Consecutive commas in HTTP Accept-Encoding header
+119:273
+
+This alert is raised for the following situation. During JavaScript normalization middle
+PDUs can be missed and not normalized. Usually it happens when rules have file_data and
+js_data ips options and fast-pattern (FP) search is applying to file_data. Some PDUs don’t
+match file_data FP search and JavaScript normalization won't be executed for these PDUs.
+The normalization of the following PDUs for inline/external scripts will be stopped for
+current request within the flow.
+
121:1
invalid flag set on HTTP/2 frame
INF_CHUNK_OVER_MAXIMUM = 128,
INF_LONG_HOST_VALUE = 129,
INF_ACCEPT_ENCODING_CONSECUTIVE_COMMAS = 130,
+ INF_JS_PDU_MISS = 131,
INF__MAX_VALUE
};
EVENT_JS_IDENTIFIER_OVERFLOW = 270,
EVENT_JS_SCOPE_NEST_OVFLOW = 271,
EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS = 272,
+ EVENT_JS_PDU_MISS = 273,
EVENT__MAX_VALUE
};
}
#ifndef UNIT_TEST_BUILD
+void HttpFlowData::reset_js_pdu_idx()
+{
+ js_pdu_idx = pdu_idx = 0;
+ js_data_lost_once = false;
+}
+
void HttpFlowData::reset_js_ident_ctx()
{
if (js_ident_ctx)
return *js_normalizer;
}
+bool HttpFlowData::is_pdu_missed()
+{
+ bool pdu_missed = ((pdu_idx - js_pdu_idx) > 1);
+ js_pdu_idx = pdu_idx;
+ return pdu_missed;
+}
+
void HttpFlowData::release_js_ctx()
{
js_continue = false;
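Review bot: In `is_pdu_missed()` the line `bool pdu_missed = ((pdu_idx - js_pdu_idx) > 1);` is unsigned arithmetic on two `uint32_t` counters, so if `js_pdu_idx` is ever ahead of `pdu_idx` (one counter reset without the other, or `pdu_idx` wrapping after 2^32 PDUs) the difference wraps to a huge value and a miss is reported; the visible `reset_js_pdu_idx()` resets both together, so the invariant `js_pdu_idx <= pdu_idx` holds only as long as nothing else touches the counters separately, which is worth stating in a comment. The name reads as a pure query, but the function also advances `js_pdu_idx`, which the header declaration does not reveal; suggest a comment on the definition such as `// Reports whether at least one PDU was skipped since the last check and records the current PDU index as seen (mutates js_pdu_idx).` Whether a difference of exactly 1 is the normal consecutive case depends on where `pdu_idx` is incremented relative to the normalization call in http_msg_body.cc, so the comment should say that too.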
HttpTransaction** pipeline = nullptr;
int16_t pipeline_front = 0;
int16_t pipeline_back = 0;
+ uint32_t pdu_idx = 0;
+ uint32_t js_pdu_idx = 0;
+ bool js_data_lost_once = false;
bool pipeline_overflow = false;
bool pipeline_underflow = false;
bool js_continue = false;
bool js_built_in_event = false;
+ void reset_js_pdu_idx();
void reset_js_ident_ctx();
snort::JSNormalizer& acquire_js_ctx(int32_t ident_depth, size_t norm_depth,
uint8_t max_template_nesting, uint32_t max_scope_depth,
const std::unordered_set<std::string>& built_in_ident);
void release_js_ctx();
+ bool is_pdu_missed();
bool cutover_on_clear = false;
bool ssl_search_abandoned = false;
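Review bot: The three new members `pdu_idx`, `js_pdu_idx` and `js_data_lost_once` are declared without any comment, and their relationship is only recoverable from the .cc hunks (the first appears to be advanced per body PDU, the second records the index at the last JS normalization check, the third latches the "stop normalizing for this request" state). Suggested comments: `// index of the current body PDU on this flow`, `// pdu_idx value recorded by the last is_pdu_missed() check`, `// set once a PDU gap is detected; JS normalization is abandoned for the rest of the request`. The declaration of `is_pdu_missed()` would also benefit from `// not a pure query: updates js_pdu_idx`. The enclosing class starts and ends outside the hunk.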
else
do_legacy_js_normalization(decompressed_file_body, js_norm_body);
+ ++session_data->pdu_idx;
+
const int32_t detect_length =
(js_norm_body.length() <= session_data->detect_depth_remaining[source_id]) ?
js_norm_body.length() : session_data->detect_depth_remaining[source_id];
void HttpMsgBody::do_enhanced_js_normalization(const Field& input, Field& output)
{
+ if (session_data->js_data_lost_once)
+ return;
+
+ auto infractions = transaction->get_infractions(source_id);
auto back = !session_data->partial_flush[source_id];
auto http_header = get_header(source_id);
auto normalizer = params->js_norm_param.js_norm;
- auto infractions = transaction->get_infractions(source_id);
+
+ if (session_data->is_pdu_missed())
+ {
+ *infractions += INF_JS_PDU_MISS;
+ session_data->events[HttpCommon::SRC_SERVER]->create_event(EVENT_JS_PDU_MISS);
+
+ session_data->js_data_lost_once = true;
+ return;
+ }
if (http_header and http_header->is_external_js())
normalizer->do_external(input, output, infractions, session_data, back);
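Review bot: The new miss branch raises the event on `session_data->events[HttpCommon::SRC_SERVER]` while the infraction two lines above is recorded for `source_id`, so the infraction and the event can land on different sides of the flow if this function is ever entered for a request body; everything else in the function indexes by `source_id`, so `session_data->events[source_id]->create_event(EVENT_JS_PDU_MISS);` keeps the two consistent (if only response bodies reach here the hard-coded side is harmless but still inconsistent). Once `js_data_lost_once` is latched, the early return at the top of the function silently skips normalization for every later PDU of the request, so the single alert is the only signal that js_data rules are now seeing unnormalized script for the remainder of the request; a comment on that return, `// normalization already abandoned for this request; EVENT_JS_PDU_MISS was raised when the gap was detected`, makes the intent explicit. The end of the function is outside the hunk.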
get_related_sections();
session_data->release_js_ctx();
session_data->reset_js_ident_ctx();
+ session_data->reset_js_pdu_idx();
}
HttpMsgRequest::~HttpMsgRequest()
{ EVENT_JS_SCOPE_NEST_OVFLOW, "JavaScript scope nesting is over capacity" },
{ EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS, "Consecutive commas in HTTP Accept-Encoding "
"header" },
+ { EVENT_JS_PDU_MISS, "missed PDUs during JavaScript normalization" },
{ 0, nullptr }
};
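Review bot: The new event text `"missed PDUs during JavaScript normalization"` is the only entry in this table that starts lower-case; the neighbouring strings (`"JavaScript scope nesting is over capacity"`, `"Consecutive commas in HTTP Accept-Encoding header"`) are capitalised, so `{ EVENT_JS_PDU_MISS, "Missed PDUs during JavaScript normalization" },` would match the table's style. Event text is what operators see in alert output, so consistent casing across the table is worth keeping.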