From: Philippe Antoine
Date: Tue, 14 May 2019 07:33:29 +0000 (+0200)
Subject: http: adds events for each libhtp log
X-Git-Tag: suricata-5.0.0-rc1~479
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3e120668194ca7c139688754d1776eb0b2a198e0;p=thirdparty%2Fsuricata.git
http: adds events for each libhtp log
Fixes #997
---
diff --git a/rules/http-events.rules b/rules/http-events.rules
index c3ce564634..165979f026 100644
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@@ -57,5 +57,17 @@ alert http any any -> any any (msg:"SURICATA HTTP Request unrecognized authoriza
 alert http any any -> any any (msg:"SURICATA HTTP Request excessive header repetition"; flow:established,to_server; app-layer-event:http.request_header_repetition; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221035; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP Response excessive header repetition"; flow:established,to_client; app-layer-event:http.response_header_repetition; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221036; rev:1;)
-# next sid 2221037
+# This is a suricata limitation rather than anomaly traffic
+# alert http any any -> any any (msg:"SURICATA HTTP Response multipart/byteranges"; flow:established,to_client; app-layer-event:http.response_multipart_byteranges; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221037; rev:1;)
+
+alert http any any -> any any (msg:"SURICATA HTTP Response abnormal chunked for transfer-encoding"; flow:established,to_client; app-layer-event:http.response_abnormal_transfer_encoding; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221038; rev:1;)
+
+alert http any any -> any any (msg:"SURICATA HTTP Response chunked with HTTP 0.9 or 1.0"; flow:established,to_client; app-layer-event:http.response_chunked_old_proto; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221039; rev:1;)
+
+alert http any any -> any any (msg:"SURICATA HTTP Response invalid protocol"; flow:established,to_client; app-layer-event:http.response_invalid_protocol; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221040; rev:1;)
+alert http any any -> any any (msg:"SURICATA HTTP Response invalid status"; flow:established,to_client; app-layer-event:http.response_invalid_status; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221041; rev:1;)
+
+alert http any any -> any any (msg:"SURICATA HTTP Request line incomplete"; flow:established,to_server; app-layer-event:http.request_line_incomplete; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221042; rev:1;)
+
+# next sid 2221043
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index 67138bb406..6caca69cb1 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -160,6 +160,18 @@ SCEnumCharMap http_decoder_event_table[ ] = {
 HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS},
 { "ABNORMAL_CE_HEADER",
 HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
+ { "RESPONSE_MULTIPART_BYTERANGES",
+ HTTP_DECODER_EVENT_RESPONSE_MULTIPART_BYTERANGES},
+ { "RESPONSE_ABNORMAL_TRANSFER_ENCODING",
+ HTTP_DECODER_EVENT_RESPONSE_ABNORMAL_TRANSFER_ENCODING},
+ { "RESPONSE_CHUNKED_OLD_PROTO",
+ HTTP_DECODER_EVENT_RESPONSE_CHUNKED_OLD_PROTO},
+ { "RESPONSE_INVALID_PROTOCOL",
+ HTTP_DECODER_EVENT_RESPONSE_INVALID_PROTOCOL},
+ { "RESPONSE_INVALID_STATUS",
+ HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS},
+ { "REQUEST_LINE_INCOMPLETE",
+ HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE},
 /* suricata warnings/errors */
 { "MULTIPART_GENERIC_ERROR",
@@ -491,6 +503,7 @@ struct {
 /* { "Invalid authority port", HTTP_DECODER_EVENT_INVALID_AUTHORITY_PORT}, htp no longer returns this error */
 { "Request buffer over", HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG},
 { "Response buffer over", HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG},
+ { "C-T multipart/byteranges in responses not supported", HTTP_DECODER_EVENT_RESPONSE_MULTIPART_BYTERANGES},
 };
 struct {
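Review bot: The commented-out sid 2221037 rule still carries `flowint:http.anomaly.count,+,1`, even though the comment right above it says the condition is a Suricata limitation rather than anomalous traffic; anyone who uncomments it later will count a parser gap as an anomaly. Either drop the flowint from that line or extend the comment so the trade-off is explicit, e.g. `# Event is still raised as http.response_multipart_byteranges; enable this only to be told when a response body could not be parsed`. The blank-line grouping of sids 2221038–2221042 is also uneven (2221040 and 2221041 sit together, the rest are separated by blank lines); one layout throughout would read better.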
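Review bot: The new key `"C-T multipart/byteranges in responses not supported"` in the htp_errors table, like the five keys added at the -519 hunk, is libhtp's log message text copied verbatim, so the event is raised only while libhtp emits exactly that wording at that log level; a reword or an error/warning reclassification upstream silently disables the event with no compile-time or runtime signal. Suggest a comment above the table, `/* keys are libhtp log message texts and must track the libhtp version in use; an upstream reword silently drops the mapped event */`, plus a unit test that feeds a response producing each new message and asserts the mapped event is set on the transaction. The struct declarations these entries belong to start outside the hunk.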
@@ -519,6 +532,11 @@ struct {
 { "C-E unknown setting", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
 { "Excessive request header repetitions", HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION},
 { "Excessive response header repetitions", HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION},
+ { "Transfer-encoding has abnormal chunked value", HTTP_DECODER_EVENT_RESPONSE_ABNORMAL_TRANSFER_ENCODING},
+ { "Chunked transfer-encoding on HTTP/0.9 or HTTP/1.0", HTTP_DECODER_EVENT_RESPONSE_CHUNKED_OLD_PROTO},
+ { "Invalid response line: invalid protocol", HTTP_DECODER_EVENT_RESPONSE_INVALID_PROTOCOL},
+ { "Invalid response line: invalid response status", HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS},
+ { "Request line incomplete", HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE},
 };
 #define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
diff --git a/src/app-layer-htp.h b/src/app-layer-htp.h
index cf78a96224..c5e798103e 100644
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@@ -109,6 +109,12 @@ enum {
 HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED,
 HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION,
 HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION,
+ HTTP_DECODER_EVENT_RESPONSE_MULTIPART_BYTERANGES,
+ HTTP_DECODER_EVENT_RESPONSE_ABNORMAL_TRANSFER_ENCODING,
+ HTTP_DECODER_EVENT_RESPONSE_CHUNKED_OLD_PROTO,
+ HTTP_DECODER_EVENT_RESPONSE_INVALID_PROTOCOL,
+ HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS,
+ HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE,
 /* suricata errors/warnings */
 HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,
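Review bot: The keys `"Transfer-encoding has abnormal chunked value"` and `"Chunked transfer-encoding on HTTP/0.9 or HTTP/1.0"` are mapped to RESPONSE_* events and the matching rules in http-events.rules are `to_client` only, yet neither message text names a direction; if libhtp logs the same wording while parsing a request, that occurrence would be tagged as a response event on a to_server flow and the new rules would never match it. Worth confirming against the libhtp source, and if both sides can emit it, either consult the transaction direction before mapping or add REQUEST_* counterparts with to_server rules. The `"Invalid response line: ..."` and `"Request line incomplete"` keys carry their direction in the text and do not have this ambiguity. The table these entries extend starts outside the hunk.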