT_MULTIPLE_HOST_HDRS,         "multiple host hdrs detected" },
-    { EVENT_LONG_HOSTNAME,              "hostname exceeds 255 characters" },
-    { EVENT_EXCEEDS_SPACES,             "too much whitespace in header (not implemented yet)" },
-    { EVENT_CONSECUTIVE_SMALL_CHUNKS,   "client consecutive small chunk sizes" },
+    // { EVENT_OBSOLETE_CHUNK_SIZE_MISMATCH, "obsolete event--deleted" },
+    // { EVENT_INVALID_TRUEIP,             "invalid IP in true-client-IP/XFF header" },
+    { EVENT_MULTIPLE_HOST_HDRS,         "Host header field appears more than once or has multiple "
+                                        "values" },
+    // { EVENT_LONG_HOSTNAME,              "hostname exceeds 255 characters" },
+    // { EVENT_EXCEEDS_SPACES,             "too much whitespace in header (not implemented yet)" },
+    // { EVENT_CONSECUTIVE_SMALL_CHUNKS,   "client consecutive small chunk sizes" },
     { EVENT_UNBOUNDED_POST,             "POST or PUT w/o content-length or chunks" },
-    { EVENT_MULTIPLE_TRUEIP_IN_SESSION, "multiple true ips in a session" },
-    { EVENT_BOTH_TRUEIP_XFF_HDRS,       "both true-client-IP and XFF hdrs present" },
+    // { EVENT_MULTIPLE_TRUEIP_IN_SESSION, "multiple true ips in a session" },
+    // { EVENT_BOTH_TRUEIP_XFF_HDRS,       "both true-client-IP and XFF hdrs present" },
     { EVENT_UNKNOWN_METHOD,             "unknown method" },
     { EVENT_SIMPLE_REQUEST,             "simple request" },
     { EVENT_UNESCAPED_SPACE_URI,        "unescaped space in HTTP URI" },
     { EVENT_PIPELINE_MAX,               "too many pipelined requests" },
-    { EVENT_OBSOLETE_ANOM_SERVER,       "obsolete event--deleted" },
+    // { EVENT_OBSOLETE_ANOM_SERVER,       "obsolete event--deleted" },
     { EVENT_INVALID_STATCODE,           "invalid status code in HTTP response" },
-    { EVENT_UNUSED_1,                   "unused event number--should not appear" },
+    // { EVENT_UNUSED_1,                   "unused event number--should not appear" },
     { EVENT_UTF_NORM_FAIL,              "HTTP response has UTF charset that failed to normalize" },
     { EVENT_UTF7,                       "HTTP response has UTF-7 charset" },
-    { EVENT_DECOMPR_FAILED,             "HTTP response gzip decompression failed" },
-    { EVENT_CONSECUTIVE_SMALL_CHUNKS_S, "server consecutive small chunk sizes" },
-    { EVENT_UNUSED_2,                   "unused event number--should not appear" },
+    // { EVENT_DECOMPR_FAILED,             "HTTP response gzip decompression failed" },
+    // { EVENT_CONSECUTIVE_SMALL_CHUNKS_S, "server consecutive small chunk sizes" },
+    // { EVENT_UNUSED_2,                   "unused event number--should not appear" },
     { EVENT_JS_OBFUSCATION_EXCD,        "javascript obfuscation levels exceeds 1" },
     { EVENT_JS_EXCESS_WS,               "javascript whitespaces exceeds max allowed" },
     { EVENT_MIXED_ENCODINGS,            "multiple encodings within javascript obfuscated data" },