From: Tom Peters (thopeter)
Date: Tue, 24 Aug 2021 18:01:50 +0000 (+0000)
Subject: Merge pull request #3026 in SNORT/snort3 from ~KATHARVE/snort3:perf_builtin to master
X-Git-Tag: 3.1.11.0~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1a05cc89c8f003f4f27ec993664ff4f2107add77;p=thirdparty%2Fsnort3.git
Merge pull request #3026 in SNORT/snort3 from ~KATHARVE/snort3:perf_builtin to master
Squashed commit of the following:
commit e50bf65a7c4c0ad53abe230fec94e7f053afb9d9
Author: Katura Harvey
Date: Fri Aug 13 12:18:53 2021 -0400
http_inspect: add builtin rule for consecutive commas in accept-encoding header
---
diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h
index f1c5ff03d..5599b6152 100755
--- a/src/service_inspectors/http_inspect/http_enum.h
+++ b/src/service_inspectors/http_inspect/http_enum.h
@@ -275,6 +275,7 @@ enum Infraction
 INF_JS_TMPL_NEST_OVFLOW,
 INF_CHUNK_OVER_MAXIMUM,
 INF_LONG_HOST_VALUE,
+ INF_ACCEPT_ENCODING_CONSECUTIVE_COMMAS,
 INF__MAX_VALUE
 };
@@ -405,6 +406,7 @@ enum EventSid
 EVENT_JS_SHORTENED_TAG = 269,
 EVENT_JS_IDENTIFIER_OVERFLOW = 270,
 EVENT_JS_TMPL_NEST_OVFLOW = 271,
+ EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS = 272,
 EVENT__MAX_VALUE
 };
diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc
index 4a808e0bb..58100ecf0 100755
--- a/src/service_inspectors/http_inspect/http_msg_header.cc
+++ b/src/service_inspectors/http_inspect/http_msg_header.cc
@@ -198,6 +198,14 @@ void HttpMsgHeader::gen_events()
 } while (consumed != -1);
 }
+
+ // Check for an empty value in Accept-Encoding (two consecutive commas)
+ if (has_consecutive_commas(get_header_value_norm(HEAD_ACCEPT_ENCODING)))
+ {
+ add_infraction(INF_ACCEPT_ENCODING_CONSECUTIVE_COMMAS);
+ create_event(EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS);
+ }
+
 }
 void HttpMsgHeader::update_flow()
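Review bot: The comment on the added block in gen_events(), `// Check for an empty value in Accept-Encoding (two consecutive commas)`, promises more than `has_consecutive_commas` delivers: a leading or trailing comma (`,gzip` or `gzip,`) is also an empty list element but is not flagged, and whether `, ,` is caught depends on which normalizer `get_header_value_norm` applies to HEAD_ACCEPT_ENCODING, which this hunk does not show. Either narrow the comment to what is actually checked, e.g. `// Flag an Accept-Encoding value containing an empty element between two commas (",,")`, or extend the helper to the leading/trailing cases and say so. It would also help to state in the comment what happens when the header is absent — presumably the Field carries a non-positive length and the helper returns false, but that contract is not written down here. gen_events() begins before this hunk.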
diff --git a/src/service_inspectors/http_inspect/http_normalizers.cc b/src/service_inspectors/http_inspect/http_normalizers.cc
index cb19e9c64..8d10a577b 100644
--- a/src/service_inspectors/http_inspect/http_normalizers.cc
+++ b/src/service_inspectors/http_inspect/http_normalizers.cc
@@ -104,3 +104,13 @@ void get_last_token(const Field& input, Field& last_token, char ichar)
 last_start++;
 last_token.set(input.length() - (last_start - input.start()), last_start);
 }
+
+bool has_consecutive_commas(const Field& input)
+{
+ for (int32_t k = 0; k + 1 < input.length(); k++)
+ {
+ if ((input.start()[k] == ',') && (input.start()[k+1] == ','))
+ return true;
+ }
+ return false;
+}
diff --git a/src/service_inspectors/http_inspect/http_normalizers.h b/src/service_inspectors/http_inspect/http_normalizers.h
index 5f8071d05..2c13f6499 100644
--- a/src/service_inspectors/http_inspect/http_normalizers.h
+++ b/src/service_inspectors/http_inspect/http_normalizers.h
@@ -38,6 +38,7 @@ NormFunc norm_remove_quotes_lws;
 // Other normalization-related utilities
 void get_last_token(const Field& input, Field& last_token, char ichar);
 int64_t norm_decimal_integer(const Field& input);
+bool has_consecutive_commas(const Field& input);
 #endif
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc
index 2107baaf5..cc7e28d8b 100755
--- a/src/service_inspectors/http_inspect/http_tables.cc
+++ b/src/service_inspectors/http_inspect/http_tables.cc
@@ -315,6 +315,8 @@ const RuleMap HttpModule::http_events[] =
 { EVENT_JS_SHORTENED_TAG, "script opening tag in a short form" },
 { EVENT_JS_IDENTIFIER_OVERFLOW, "max number of unique JavaScript identifiers reached" },
 { EVENT_JS_TMPL_NEST_OVFLOW, "JavaScript template literal nesting is over capacity" },
+ { EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS, "Consecutive commas in HTTP Accept-Encoding "
+ "header" },
 { 0, nullptr }
 };
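Review bot: `has_consecutive_commas` in http_normalizers.cc has no header comment, and its safety on an absent or empty field rests on an unstated property: the guard `k + 1 < input.length()` is what keeps `input.start()` from being dereferenced when `length()` is zero or a negative status value, but nothing in the hunk records that this is intended. Suggest a comment above the definition such as `// True when the field contains ",," anywhere. A non-positive length (empty or absent field) yields false without reading start().`, and a matching one-line comment on the new declaration in http_normalizers.h, where the neighbouring utilities also go undocumented. Minor style: the loop condition writes `k + 1` while the comparison line writes `k+1`; one spacing should be used.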
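Review bot: The new rule message in http_tables.cc, `"Consecutive commas in HTTP Accept-Encoding header"`, opens with a capital letter while the entries visible around it start lowercase (`"script opening tag in a short form"`, `"max number of unique JavaScript identifiers reached"`); unless the rest of the table capitalizes messages, `"consecutive commas in HTTP Accept-Encoding header"` reads more consistently. If the project also maintains a separate builtin-rule listing or documentation keyed by SID, the new SID 272 introduced in http_enum.h would need an entry there as well, which this diff does not show.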