http: add libhtp uri warning event
authorVictor Julien <victor@inliniac.net>
Wed, 18 Feb 2015 15:45:20 +0000 (16:45 +0100)
committerVictor Julien <victor@inliniac.net>
Thu, 26 Feb 2015 07:56:19 +0000 (08:56 +0100)
Add event for the libhtp warning added in 0.5.17 for URIs with suspicious
delimiters.

rules/http-events.rules
src/app-layer-htp.c
src/app-layer-htp.h

index d5bb0f19a7e05be913a8a6442a1cd8284e8aa122..260ce3423937e496ec1ecf239f1f7c369a342012 100644 (file)
@@ -41,6 +41,8 @@ alert http any any -> any any (msg:"SURICATA HTTP request server port doesn't ma
 alert http any any -> any any (msg:"SURICATA HTTP Host part of URI is invalid"; flow:established,to_server; app-layer-event:http.request_uri_host_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221027; rev:1;)
 # Host header is invalid
 alert http any any -> any any (msg:"SURICATA HTTP Host header invalid"; flow:established,to_server; app-layer-event:http.request_header_host_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221028; rev:1;)
+# URI is terminated by non-compliant characters. RFC allows for space (0x20), but many implementations permit others like tab and more.
+alert http any any -> any any (msg:"SURICATA HTTP URI terminated by non-compliant character"; flow:established,to_server; app-layer-event:http.uri_delim_non_compliant; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221029; rev:1;)
 
-# next sid 2221029
+# next sid 2221030
 
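Review bot: The new rule at sid:2221029 can only match when the underlying libhtp actually emits the "URI contains non-compliant delimiter" warning, which the commit message ties to libhtp 0.5.17; on a build linked against an older libhtp the rule loads cleanly but never fires, and nothing in the rules file says so. Suggest recording that dependency next to the rule, e.g. `# Requires libhtp >= 0.5.17; older versions do not emit this warning.` The flowint anomaly counter and classtype are consistent with the neighbouring rules, so the rest looks fine.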
index b0038e20d1097541864b9ef898d13b6e31b5cd2b..316a5316d45ab17e2db885e296a5301dff3cf776 100644 (file)
@@ -144,6 +144,8 @@ SCEnumCharMap http_decoder_event_table[ ] = {
         HTTP_DECODER_EVENT_URI_HOST_INVALID},
     { "REQUEST_HEADER_HOST_INVALID",
         HTTP_DECODER_EVENT_HEADER_HOST_INVALID},
+    { "URI_DELIM_NON_COMPLIANT",
+        HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT},
 
     /* suricata warnings/errors */
     { "MULTIPART_GENERIC_ERROR",
@@ -497,6 +499,7 @@ struct {
      * luckily, "Request server port=" is unique */
 /*    { "Request server port number differs from the actual TCP port", HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH}, */
     { "Request server port=", HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH},
+    { "Request line: URI contains non-compliant delimiter", HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT},
 };
 
 #define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
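Review bot: The new htp_errors entry `{ "Request line: URI contains non-compliant delimiter", HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT }` binds event generation to the exact wording of a libhtp log message, so a rewording in a later libhtp release would silently stop this event, and the rule that depends on it, from ever firing, with no error at startup. The comment above the "Request server port=" entry suggests the table is matched as a prefix of libhtp's message text; if so, a short comment on the new entry stating which libhtp version introduced the message and that the string must track libhtp verbatim would help the next maintainer, e.g. `/* libhtp >= 0.5.17; must match libhtp's warning text exactly */`. A unit test that runs a request with a tab-separated URI through the parser and asserts HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT is raised would catch such drift early. The htp_errors struct definition starts outside the hunk, as does the lookup that consults it.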
index 7fca45e03cbccde094e02ccbef95fca0af3d236b..2526f30bfba0524feffe5cbf7d4cf85d8a8ccec7 100644 (file)
@@ -121,6 +121,7 @@ enum {
     HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH,
     HTTP_DECODER_EVENT_URI_HOST_INVALID,
     HTTP_DECODER_EVENT_HEADER_HOST_INVALID,
+    HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT,
 
     /* suricata errors/warnings */
     HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,
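Review bot: Inserting HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT in the middle of the enum renumbers every constant that follows it, beginning with HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR. That is harmless as long as the values are only resolved at runtime by name through http_decoder_event_table in src/app-layer-htp.c, which this commit updates in step, but it would break any consumer that stores or compares the raw numbers across builds; whether such a consumer exists cannot be told from this hunk. A one-line comment at the head of the enum would make the contract explicit, e.g. `/* numeric values are not stable across versions; resolve by name via http_decoder_event_table */`. The enum's opening and closing lines are outside the hunk.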