HTTP new parser warning for Ambiguous C-L
authorPhilippe Antoine <contact@catenacyber.fr>
Mon, 4 Mar 2019 12:25:46 +0000 (13:25 +0100)
committerVictor Julien <victor@inliniac.net>
Thu, 19 Sep 2019 10:40:18 +0000 (12:40 +0200)
rules/http-events.rules
src/app-layer-htp.c
src/app-layer-htp.h

index 77a92b529eb19c0f1a06013f847629c8c7c24890..66ba09cdf5e318a9db9fe373930329f6b963cb0f 100644 (file)
@@ -76,4 +76,7 @@ alert http any any -> any any (msg:"SURICATA HTTP Unexpected Request body"; flow
 
 alert http any any -> any any (msg:"SURICATA HTTP LZMA reached its memory limit"; flow:established; app-layer-event:http.lzma_memlimit_reached; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221046; rev:1;)
 
-# next sid 2221047
+alert http any any -> any any (msg:"SURICATA HTTP duplicate content length field in request"; flow:established,to_server; app-layer-event:http.duplicate_content_length_field_in_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221047; rev:1;)
+alert http any any -> any any (msg:"SURICATA HTTP duplicate content length field in response"; flow:established,to_client; app-layer-event:http.duplicate_content_length_field_in_response; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221048; rev:1;)
+
+# next sid 2221049
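Review bot: The `msg` text on both added rules says "duplicate content length field", but the events come from the parser warnings "Ambiguous request C-L value" and "Ambiguous response C-L value" mapped in the src/app-layer-htp.c hunk, so an alert may describe a narrower condition than its name suggests. If the parser only warns when the repeated values disagree or cannot be parsed (not verifiable from this diff), a header repeated with the same value would not alert, and a hit should be read as conflicting lengths, which is the case relevant to request-smuggling triage. A comment above the rules would make that explicit, for example `# Raised on the parser's "Ambiguous ... C-L value" warning: Content-Length repeated with values that cannot be reconciled`. The same DUPLICATE naming is used for the event names in src/app-layer-htp.c and the enum constants in src/app-layer-htp.h.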
index 737f25f160de9e81a34d38b0fc34817300ae1189..55f9a7a949f3d96276e9b2d4e98f7489892c3059 100644 (file)
@@ -114,6 +114,10 @@ SCEnumCharMap http_decoder_event_table[ ] = {
         HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST},
     { "INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE",
         HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE},
+    { "DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST",
+        HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST},
+    { "DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE",
+        HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE},
     { "100_CONTINUE_ALREADY_SEEN",
         HTTP_DECODER_EVENT_100_CONTINUE_ALREADY_SEEN},
     { "UNABLE_TO_MATCH_RESPONSE_TO_REQUEST",
@@ -591,6 +595,8 @@ struct {
     { "Request line incomplete", HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE},
     { "Unexpected request body", HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED},
     { "LZMA decompressor: memory limit reached", HTTP_DECODER_EVENT_LZMA_MEMLIMIT_REACHED},
+    { "Ambiguous request C-L value", HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST},
+    { "Ambiguous response C-L value", HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE},
 };
 
 #define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
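Review bot: The two added entries tie the new events to literal message text from the HTTP parser library, and nothing in this commit tests that link; neither hunk in this file adds a test. If the library rewords "Ambiguous request C-L value" or "Ambiguous response C-L value", the events and sids 2221047/2221048 would presumably stop firing with no build or runtime error, leaving a silent detection gap for conflicting Content-Length headers. I would add a comment on the entries such as `/* text must match the parser library's warning exactly */`. I would also add a unit test that feeds a request carrying two differing Content-Length headers and asserts that the event is set. The table these lines extend starts outside the hunk, as does the lookup code, so how the strings are compared is not visible here.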
index 51ae1ad32ab921435a502a511bd7a9139f5fbaa5..9c244202078dde331bc9508ee565eb880dcf7e1f 100644 (file)
@@ -89,6 +89,8 @@ enum {
     HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE,
     HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST,
     HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE,
+    HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST,
+    HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE,
     HTTP_DECODER_EVENT_100_CONTINUE_ALREADY_SEEN,
     HTTP_DECODER_EVENT_UNABLE_TO_MATCH_RESPONSE_TO_REQUEST,
     HTTP_DECODER_EVENT_INVALID_SERVER_PORT_IN_REQUEST,