105:1
-Back orifice traffic detected, unknown direction
+Back Orifice traffic detected, unknown direction
105:2
-Back orifice client traffic detected
+Back Orifice client traffic detected
105:3
-Back orifice server traffic detected
+Back Orifice server traffic detected
105:4
-Back orifice length field >= 1024 bytes
+Back Orifice length field >= 1024 bytes
106:1
119:2
-URI is percent encoded and the result is percent encoded again. This alert can only be generated if
+URI contains double-encoded hexadecimal characters. This alert can only be generated if
the iis_double_decode option is configured.
119:3
119:9
The backslash character appears in the path portion of a URI. This alert can only be generated if
-the backslash_to_slash option is configured.
+the backslash_to_slash option is configured
119:10
121:15
-HTTP/2 push promise frame with promised stream ID already in use.
+HTTP/2 push promise frame with promised stream ID already in use
121:16
#define BO_SNORT_BUFFER_ATTACK 4
#define BO_TRAFFIC_DETECT_STR \
- "Back orifice traffic detected, unknown direction"
+ "Back Orifice traffic detected, unknown direction"
#define BO_CLIENT_TRAFFIC_DETECT_STR \
- "Back orifice client traffic detected"
+ "Back Orifice client traffic detected"
#define BO_SERVER_TRAFFIC_DETECT_STR \
- "Back orifice server traffic detected"
+ "Back Orifice server traffic detected"
#define BO_SNORT_BUFFER_ATTACK_STR \
- "Back orifice length field >= 1024 bytes"
+ "Back Orifice length field >= 1024 bytes"
static const RuleMap bo_rules[] =
{
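Review bot: These four macros are the alert text emitted for 105:1 through 105:4, so the capitalisation change alters what downstream consumers see; any log filter or correlation rule that matches on the message string rather than on GID:SID will silently stop matching after an upgrade. The same applies to the re-punctuated or reworded messages for 121:15, 119:2 and 119:9 and to the two JavaScript nesting messages in the later hunks. A short comment above the macros would make the contract explicit, for example `// Alert text is informational and may change between releases; match on GID:SID (105:1-4).`, and the change deserves a line in the release notes. The bo_rules table that begins at the end of this hunk continues outside it.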
{ EVENT_SETTINGS_FRAME_UNKN_PARAM, "unknown parameter in HTTP/2 settings frame" },
{ EVENT_FRAME_SEQUENCE, "invalid HTTP/2 frame sequence" },
{ EVENT_DYNAMIC_TABLE_OVERFLOW, "HTTP/2 dynamic table has more than 512 entries" },
- { EVENT_INVALID_PROMISED_STREAM, "HTTP/2 push promise frame with promised stream ID already in use." },
+ { EVENT_INVALID_PROMISED_STREAM, "HTTP/2 push promise frame with promised stream ID already in use" },
{ EVENT_PADDING_LEN, "HTTP/2 padding length is bigger than frame data size" },
{ EVENT_PSEUDO_HEADER_AFTER_REGULAR_HEADER, "HTTP/2 pseudo-header after regular header" },
{ EVENT_PSEUDO_HEADER_IN_TRAILERS, "HTTP/2 pseudo-header in trailers" },
const RuleMap HttpModule::http_events[] =
{
{ EVENT_ASCII, "URI has percent-encoding of an unreserved character" },
- { EVENT_DOUBLE_DECODE, "URI is percent encoded and the result is percent encoded "
- "again" },
+ { EVENT_DOUBLE_DECODE, "URI contains double-encoded hexadecimal characters" },
{ EVENT_U_ENCODE, "URI has non-standard %u-style Unicode encoding" },
{ EVENT_BARE_BYTE, "URI has Unicode encodings containing bytes that were not "
"percent-encoded" },
{ EVENT_UTF_8, "URI has two-byte or three-byte UTF-8 encoding" },
{ EVENT_CODE_POINT_IN_URI, "URI has unicode map code point encoding" },
{ EVENT_MULTI_SLASH, "URI path contains consecutive slash characters" },
- { EVENT_BACKSLASH_IN_URI, "backslash character appears in the path portion of a URI."
+ { EVENT_BACKSLASH_IN_URI, "backslash character appears in the path portion of a URI"
},
{ EVENT_SELF_DIR_TRAV, "URI path contains /./ pattern repeating the current "
"directory" },
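Review bot: The new EVENT_DOUBLE_DECODE text is less precise than the one it replaces: what is applied twice is percent-encoding, while "hexadecimal characters" does not name an encoding and could be read as any hex digits in the URI. An analyst triaging 119:2 should be able to tell at a glance that the URI only shows its real content after a second round of percent-decoding. Something like `{ EVENT_DOUBLE_DECODE, "URI contains double percent-encoded characters" },` stays on one line and keeps that meaning; the documentation stub for 119:2 would need the same wording. The http_events table continues past this hunk.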
{ EVENT_JS_CODE_IN_EXTERNAL, "JavaScript code under the external script tags" },
{ EVENT_JS_SHORTENED_TAG, "script opening tag in a short form" },
{ EVENT_JS_IDENTIFIER_OVERFLOW, "max number of unique JavaScript identifiers reached" },
- { EVENT_JS_BRACKET_NEST_OVERFLOW, "JavaScript bracket nesting is over capacity" },
+ { EVENT_JS_BRACKET_NEST_OVERFLOW, "excessive JavaScript bracket nesting" },
{ EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS, "Consecutive commas in HTTP Accept-Encoding "
"header" },
{ EVENT_JS_PDU_MISS, "missed PDUs during JavaScript normalization" },
- { EVENT_JS_SCOPE_NEST_OVERFLOW, "JavaScript scope nesting is over capacity" },
+ { EVENT_JS_SCOPE_NEST_OVERFLOW, "excessive JavaScript scope nesting" },
{ EVENT_INVALID_SUBVERSION, "HTTP/1 version other than 1.0 or 1.1" },
{ EVENT_VERSION_0, "HTTP version in start line is 0" },
{ EVENT_VERSION_HIGHER_THAN_1, "HTTP version in start line is higher than 1" },
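Review bot: The reworded messages for EVENT_JS_BRACKET_NEST_OVERFLOW and EVENT_JS_SCOPE_NEST_OVERFLOW no longer say that a limit was hit; "excessive" reads as a judgement on the script, whereas the event names and the neighbouring "max number of unique JavaScript identifiers reached" describe a capacity being exhausted. If reaching that limit means the rest of the script is not normalized (not visible in this hunk), that is the fact an analyst needs, because script that was not normalized may not be covered by later detection. Wording such as `"JavaScript bracket nesting exceeds the normalizer limit"` and `"JavaScript scope nesting exceeds the normalizer limit"` would keep it. Separately, `"Consecutive commas in HTTP Accept-Encoding "` is the only message in this stretch that starts with a capital letter, which this clean-up leaves untouched.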