alert http2 any any -> any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; app-layer-event:http2.authority_host_mismatch; classtype:protocol-command-decode; sid:2290013; rev:1;)
alert http2 any any -> any any (msg:"SURICATA HTTP2 user info in uri"; flow:established,to_server; app-layer-event:http2.userinfo_in_uri; classtype:protocol-command-decode; sid:2290014; rev:1;)
alert http2 any any -> any any (msg:"SURICATA HTTP2 reassembly limit reached"; flow:established; app-layer-event:http2.reassembly_limit_reached; classtype:protocol-command-decode; sid:2290015; rev:1;)
+alert http2 any any -> any any (msg:"SURICATA HTTP2 dns request too long"; flow:established,to_server; app-layer-event:http2.dns_request_too_long; classtype:protocol-command-decode; sid:2290016; rev:1;)
+alert http2 any any -> any any (msg:"SURICATA HTTP2 dns response too long"; flow:established,to_client; app-layer-event:http2.dns_response_too_long; classtype:protocol-command-decode; sid:2290017; rev:1;)
if unsafe { ALPROTO_DOH2 } != ALPROTO_UNKNOWN {
// we store DNS response, and process it when complete
if let Some(doh) = &mut self.doh {
- if doh.is_doh_data[dir.index()] && doh.data_buf[dir.index()].len() < 0xFFFF {
- // a DNS message is U16_MAX
- doh.data_buf[dir.index()].extend_from_slice(decompressed);
+ if doh.is_doh_data[dir.index()] {
+ if doh.data_buf[dir.index()].len() + decompressed.len() <= 0xFFFF {
+ // a DNS message is U16_MAX
+ doh.data_buf[dir.index()].extend_from_slice(decompressed);
+ } else {
+ // stop processing further data
+ doh.is_doh_data[dir.index()] = false;
+ if dir == Direction::ToClient {
+ self.set_event(HTTP2Event::DnsResponseTooLong);
+ } else {
+ self.set_event(HTTP2Event::DnsRequestTooLong);
+ }
+ }
}
}
}
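Review bot: In the new else branch the bytes already accumulated in `doh.data_buf[dir.index()]` (up to 0xFFFF of them) are left in place after `is_doh_data` is cleared, so an abandoned message keeps its buffer alive for the rest of the stream even though it can no longer be completed; unless that buffer is drained somewhere outside this hunk, add `doh.data_buf[dir.index()].clear();` next to the flag reset. Rejecting the whole chunk rather than truncating it is the right call, since a truncated DNS message would not parse anyway, and a short comment saying so would help the next reader, e.g. `// drop the whole message: a truncated DNS payload is useless and would only mask the overflow`. The `0xFFFF` bound would also read better as a named constant such as `const DNS_MSG_MAX_LEN: usize = 0xFFFF;` shared by the check and the comment. The enclosing function starts and ends outside this hunk.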
AuthorityHostMismatch,
UserinfoInUri,
ReassemblyLimitReached,
+ DnsRequestTooLong,
+ DnsResponseTooLong,
}
pub struct HTTP2DynTable {
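Review bot: The two new variants carry no doc comment, unlike their meaning which is only discoverable from the buffering code that sets them; add `/// Buffered DNS-over-HTTP/2 request would exceed the 16-bit DNS message length (0xFFFF); further data for the stream is ignored.` above `DnsRequestTooLong` and the matching response wording above `DnsResponseTooLong`. The rule file references these as `http2.dns_request_too_long` / `http2.dns_response_too_long`; if the event-name mapping for this enum is derived from the variant names that is consistent, otherwise the string table that maps names to variants needs the same two entries. The enum header is outside this hunk.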