Pull request #4401: http_inspect: add peg counts for gzip, known-not-supported, and...
authorJaime Andres Castillo Leon -X (jaimeaca - SOFTSERVE INC at Cisco) <jaimeaca@cisco.com>
Tue, 30 Jul 2024 15:30:11 +0000 (15:30 +0000)
committerMaya Dagon (mdagon) <mdagon@cisco.com>
Tue, 30 Jul 2024 15:30:11 +0000 (15:30 +0000)
Merge in SNORT/snort3 from ~JAIMEACA/snort3:US-750344-compression_pegs to master

Squashed commit of the following:

commit a02f4c8ea7dca6fca4fcc1495a0dc4bfdf642406
Author: Jaime Andres Castillo Leon -X (jaimeaca - SOFTSERVE INC at Cisco) <jaimeaca@cisco.com>
Date:   Mon Jul 29 10:30:20 2024 -0400

    http_inspect: add peg counts for gzip, known-not-supported, and unknown

src/service_inspectors/http_inspect/http_enum.h
src/service_inspectors/http_inspect/http_msg_header.cc
src/service_inspectors/http_inspect/http_tables.cc

index b9d3d85da10d45decec0b1036b6ef41298e5b366..4c5be4a888b759b4dad9688524cce179c71e8d1c 100755 (executable)
@@ -68,7 +68,8 @@ enum PEG_COUNT { PEG_FLOW = 0, PEG_SCAN, PEG_REASSEMBLE, PEG_INSPECT, PEG_REQUES
     PEG_CONCURRENT_SESSIONS, PEG_MAX_CONCURRENT_SESSIONS, PEG_SCRIPT_DETECTION,
     PEG_PARTIAL_INSPECT, PEG_EXCESS_PARAMS, PEG_PARAMS, PEG_CUTOVERS, PEG_SSL_SEARCH_ABND_EARLY,
     PEG_PIPELINED_FLOWS, PEG_PIPELINED_REQUESTS, PEG_TOTAL_BYTES, PEG_JS_INLINE, PEG_JS_EXTERNAL,
-    PEG_JS_PDF, PEG_SKIP_MIME_ATTACH, PEG_COUNT_MAX };
+    PEG_JS_PDF, PEG_SKIP_MIME_ATTACH, PEG_COMPRESSED_GZIP, PEG_COMPRESSED_NOT_SUPPORTED,
+    PEG_COMPRESSED_UNKNOWN, PEG_COUNT_MAX};
 
 // Result of scanning by splitter
 enum ScanResult { SCAN_NOT_FOUND, SCAN_NOT_FOUND_ACCELERATE, SCAN_FOUND, SCAN_FOUND_PIECE,
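Review bot: Nothing visible in this hunk ties the position of the three new enumerators to the rows added to `HttpModule::peg_names` in http_tables.cc, which appears to be indexed by these values. Because that array is declared with a fixed size of `PEG_COUNT_MAX+1`, a missing or misordered row would still compile and would only show up as mislabelled counters. If no such reminder already exists above the enum (its start is outside the hunk), add `// Order must match HttpModule::peg_names in http_tables.cc` before `enum PEG_COUNT`. The closing `PEG_COUNT_MAX};` also drops the space that the old `PEG_COUNT_MAX };` had.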
index 40e0028c9abac064da1cde03987baddff3fa169c..648a8b355d5714ea29027cba427cc0d531f3e01d 100755 (executable)
@@ -609,6 +609,7 @@ void HttpMsgHeader::setup_encoding_decompression()
         {
         case CONTENTCODE_GZIP:
         case CONTENTCODE_X_GZIP:
+            HttpModule::increment_peg_counts(PEG_COMPRESSED_GZIP);
             compression = CMP_GZIP;
             break;
         case CONTENTCODE_DEFLATE:
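Review bot: The `CONTENTCODE_DEFLATE` case that follows the gzip cases gets no counter in this hunk, so the new pegs cannot show what share of compressed traffic was decompressed and what share was left opaque. The commit title lists only gzip, not-supported and unknown, so this may be deliberate; if it is, a comment such as `// deflate is intentionally not counted` on that case would save the next reader the question. Otherwise a matching peg for deflate, added in http_enum.h and http_tables.cc together, would complete the picture. The body of the deflate case and the enclosing switch lie outside the hunk.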
@@ -622,11 +623,13 @@ void HttpMsgHeader::setup_encoding_decompression()
             break;
         case CONTENTCODE__OTHER:
             // The ones we never heard of
+            HttpModule::increment_peg_counts(PEG_COMPRESSED_UNKNOWN);
             add_infraction(INF_UNKNOWN_ENCODING);
             create_event(EVENT_UNKNOWN_ENCODING);
             break;
         default:
             // The ones we know by name but don't support
+            HttpModule::increment_peg_counts(PEG_COMPRESSED_NOT_SUPPORTED);
             add_infraction(INF_UNSUPPORTED_ENCODING);
             create_event(EVENT_UNSUPPORTED_ENCODING);
             break;
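Review bot: Both increments here, like the gzip one in the previous hunk, sit in a `switch` branch that is reached when a coding is read from the headers, while the help text added in http_tables.cc describes them as counts of HTTP bodies. The loop around the switch is outside the hunk, but if it runs once per listed coding, a message that names several codings, or one that carries no body, would be counted differently from what the description promises. Either word the help text as a count of codings seen, or document the granularity at the first increment with `// counts codings seen in the header, not message bodies`.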
index f49a83955fc8d418b5dcea628326b4fd707f6bb3..5cc31714d98ff9e1edc730ce20b7e83412f74f61 100755 (executable)
@@ -389,6 +389,9 @@ const PegInfo HttpModule::peg_names[PEG_COUNT_MAX+1] =
     { CountType::SUM, "js_external_scripts", "total number of external JavaScripts processed" },
     { CountType::SUM, "js_pdf_scripts", "total number of PDF files processed" },
     { CountType::SUM, "skip_mime_attach", "total number of HTTP requests with too many MIME attachments to inspect" },
+    { CountType::SUM, "compressed_gzip", "total number of HTTP bodies compressed with GZIP" },
+    { CountType::SUM, "compressed_not_supported", "total number of HTTP bodies compressed with known but not supported methods" },
+    { CountType::SUM, "compressed_unknown", "total number of HTTP bodies compressed with unknown methods" },
     { CountType::END, nullptr, nullptr }
 };
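Review bot: The help strings for `compressed_not_supported` and `compressed_unknown` do not say that these bodies are passed on without decompression, which is the reason an operator would watch the two counters. In http_msg_header.cc the matching branches raise an infraction and an event and assign no `compression` value in the visible lines, so the text can state it, for example `"total number of HTTP bodies with a known but unsupported content coding (not decompressed)"`, with the same suffix on the unknown row. Whether a later step outside these hunks still decodes such a body is not visible here and should be confirmed before changing the wording.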