Merge pull request #568 in SNORT/snort3 from nhttp50 to master

Squashed commit of the following:

commit d3a67eb2a549d929917a8f4b42ac9c5b4b00c0c8
Author: Tom Peters <thopeter@cisco.com>
Date:   Tue Jul 26 16:11:06 2016 -0400

    Unbounded POST alert

diff --git a/src/service_inspectors/nhttp_inspect/nhttp_enum.h b/src/service_inspectors/nhttp_inspect/nhttp_enum.h
index 2b02b7a891b98e7c81fd9116f5a48ee4856aeb9d..515de7b2bfcc50a861641af658fb43dceda086d4 100644 (file)
--- a/src/service_inspectors/nhttp_inspect/nhttp_enum.h
+++ b/src/service_inspectors/nhttp_inspect/nhttp_enum.h
@@ -189,6 +189,7 @@ enum Infraction
     INF_FINAL_NOT_CHUNKED,
     INF_CHUNKED_BEFORE_END,
     INF_OVERSIZE_DIR,
+    INF_POST_WO_BODY,
     INF__MAX_VALUE
 };
 

diff --git a/src/service_inspectors/nhttp_inspect/nhttp_msg_header.cc b/src/service_inspectors/nhttp_inspect/nhttp_msg_header.cc
index f747058a8a0233556c65b16a1d6d742cf7069e6b..7e7d607c76cd0aebc64e75407c52d818170db335 100644 (file)
--- a/src/service_inspectors/nhttp_inspect/nhttp_msg_header.cc
+++ b/src/service_inspectors/nhttp_inspect/nhttp_msg_header.cc
@@ -150,6 +150,14 @@ void NHttpMsgHeader::update_flow()
     if (source_id == SRC_CLIENT)
     {
         // No body
+        if ((method_id == METH_POST) || (method_id == METH_PUT))
+        {
+            // Despite the name of this event, we assume for parsing purposes that this POST or PUT
+            // does not have a body rather than running to connection close. Obviously that is just
+            // an assumption.
+            infractions += INF_POST_WO_BODY;
+            events.create_event(EVENT_UNBOUNDED_POST);
+        }
         session_data->half_reset(source_id);
         return;
     }