http: new event for auth unrecognized 3818/head
authorPhilippe Antoine <contact@catenacyber.fr>
Wed, 6 Mar 2019 07:56:47 +0000 (08:56 +0100)
committerVictor Julien <victor@inliniac.net>
Thu, 25 Apr 2019 11:53:50 +0000 (13:53 +0200)
activates libhtp auth parsing
Fixes #984

rules/http-events.rules
src/app-layer-htp.c
src/app-layer-htp.h

index bd81e559255c250c92c62c8f8fdcb676e0a25544..5d6d2875c95b2a4bf04d065d996e9e6edb01fb36 100644 (file)
@@ -52,5 +52,7 @@ alert http any any -> any any (msg:"SURICATA HTTP Request line with leading whit
 alert http any any -> any any (msg:"SURICATA HTTP Request too many encoding layers"; flow:established,to_server; app-layer-event:http.too_many_encoding_layers; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221032; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP Request abnormal Content-Encoding header"; flow:established,to_server; app-layer-event:http.abnormal_ce_header; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221033; rev:1;)
 
-# next sid 2221034
+alert http any any -> any any (msg:"SURICATA HTTP Request unrecognized authorization method"; flow:established,to_server; app-layer-event:http.request_auth_unrecognized; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221034; rev:1;)
+
+# next sid 2221035
 
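Review bot: The rule added at sid 2221034 will match every request whose Authorization scheme libhtp does not parse, not only malformed ones. As far as I can tell libhtp at this point recognizes only Basic and Digest, so Bearer, NTLM and Negotiate traffic would presumably raise the event and increment `http.anomaly.count`. That would make it much noisier than the neighbouring protocol-anomaly rules on networks with API or Windows-integrated authentication. I would add a comment above the rule, e.g. `# fires for any Authorization scheme libhtp does not parse (e.g. Bearer, NTLM); expect hits on legitimate traffic`, so operators know to tune or disable it.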
index 5c7a5ad50d915c8f18f82c4de9f9f5fa7c4b14d1..636e252454cc86a132a40b077b4374f691bbccb8 100644 (file)
@@ -144,6 +144,8 @@ SCEnumCharMap http_decoder_event_table[ ] = {
         HTTP_DECODER_EVENT_URI_HOST_INVALID},
     { "REQUEST_HEADER_HOST_INVALID",
         HTTP_DECODER_EVENT_HEADER_HOST_INVALID},
+    { "REQUEST_AUTH_UNRECOGNIZED",
+        HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED},
     { "URI_DELIM_NON_COMPLIANT",
         HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT},
     { "METHOD_DELIM_NON_COMPLIANT",
@@ -641,6 +643,13 @@ static inline void HTPErrorCheckTxRequestFlags(HtpState *s, htp_tx_t *tx)
             HTPSetEvent(s, htud,
                     HTTP_DECODER_EVENT_HEADER_HOST_INVALID);
     }
+    if (tx->request_auth_type == HTP_AUTH_UNRECOGNIZED) {
+        HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
+        if (htud == NULL)
+            return;
+
+        HTPSetEvent(s, htud, HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED);
+    }
 }
 
 static int Setup(Flow *f, HtpState *hstate)
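Review bot: The `tx->request_auth_type == HTP_AUTH_UNRECOGNIZED` check only works because the later hunk in HTPConfigSetDefaultsPhase1 deletes `htp_config_set_parse_request_auth(cfg_prec->cfg, 0);` and so falls back on libhtp's default, which nothing in the visible code states. I would make the dependency explicit there with `htp_config_set_parse_request_auth(cfg_prec->cfg, 1);`, or at least put a comment on this check such as `/* needs libhtp request auth parsing enabled, see HTPConfigSetDefaultsPhase1 */`. With parsing on, libhtp presumably also decodes Basic credentials into the transaction, so it is worth confirming that nothing logs or dumps those fields. HTPErrorCheckTxRequestFlags starts outside this hunk.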
@@ -2255,7 +2264,6 @@ static void HTPConfigSetDefaultsPhase1(HTPCfgRec *cfg_prec)
     htp_config_register_response_complete(cfg_prec->cfg, HTPCallbackResponse);
 
     htp_config_set_parse_request_cookies(cfg_prec->cfg, 0);
-    htp_config_set_parse_request_auth(cfg_prec->cfg, 0);
 
     /* don't convert + to space by default */
     htp_config_set_plusspace_decode(cfg_prec->cfg, HTP_DECODER_URLENCODED, 0);
index 249c1cf3350a716f1c5dc427c699c38184b22cb6..8e1430771270902d1116a315f91416d09c8b85f0 100644 (file)
@@ -106,6 +106,7 @@ enum {
     HTTP_DECODER_EVENT_REQUEST_LINE_LEADING_WHITESPACE,
     HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS,
     HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER,
+    HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED,
 
     /* suricata errors/warnings */
     HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,