Merge in SNORT/snort3 from ~ADMAMOLE/snort3:alert_long_no_data_frame to master
Squashed commit of the following:
commit
59b023f3586ae55d751a4d282f572f3276fa0cdc
Author: Adrian Mamolea <admamole@cisco.com>
Date: Fri May 20 17:13:11 2022 -0400
http2_inspect: add alert and infraction for non-Data frame too long
Nonempty HTTP/2 Data frame where a message body was not expected.
+121:38
+
+HTTP/2 non-Data frame longer than 63780 bytes
+
122:1
Basic one host to one host TCP portscan where multiple TCP ports are scanned on
EVENT_MORE_THAN_2_TABLE_SIZE_UPDATES = 35,
EVENT_HPACK_TABLE_SIZE_UPDATE_EXCEEDS_MAX = 36,
EVENT_UNEXPECTED_DATA_FRAME = 37,
+ EVENT_NON_DATA_FRAME_TOO_LONG = 38,
EVENT__MAX_VALUE
};
INF_INVALID_WINDOW_UPDATE_FRAME = 46,
INF_WINDOW_UPDATE_FRAME_ZERO_INCREMENT = 47,
INF_UNEXPECTED_DATA_FRAME = 48,
+ INF_NON_DATA_FRAME_TOO_LONG = 49,
INF__MAX_VALUE
};
if ((type != FT_DATA) && (frame_length + FRAME_HEADER_LENGTH > MAX_OCTETS))
{
// FIXIT-E long non-data frames may need to be supported
- // FIXIT-E need an alert and infraction
+ *session_data->infractions[source_id] += INF_NON_DATA_FRAME_TOO_LONG;
+ session_data->events[source_id]->create_event(EVENT_NON_DATA_FRAME_TOO_LONG);
return StreamSplitter::ABORT;
}
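Review bot: The surviving `// FIXIT-E long non-data frames may need to be supported` comment no longer explains what this branch costs: the new lines record the infraction and event and then return `StreamSplitter::ABORT`, which presumably ends HTTP/2 inspection for the remainder of the flow. I would add a comment above the two added lines, such as `// Oversized non-Data frame: raise 121:38 before aborting; later frames on this flow are not inspected`, so readers and rule writers treat the alert as a loss-of-visibility signal. The enclosing function starts and ends outside the hunk, so it cannot be confirmed from these lines that `session_data->infractions[source_id]` and `session_data->events[source_id]` are always valid at this point.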
{ EVENT_HPACK_TABLE_SIZE_UPDATE_EXCEEDS_MAX,
"HTTP/2 HPACK table size update exceeds max value set by decoder in SETTINGS frame" },
{ EVENT_UNEXPECTED_DATA_FRAME, "Nonempty HTTP/2 Data frame where message body not expected" },
+ { EVENT_NON_DATA_FRAME_TOO_LONG, "HTTP/2 non-Data frame longer than 63780 bytes" },
{ 0, nullptr }
};
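Review bot: The rule text on the new `EVENT_NON_DATA_FRAME_TOO_LONG` entry hard-codes `63780`, while the splitter check in this commit compares `frame_length + FRAME_HEADER_LENGTH` against `MAX_OCTETS`. If `MAX_OCTETS` is 63780 (its definition is not shown here), the limit covers header plus payload, so a frame whose payload is a few bytes under 63780 also raises the event and the message is slightly off for an analyst reading the alert. Wording such as `"HTTP/2 non-Data frame longer than 63780 bytes including frame header"` would be exact, and the identical sentence added to the builtin rule documentation in this commit should be kept in step. A one-line comment next to the entry, `// keep in sync with MAX_OCTETS`, would stop the text drifting if the constant changes.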