Merge in SNORT/snort3 from ~OSERHIIE/snort3:js_revert_alerts to master
Squashed commit of the following:
commit
775c6d1df3daf505c2ea338af2942d607661665b
Author: Oleksandr Serhiienko <oserhiie@cisco.com>
Date: Wed Mar 23 23:09:13 2022 +0200
http_inspect: delete alerts 119:279 and 119:280
* http_inspect: delete 119:279 and 119:280 alerts, use 119:109 and 119:111 instead
* doc: update builtin_stubs
119:109
More than one level of JavaScript obfuscation. This alert can only be generated when
-normalize_javascript configuration option is true.
+normalize_javascript configuration option is true or enhanced JavaScript normalizer is enabled.
119:110
119:111
More than one encoding within JavaScript obfuscated data. This alert can only be generated when
-normalize_javascript configuration option is true.
+normalize_javascript configuration option is true or enhanced JavaScript normalizer is enabled.
119:112
The HTTP message body is gzip encoded and the FEXTRA flag is set in the gzip header.
-119:279
-
-Detected nesting of unescape functions(unescape, decodeURI, decodeURIComponent) in JavaScript code.
-Indicates that this code most likely has more than one level of obfuscation. This alert is raised
-by the enhanced JavaScript normalizer.
-
-119:280
-
-Detected more than one encoding within unescape function call arguments in JavaScript code.
-This alert is raised by the enhanced JavaScript normalizer.
-
121:1
Invalid flag set on HTTP/2 frame header
INF_INVALID_SUBVERSION = 133,
INF_VERSION_0 = 134,
INF_GZIP_FEXTRA = 135,
- INF_JS_UNESCAPE_NEST = 136,
- INF_JS_MULTIPLE_ENC = 137,
INF__MAX_VALUE
};
EVENT_VERSION_0 = 276,
EVENT_VERSION_HIGHER_THAN_1 = 277,
EVENT_GZIP_FEXTRA = 278,
- EVENT_JS_UNESCAPE_NEST = 279,
- EVENT_JS_MULTIPLE_ENC = 280,
EVENT__MAX_VALUE
};
if (js_ctx.is_unescape_nesting_seen())
{
- *infractions += INF_JS_UNESCAPE_NEST;
- events->create_event(EVENT_JS_UNESCAPE_NEST);
+ *infractions += INF_JS_OBFUSCATION_EXCD;
+ events->create_event(EVENT_JS_OBFUSCATION_EXCD);
}
if (js_ctx.is_mixed_encoding_seen())
{
- *infractions += INF_JS_MULTIPLE_ENC;
- events->create_event(EVENT_JS_MULTIPLE_ENC);
+ *infractions += INF_MIXED_ENCODINGS;
+ events->create_event(EVENT_MIXED_ENCODINGS);
}
if (ssn->js_built_in_event)
}
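Review bot: The mapping from the `js_ctx` findings to infractions and events (the two `if` blocks ending on the `}` before `if (ssn->js_built_in_event)`) is repeated verbatim in the next hunk, apparently in a second function of the same file; a small static helper taking `js_ctx`, `infractions` and `events` would keep the two call sites in step, which matters here because this commit has just changed which SIDs both of them raise. Nothing at either site says why the enhanced normalizer now reports through the legacy normalizer's SIDs, so an alert consumer can no longer tell from 119:109 / 119:111 alone which normalizer produced the hit (the builtin_stubs update confirms both can); a comment such as `// Enhanced-normalizer findings are reported under the legacy SIDs 119:109 / 119:111; 119:279 and 119:280 are retired` at the first site would make that intent explicit. If the retired SIDs are referenced by deployed rules or alert filters those will go silent rather than fail, which presumably belongs in the release notes rather than here. The enclosing function starts and ends outside this hunk, and the same applies to the next one.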
if (js_ctx.is_unescape_nesting_seen())
{
- *infractions += INF_JS_UNESCAPE_NEST;
- events->create_event(EVENT_JS_UNESCAPE_NEST);
+ *infractions += INF_JS_OBFUSCATION_EXCD;
+ events->create_event(EVENT_JS_OBFUSCATION_EXCD);
}
if (js_ctx.is_mixed_encoding_seen())
{
- *infractions += INF_JS_MULTIPLE_ENC;
- events->create_event(EVENT_JS_MULTIPLE_ENC);
+ *infractions += INF_MIXED_ENCODINGS;
+ events->create_event(EVENT_MIXED_ENCODINGS);
}
script_continue = ret == JSTokenizer::SCRIPT_CONTINUE;
{ EVENT_VERSION_0, "HTTP version in start line is 0" },
{ EVENT_VERSION_HIGHER_THAN_1, "HTTP version in start line is higher than 1" },
{ EVENT_GZIP_FEXTRA, "HTTP gzip body with the FEXTRA flag set" },
- { EVENT_JS_UNESCAPE_NEST, "nested unescape functions in JavaScript code" },
- { EVENT_JS_MULTIPLE_ENC, "mixing of escape formats in JavaScript code" },
{ 0, nullptr }
};