http: event on chunk extension 9045/head
authorPhilippe Antoine <pantoine@oisf.net>
Mon, 12 Jun 2023 20:28:16 +0000 (22:28 +0200)
committerPhilippe Antoine <pantoine@oisf.net>
Tue, 20 Jun 2023 09:51:48 +0000 (11:51 +0200)
Chunk extensions are defined in RFC 2616, section 3.6.1

Ticket: #6159

rules/http-events.rules
src/app-layer-htp.c
src/app-layer-htp.h

index 6376c807fcfffa85d351aab8f5d0e7e17e14ae2e..8c7763f1b661d49e7843564bdde5d90ce5ed808c 100644 (file)
@@ -89,4 +89,6 @@ alert http any any -> any any (msg:"SURICATA HTTP file name too long"; flow:esta
 
 alert http any any -> any any (msg:"SURICATA HTTP failed protocol change"; flow:established; app-layer-event:http.failed_protocol_change; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221053; rev:1;)
 
-# next sid 2221054
+#alert http any any -> any any (msg:"SURICATA HTTP request chunk extension"; flow:established; app-layer-event:http.request_chunk_extension; classtype:protocol-command-decode; sid:2221054; rev:1;)
+
+# next sid 2221055
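Review bot: The new rule on the added `#alert` line is shipped disabled and, unlike the sibling rule for `http.failed_protocol_change` two lines above, does not bump `flowint:http.anomaly.count,+,1;`, so even an operator who uncomments it will not see this event reflected in the anomaly counter the other HTTP event rules maintain. If the rule is deliberately off because chunk extensions are legal syntax and would be noisy on normal traffic, that reasoning belongs in the commit message or a `#` comment above the rule, since the other rules in this section are active. For consistency I would write the line as `#alert http any any -> any any (msg:"SURICATA HTTP request chunk extension"; flow:established; app-layer-event:http.request_chunk_extension; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221054; rev:1;)`.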
index b2c915d9342d610fe302b041359c934cb7f726a1..f3e0ad2e81ff83602efd88349b7c8acf279c2933 100644 (file)
@@ -166,6 +166,7 @@ SCEnumCharMap http_decoder_event_table[] = {
     { "COMPRESSION_BOMB", HTTP_DECODER_EVENT_COMPRESSION_BOMB },
 
     { "RANGE_INVALID", HTTP_DECODER_EVENT_RANGE_INVALID },
+    { "REQUEST_CHUNK_EXTENSION", HTTP_DECODER_EVENT_REQUEST_CHUNK_EXTENSION },
 
     /* suricata warnings/errors */
     { "MULTIPART_GENERIC_ERROR", HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR },
@@ -598,37 +599,47 @@ struct {
     const char *msg;
     uint8_t de;
 } htp_warnings[] = {
-    { "GZip decompressor:", HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED},
-    { "Request field invalid", HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID},
-    { "Response field invalid", HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID},
-    { "Request header name is not a token", HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID},
-    { "Response header name is not a token", HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID},
-/*  { "Host information in request headers required by HTTP/1.1", HTTP_DECODER_EVENT_MISSING_HOST_HEADER}, <- tx flag HTP_HOST_MISSING
-    { "Host information ambiguous", HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS}, <- tx flag HTP_HOST_AMBIGUOUS */
-    { "Invalid request field folding", HTTP_DECODER_EVENT_INVALID_REQUEST_FIELD_FOLDING},
-    { "Invalid response field folding", HTTP_DECODER_EVENT_INVALID_RESPONSE_FIELD_FOLDING},
-    /* line is now: htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Request server port=%d number differs from the actual TCP port=%d", port, connp->conn->server_port);
-     * luckily, "Request server port=" is unique */
-/*    { "Request server port number differs from the actual TCP port", HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH}, */
-    { "Request server port=", HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH},
-    { "Request line: URI contains non-compliant delimiter", HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT},
-    { "Request line: non-compliant delimiter between Method and URI", HTTP_DECODER_EVENT_METHOD_DELIM_NON_COMPLIANT},
-    { "Request line: leading whitespace", HTTP_DECODER_EVENT_REQUEST_LINE_LEADING_WHITESPACE},
-    { "Too many response content encoding layers", HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS},
-    { "C-E gzip has abnormal value", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
-    { "C-E deflate has abnormal value", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
-    { "C-E unknown setting", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
-    { "Excessive request header repetitions", HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION},
-    { "Excessive response header repetitions", HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION},
-    { "Transfer-encoding has abnormal chunked value", HTTP_DECODER_EVENT_RESPONSE_ABNORMAL_TRANSFER_ENCODING},
-    { "Chunked transfer-encoding on HTTP/0.9 or HTTP/1.0", HTTP_DECODER_EVENT_RESPONSE_CHUNKED_OLD_PROTO},
-    { "Invalid response line: invalid protocol", HTTP_DECODER_EVENT_RESPONSE_INVALID_PROTOCOL},
-    { "Invalid response line: invalid response status", HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS},
-    { "Request line incomplete", HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE},
-    { "Unexpected request body", HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED},
-    { "LZMA decompressor: memory limit reached", HTTP_DECODER_EVENT_LZMA_MEMLIMIT_REACHED},
-    { "Ambiguous request C-L value", HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST},
-    { "Ambiguous response C-L value", HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE},
+    { "GZip decompressor:", HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED },
+    { "Request field invalid", HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID },
+    { "Response field invalid", HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID },
+    { "Request header name is not a token", HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID },
+    { "Response header name is not a token", HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID },
+    /*  { "Host information in request headers required by HTTP/1.1",
+       HTTP_DECODER_EVENT_MISSING_HOST_HEADER}, <- tx flag HTP_HOST_MISSING { "Host information
+       ambiguous", HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS}, <- tx flag HTP_HOST_AMBIGUOUS */
+    { "Invalid request field folding", HTTP_DECODER_EVENT_INVALID_REQUEST_FIELD_FOLDING },
+    { "Invalid response field folding", HTTP_DECODER_EVENT_INVALID_RESPONSE_FIELD_FOLDING },
+    /* line is now: htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Request server port=%d number
+     * differs from the actual TCP port=%d", port, connp->conn->server_port); luckily, "Request
+     * server port=" is unique */
+    /*    { "Request server port number differs from the actual TCP port",
+       HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH}, */
+    { "Request server port=", HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH },
+    { "Request line: URI contains non-compliant delimiter",
+            HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT },
+    { "Request line: non-compliant delimiter between Method and URI",
+            HTTP_DECODER_EVENT_METHOD_DELIM_NON_COMPLIANT },
+    { "Request line: leading whitespace", HTTP_DECODER_EVENT_REQUEST_LINE_LEADING_WHITESPACE },
+    { "Too many response content encoding layers", HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS },
+    { "C-E gzip has abnormal value", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER },
+    { "C-E deflate has abnormal value", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER },
+    { "C-E unknown setting", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER },
+    { "Excessive request header repetitions", HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION },
+    { "Excessive response header repetitions", HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION },
+    { "Transfer-encoding has abnormal chunked value",
+            HTTP_DECODER_EVENT_RESPONSE_ABNORMAL_TRANSFER_ENCODING },
+    { "Chunked transfer-encoding on HTTP/0.9 or HTTP/1.0",
+            HTTP_DECODER_EVENT_RESPONSE_CHUNKED_OLD_PROTO },
+    { "Invalid response line: invalid protocol", HTTP_DECODER_EVENT_RESPONSE_INVALID_PROTOCOL },
+    { "Invalid response line: invalid response status",
+            HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS },
+    { "Request line incomplete", HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE },
+    { "Unexpected request body", HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED },
+    { "LZMA decompressor: memory limit reached", HTTP_DECODER_EVENT_LZMA_MEMLIMIT_REACHED },
+    { "Ambiguous request C-L value", HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST },
+    { "Ambiguous response C-L value",
+            HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE },
+    { "Request chunk extension", HTTP_DECODER_EVENT_REQUEST_CHUNK_EXTENSION },
 };
 
 #define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
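Review bot: The new `{ "Request chunk extension", HTTP_DECODER_EVENT_REQUEST_CHUNK_EXTENSION }` entry at the end of `htp_warnings[]` ties the event to the exact wording of a libhtp log message, and nothing in this hunk records which libhtp version or call site emits that text; judging by the existing "luckily, "Request server port=" is unique" comment the table appears to be matched by message prefix, so a later libhtp rewording would silently stop the event from ever firing. I would add a comment above the entry such as `/* emitted by libhtp when a chunk-size line carries a chunk-extension (RFC 2616 3.6.1); text must match libhtp <VERSION-PLACEHOLDER> */` and back it with a unit test that feeds a chunked request whose size line carries an extension (a constructed example: `5;name=value`) and asserts the event is raised, so a mismatch is caught at test time rather than in production. The rest of the hunk is a clang-format reflow that changes no strings, which is fine. The anonymous struct this array belongs to is declared before the hunk starts.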
index 5adda7343ecc67a5c0e49e813b398babaf67ce05..c8c3a7f7b9873d68800a8428abd2838fc15ed262 100644 (file)
@@ -127,6 +127,7 @@ enum {
     HTTP_DECODER_EVENT_COMPRESSION_BOMB,
 
     HTTP_DECODER_EVENT_RANGE_INVALID,
+    HTTP_DECODER_EVENT_REQUEST_CHUNK_EXTENSION,
 
     /* suricata errors/warnings */
     HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,
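Review bot: Inserting `HTTP_DECODER_EVENT_REQUEST_CHUNK_EXTENSION` in the middle of the enum renumbers every constant that follows it, starting with `HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR`. Events are presumably resolved by name through the `SCEnumCharMap` table in app-layer-htp.c, in which case this is harmless internally, but if any consumer persists or compares the numeric values (external tooling, stored test expectations) they will shift; confirming that, or appending new events at the tail of the enum, would remove the doubt. The `htp_warnings[].de` field that stores these values is a `uint8_t`, so the enum must also stay below 256 entries; a short comment at the top of the enum stating both constraints, e.g. `/* values are not stable across versions and must fit in uint8_t (htp_warnings.de) */`, would make that explicit for the next addition. The enum begins before this hunk.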