From: Mike Stepanek (mstepane)
Date: Thu, 4 Feb 2021 19:24:28 +0000 (+0000)
Subject: Merge pull request #2732 in SNORT/snort3 from ~THOPETER/snort3:nhttp153 to master
X-Git-Tag: 3.1.2.0~49
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=525e0ac3a404e6d76af2e7c4ded8fb424798fe01;p=thirdparty%2Fsnort3.git
Merge pull request #2732 in SNORT/snort3 from ~THOPETER/snort3:nhttp153 to master
Squashed commit of the following:
commit 3f388128feedc0ece93e4312f48feafb69a1cb4d
Author: Tom Peters
Date: Fri Jan 29 17:11:40 2021 -0500
 http_inspect: remove unused events
---
diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h
index da5a35830..f67531bcd 100755
--- a/src/service_inspectors/http_inspect/http_enum.h
+++ b/src/service_inspectors/http_inspect/http_enum.h
@@ -247,6 +247,7 @@ enum Infraction
 INF_TRUNCATED_MSG_BODY_CL,
 INF_TRUNCATED_MSG_BODY_CHUNK,
 INF_LONG_SCHEME,
+ INF_MULTIPLE_HOST_HDRS,
 INF__MAX_VALUE
 };
@@ -264,120 +265,120 @@ enum EventSid
 {
 EVENT__NONE = -1,
 EVENT_ASCII = 1,
- EVENT_DOUBLE_DECODE,
- EVENT_U_ENCODE,
- EVENT_BARE_BYTE,
- EVENT_OBSOLETE_BASE_36, // Previously used, do not reuse this number
- EVENT_UTF_8,
- EVENT_CODE_POINT_IN_URI,
- EVENT_MULTI_SLASH,
- EVENT_BACKSLASH_IN_URI,
- EVENT_SELF_DIR_TRAV, // 10
- EVENT_DIR_TRAV,
- EVENT_APACHE_WS,
- EVENT_LF_WITHOUT_CR,
- EVENT_NON_RFC_CHAR,
- EVENT_OVERSIZE_DIR,
- EVENT_LARGE_CHUNK,
- EVENT_PROXY_USE,
- EVENT_WEBROOT_DIR,
- EVENT_LONG_HDR,
- EVENT_MAX_HEADERS, // 20
- EVENT_MULTIPLE_CONTLEN,
- EVENT_OBSOLETE_CHUNK_SIZE_MISMATCH, // Previously used, do not reuse this number
- EVENT_INVALID_TRUEIP,
- EVENT_MULTIPLE_HOST_HDRS,
- EVENT_LONG_HOSTNAME,
- EVENT_EXCEEDS_SPACES,
- EVENT_CONSECUTIVE_SMALL_CHUNKS,
- EVENT_UNBOUNDED_POST,
- EVENT_MULTIPLE_TRUEIP_IN_SESSION,
- EVENT_BOTH_TRUEIP_XFF_HDRS, // 30
- EVENT_UNKNOWN_METHOD,
- EVENT_SIMPLE_REQUEST,
- EVENT_UNESCAPED_SPACE_URI,
- EVENT_PIPELINE_MAX,
+ EVENT_DOUBLE_DECODE = 2,
+ EVENT_U_ENCODE = 3,
+ EVENT_BARE_BYTE = 4,
+ // EVENT_OBSOLETE_BASE_36 = 5, // Previously used, do not reuse this number
+ EVENT_UTF_8 = 6,
+ EVENT_CODE_POINT_IN_URI = 7,
+ EVENT_MULTI_SLASH = 8,
+ EVENT_BACKSLASH_IN_URI = 9,
+ EVENT_SELF_DIR_TRAV = 10,
+ EVENT_DIR_TRAV = 11,
+ EVENT_APACHE_WS = 12,
+ EVENT_LF_WITHOUT_CR = 13,
+ EVENT_NON_RFC_CHAR = 14,
+ EVENT_OVERSIZE_DIR = 15,
+ // EVENT_LARGE_CHUNK = 16,
+ // EVENT_PROXY_USE = 17,
+ EVENT_WEBROOT_DIR = 18,
+ EVENT_LONG_HDR = 19,
+ EVENT_MAX_HEADERS = 20,
+ EVENT_MULTIPLE_CONTLEN = 21,
+ // EVENT_OBSOLETE_CHUNK_SIZE_MISMATCH = 22, // Previously used, do not reuse this number
+ // EVENT_INVALID_TRUEIP = 23,
+ EVENT_MULTIPLE_HOST_HDRS = 24,
+ // EVENT_LONG_HOSTNAME = 25,
+ // EVENT_EXCEEDS_SPACES = 26,
+ // EVENT_CONSECUTIVE_SMALL_CHUNKS = 27,
+ EVENT_UNBOUNDED_POST = 28,
+ // EVENT_MULTIPLE_TRUEIP_IN_SESSION = 29,
+ // EVENT_BOTH_TRUEIP_XFF_HDRS = 30,
+ EVENT_UNKNOWN_METHOD = 31,
+ EVENT_SIMPLE_REQUEST = 32,
+ EVENT_UNESCAPED_SPACE_URI = 33,
+ EVENT_PIPELINE_MAX = 34,
- EVENT_OBSOLETE_ANOM_SERVER = 101, // Previously used, do not reuse this number
- EVENT_INVALID_STATCODE,
- EVENT_UNUSED_1,
- EVENT_UTF_NORM_FAIL,
- EVENT_UTF7,
- EVENT_DECOMPR_FAILED,
- EVENT_CONSECUTIVE_SMALL_CHUNKS_S,
- EVENT_UNUSED_2,
- EVENT_JS_OBFUSCATION_EXCD,
- EVENT_JS_EXCESS_WS, // 110
- EVENT_MIXED_ENCODINGS,
- EVENT_SWF_ZLIB_FAILURE,
- EVENT_SWF_LZMA_FAILURE,
- EVENT_PDF_DEFL_FAILURE,
- EVENT_PDF_UNSUP_COMP_TYPE,
- EVENT_PDF_CASC_COMP,
- EVENT_PDF_PARSE_FAILURE, // 117
+ // EVENT_OBSOLETE_ANOM_SERVER = 101, // Previously used, do not reuse this number
+ EVENT_INVALID_STATCODE = 102,
+ // EVENT_UNUSED_1 = 103,
+ EVENT_UTF_NORM_FAIL = 104,
+ EVENT_UTF7 = 105,
+ // EVENT_DECOMPR_FAILED = 106,
+ // EVENT_CONSECUTIVE_SMALL_CHUNKS_S = 107,
+ // EVENT_UNUSED_2 = 108,
+ EVENT_JS_OBFUSCATION_EXCD = 109,
+ EVENT_JS_EXCESS_WS = 110,
+ EVENT_MIXED_ENCODINGS = 111,
+ EVENT_SWF_ZLIB_FAILURE = 112,
+ EVENT_SWF_LZMA_FAILURE = 113,
+ EVENT_PDF_DEFL_FAILURE = 114,
+ EVENT_PDF_UNSUP_COMP_TYPE = 115,
+ EVENT_PDF_CASC_COMP = 116,
+ EVENT_PDF_PARSE_FAILURE = 117,
 EVENT_LOSS_OF_SYNC = 201,
- EVENT_CHUNK_ZEROS,
- EVENT_WS_BETWEEN_MSGS,
- EVENT_URI_MISSING,
- EVENT_CTRL_IN_REASON,
- EVENT_IMPROPER_WS,
- EVENT_BAD_VERS,
- EVENT_UNKNOWN_VERS,
- EVENT_BAD_HEADER,
- EVENT_CHUNK_OPTIONS, // 210
- EVENT_URI_BAD_FORMAT,
- EVENT_UNKNOWN_PERCENT,
- EVENT_BROKEN_CHUNK,
- EVENT_CHUNK_WHITESPACE,
- EVENT_HEAD_NAME_WHITESPACE,
- EVENT_GZIP_OVERRUN,
- EVENT_GZIP_FAILURE,
- EVENT_ZERO_NINE_CONTINUE,
- EVENT_ZERO_NINE_NOT_FIRST,
- EVENT_BOTH_CL_AND_TE, // 220
- EVENT_BAD_CODE_BODY_HEADER,
- EVENT_BAD_TE_HEADER,
- EVENT_PADDED_TE_HEADER,
- EVENT_MISFORMATTED_HTTP,
- EVENT_UNSUPPORTED_ENCODING,
- EVENT_UNKNOWN_ENCODING,
- EVENT_STACKED_ENCODINGS,
- EVENT_RESPONSE_WO_REQUEST,
- EVENT_FILE_DECOMPR_OVERRUN,
- EVENT_BAD_CHAR_IN_HEADER_NAME, // 230
- EVENT_BAD_CONTENT_LENGTH,
- EVENT_HEADER_WRAPPING,
- EVENT_CR_WITHOUT_LF,
- EVENT_CHUNK_BAD_SEP,
- EVENT_CHUNK_BARE_LF,
- EVENT_MULTIPLE_100_RESPONSES,
- EVENT_UNEXPECTED_100_RESPONSE,
- EVENT_UNKNOWN_1XX_STATUS,
- EVENT_EXPECT_WITHOUT_BODY,
- EVENT_CHUNKED_ONE_POINT_ZERO, // 240
- EVENT_CTE_HEADER,
- EVENT_ILLEGAL_TRAILER,
- EVENT_REPEATED_HEADER,
- EVENT_CONTENT_ENCODING_CHUNKED,
- EVENT_206_WITHOUT_RANGE,
- EVENT_VERSION_NOT_UPPERCASE,
- EVENT_BAD_HEADER_WHITESPACE,
- EVENT_GZIP_EARLY_END,
- EVENT_EXCESS_REPEAT_PARAMS,
- EVENT_H2_NON_IDENTITY_TE, // 250
- EVENT_H2_DATA_OVERRUNS_CL,
- EVENT_H2_DATA_UNDERRUNS_CL,
- EVENT_CONNECT_REQUEST_BODY,
- EVENT_EARLY_C2S_TRAFFIC_AFTER_CONNECT,
- EVENT_200_CONNECT_RESP_WITH_CL,
- EVENT_200_CONNECT_RESP_WITH_TE,
- EVENT_100_CONNECT_RESP,
- EVENT_EARLY_CONNECT_RESPONSE,
- EVENT_MALFORMED_CD_FILENAME,
- EVENT_TRUNCATED_MSG_BODY_CL, // 260
- EVENT_TRUNCATED_MSG_BODY_CHUNK,
- EVENT_LONG_SCHEME, // 262
+ EVENT_CHUNK_ZEROS = 202,
+ EVENT_WS_BETWEEN_MSGS = 203,
+ EVENT_URI_MISSING = 204,
+ EVENT_CTRL_IN_REASON = 205,
+ EVENT_IMPROPER_WS = 206,
+ EVENT_BAD_VERS = 207,
+ EVENT_UNKNOWN_VERS = 208,
+ EVENT_BAD_HEADER = 209,
+ EVENT_CHUNK_OPTIONS = 210,
+ EVENT_URI_BAD_FORMAT = 211,
+ EVENT_UNKNOWN_PERCENT = 212,
+ EVENT_BROKEN_CHUNK = 213,
+ EVENT_CHUNK_WHITESPACE = 214,
+ EVENT_HEAD_NAME_WHITESPACE = 215,
+ EVENT_GZIP_OVERRUN = 216,
+ EVENT_GZIP_FAILURE = 217,
+ EVENT_ZERO_NINE_CONTINUE = 218,
+ EVENT_ZERO_NINE_NOT_FIRST = 219,
+ EVENT_BOTH_CL_AND_TE = 220,
+ EVENT_BAD_CODE_BODY_HEADER = 221,
+ EVENT_BAD_TE_HEADER = 222,
+ EVENT_PADDED_TE_HEADER = 223,
+ EVENT_MISFORMATTED_HTTP = 224,
+ EVENT_UNSUPPORTED_ENCODING = 225,
+ EVENT_UNKNOWN_ENCODING = 226,
+ EVENT_STACKED_ENCODINGS = 227,
+ EVENT_RESPONSE_WO_REQUEST = 228,
+ EVENT_FILE_DECOMPR_OVERRUN = 229,
+ EVENT_BAD_CHAR_IN_HEADER_NAME = 230,
+ EVENT_BAD_CONTENT_LENGTH = 231,
+ EVENT_HEADER_WRAPPING = 232,
+ EVENT_CR_WITHOUT_LF = 233,
+ EVENT_CHUNK_BAD_SEP = 234,
+ EVENT_CHUNK_BARE_LF = 235,
+ EVENT_MULTIPLE_100_RESPONSES = 236,
+ EVENT_UNEXPECTED_100_RESPONSE = 237,
+ EVENT_UNKNOWN_1XX_STATUS = 238,
+ EVENT_EXPECT_WITHOUT_BODY = 239,
+ EVENT_CHUNKED_ONE_POINT_ZERO = 240,
+ EVENT_CTE_HEADER = 241,
+ EVENT_ILLEGAL_TRAILER = 242,
+ EVENT_REPEATED_HEADER = 243,
+ EVENT_CONTENT_ENCODING_CHUNKED = 244,
+ EVENT_206_WITHOUT_RANGE = 245,
+ EVENT_VERSION_NOT_UPPERCASE = 246,
+ EVENT_BAD_HEADER_WHITESPACE = 247,
+ EVENT_GZIP_EARLY_END = 248,
+ EVENT_EXCESS_REPEAT_PARAMS = 249,
+ EVENT_H2_NON_IDENTITY_TE = 250,
+ EVENT_H2_DATA_OVERRUNS_CL = 251,
+ EVENT_H2_DATA_UNDERRUNS_CL = 252,
+ EVENT_CONNECT_REQUEST_BODY = 253,
+ EVENT_EARLY_C2S_TRAFFIC_AFTER_CONNECT = 254,
+ EVENT_200_CONNECT_RESP_WITH_CL = 255,
+ EVENT_200_CONNECT_RESP_WITH_TE = 256,
+ EVENT_100_CONNECT_RESP = 257,
+ EVENT_EARLY_CONNECT_RESPONSE = 258,
+ EVENT_MALFORMED_CD_FILENAME = 259,
+ EVENT_TRUNCATED_MSG_BODY_CL = 260,
+ EVENT_TRUNCATED_MSG_BODY_CHUNK = 261,
+ EVENT_LONG_SCHEME = 262,
 EVENT__MAX_VALUE
 };
diff --git a/src/service_inspectors/http_inspect/http_msg_head_shared.h b/src/service_inspectors/http_inspect/http_msg_head_shared.h
index 8b3ba4ef6..5741dff73 100755
--- a/src/service_inspectors/http_inspect/http_msg_head_shared.h
+++ b/src/service_inspectors/http_inspect/http_msg_head_shared.h
@@ -77,7 +77,7 @@ private:
 // Header normalization strategies. There should be one defined for every different way we can
 // process a header field value.
 static const HeaderNormalizer NORMALIZER_BASIC;
- static const HeaderNormalizer NORMALIZER_NO_REPEAT;
+ static const HeaderNormalizer NORMALIZER_HOST;
 static const HeaderNormalizer NORMALIZER_CASE_INSENSITIVE;
 static const HeaderNormalizer NORMALIZER_NUMBER;
 static const HeaderNormalizer NORMALIZER_TOKEN_LIST;
diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc
index d676447f3..a14f5b96c 100755
--- a/src/service_inspectors/http_inspect/http_msg_header.cc
+++ b/src/service_inspectors/http_inspect/http_msg_header.cc
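Review bot: The numbers newly retired in EventSid (16, 17, 23, 25, 26, 27, 29, 30, 103, 106, 107, 108) are left as commented-out entries without the `// Previously used, do not reuse this number` marker that 5, 22 and 101 carry, so nothing tells a later maintainer that these values are still reserved. Since the same values are presumably the externally visible sids that http_events in http_tables.cc maps to alert messages, reassigning one of them would silently relabel alerts for anyone keyed on the old number. Suggest adding the marker to each new commented-out line, e.g. `// EVENT_LARGE_CHUNK = 16, // Previously used, do not reuse this number`, or one comment above the enum stating that every commented-out value is reserved; the same applies to the commented-out rows in the http_tables.cc hunks at -292 and -303.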
@@ -143,6 +143,11 @@ void HttpMsgHeader::gen_events()
 add_infraction(INF_BOTH_CL_AND_TE);
 create_event(EVENT_BOTH_CL_AND_TE);
 }
+
+ // Force inspection of the Host field
+ if (source_id == SRC_CLIENT)
+ get_header_value_norm(HEAD_HOST);
+
 // Content-Transfer-Encoding is a MIME header not sanctioned by HTTP. Which may not prevent
 // some clients from recognizing it and applying a decoding that Snort does not expect.
 if (get_header_count(HEAD_CONTENT_TRANSFER_ENCODING) > 0)
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc
index 32c2c5597..86ad08e08 100755
--- a/src/service_inspectors/http_inspect/http_tables.cc
+++ b/src/service_inspectors/http_inspect/http_tables.cc
@@ -184,8 +184,8 @@ const StrCode HttpMsgHeadShared::charset_code_opt_list[] =
 const HeaderNormalizer HttpMsgHeadShared::NORMALIZER_BASIC
 { EVENT__NONE, INF__NONE, false, nullptr, nullptr, nullptr };
-const HeaderNormalizer HttpMsgHeadShared::NORMALIZER_NO_REPEAT
- { EVENT_REPEATED_HEADER, INF_REPEATED_HEADER, false, nullptr, nullptr, nullptr };
+const HeaderNormalizer HttpMsgHeadShared::NORMALIZER_HOST
+ { EVENT_MULTIPLE_HOST_HDRS, INF_MULTIPLE_HOST_HDRS, false, nullptr, nullptr, nullptr };
 const HeaderNormalizer HttpMsgHeadShared::NORMALIZER_CASE_INSENSITIVE
 { EVENT__NONE, INF__NONE, false, norm_to_lower, nullptr, nullptr };
@@ -237,7 +237,7 @@ const HeaderNormalizer* const HttpMsgHeadShared::header_norms[HEAD__MAX_VALUE +
 &NORMALIZER_BASIC, // HEAD_AUTHORIZATION
 &NORMALIZER_CASE_INSENSITIVE, // HEAD_EXPECT
 &NORMALIZER_BASIC, // HEAD_FROM
- &NORMALIZER_NO_REPEAT, // HEAD_HOST
+ &NORMALIZER_HOST, // HEAD_HOST
 &NORMALIZER_BASIC, // HEAD_IF_MATCH
 &NORMALIZER_DATE, // HEAD_IF_MODIFIED_SINCE
 &NORMALIZER_BASIC, // HEAD_IF_NONE_MATCH
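Review bot: The new `get_header_value_norm(HEAD_HOST)` call in gen_events() discards its result and exists only for its side effect, which reads like dead code, and the comment `// Force inspection of the Host field` does not say what that side effect is. The http_tables.cc hunk in this commit maps HEAD_HOST to NORMALIZER_HOST, whose first fields are EVENT_MULTIPLE_HOST_HDRS and INF_MULTIPLE_HOST_HDRS, so the intent appears to be that the event fires even when no rule option ever reads the Host field; suggest saying so: `// Normalize Host unconditionally so NORMALIZER_HOST runs and raises EVENT_MULTIPLE_HOST_HDRS even when no rule reads the field; return value deliberately ignored.` If the function carries a warn-unused-result attribute, a `(void)` cast would make the intent explicit to the compiler as well. gen_events() begins before and continues after this hunk.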
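Review bot: Swapping NORMALIZER_NO_REPEAT for NORMALIZER_HOST on HEAD_HOST changes which event a repeated Host field presumably raises, from EVENT_REPEATED_HEADER (243) to EVENT_MULTIPLE_HOST_HDRS (24), yet the commit message says only "remove unused events", so a rule or alert consumer keyed on 243 for Host stops matching with no changelog hint. Suggest stating the sid change in the commit description and adding a comment on the NORMALIZER_HOST definition, e.g. `// Host has its own normalizer so a repeated field raises EVENT_MULTIPLE_HOST_HDRS (24) instead of the generic EVENT_REPEATED_HEADER (243).` Whether this normalizer also detects a single Host field with multiple comma-separated values, as the new http_events text in the -303 hunk claims, cannot be confirmed from these hunks and is worth a unit test either way.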
@@ -292,7 +292,7 @@ const RuleMap HttpModule::http_events[] =
 { EVENT_DOUBLE_DECODE, "double decoding attack" },
 { EVENT_U_ENCODE, "u encoding" },
 { EVENT_BARE_BYTE, "bare byte unicode encoding" },
- { EVENT_OBSOLETE_BASE_36, "obsolete event--deleted" },
+ // { EVENT_OBSOLETE_BASE_36, "obsolete event--deleted" },
 { EVENT_UTF_8, "UTF-8 encoding" },
 { EVENT_CODE_POINT_IN_URI, "unicode map code point encoding in URI" },
 { EVENT_MULTI_SLASH, "multi_slash encoding" },
@@ -303,33 +303,34 @@ const RuleMap HttpModule::http_events[] =
 { EVENT_LF_WITHOUT_CR, "HTTP header line terminated by LF without a CR" },
 { EVENT_NON_RFC_CHAR, "non-RFC defined char" },
 { EVENT_OVERSIZE_DIR, "oversize request-uri directory" },
- { EVENT_LARGE_CHUNK, "oversize chunk encoding" },
- { EVENT_PROXY_USE, "unauthorized proxy use detected" },
+ // { EVENT_LARGE_CHUNK, "oversize chunk encoding" },
+ // { EVENT_PROXY_USE, "unauthorized proxy use detected" },
 { EVENT_WEBROOT_DIR, "webroot directory traversal" },
 { EVENT_LONG_HDR, "long header" },
 { EVENT_MAX_HEADERS, "max header fields" },
 { EVENT_MULTIPLE_CONTLEN, "multiple content length" },
- { EVENT_OBSOLETE_CHUNK_SIZE_MISMATCH, "obsolete event--deleted" },
- { EVENT_INVALID_TRUEIP, "invalid IP in true-client-IP/XFF header" },
- { EVENT_MULTIPLE_HOST_HDRS, "multiple host hdrs detected" },
- { EVENT_LONG_HOSTNAME, "hostname exceeds 255 characters" },
- { EVENT_EXCEEDS_SPACES, "too much whitespace in header (not implemented yet)" },
- { EVENT_CONSECUTIVE_SMALL_CHUNKS, "client consecutive small chunk sizes" },
+ // { EVENT_OBSOLETE_CHUNK_SIZE_MISMATCH, "obsolete event--deleted" },
+ // { EVENT_INVALID_TRUEIP, "invalid IP in true-client-IP/XFF header" },
+ { EVENT_MULTIPLE_HOST_HDRS, "Host header field appears more than once or has multiple " "values" },
+ // { EVENT_LONG_HOSTNAME, "hostname exceeds 255 characters" },
+ // { EVENT_EXCEEDS_SPACES, "too much whitespace in header (not implemented yet)" },
+ // { EVENT_CONSECUTIVE_SMALL_CHUNKS, "client consecutive small chunk sizes" },
 { EVENT_UNBOUNDED_POST, "POST or PUT w/o content-length or chunks" },
- { EVENT_MULTIPLE_TRUEIP_IN_SESSION, "multiple true ips in a session" },
- { EVENT_BOTH_TRUEIP_XFF_HDRS, "both true-client-IP and XFF hdrs present" },
+ // { EVENT_MULTIPLE_TRUEIP_IN_SESSION, "multiple true ips in a session" },
+ // { EVENT_BOTH_TRUEIP_XFF_HDRS, "both true-client-IP and XFF hdrs present" },
 { EVENT_UNKNOWN_METHOD, "unknown method" },
 { EVENT_SIMPLE_REQUEST, "simple request" },
 { EVENT_UNESCAPED_SPACE_URI, "unescaped space in HTTP URI" },
 { EVENT_PIPELINE_MAX, "too many pipelined requests" },
- { EVENT_OBSOLETE_ANOM_SERVER, "obsolete event--deleted" },
+ // { EVENT_OBSOLETE_ANOM_SERVER, "obsolete event--deleted" },
 { EVENT_INVALID_STATCODE, "invalid status code in HTTP response" },
- { EVENT_UNUSED_1, "unused event number--should not appear" },
+ // { EVENT_UNUSED_1, "unused event number--should not appear" },
 { EVENT_UTF_NORM_FAIL, "HTTP response has UTF charset that failed to normalize" },
 { EVENT_UTF7, "HTTP response has UTF-7 charset" },
- { EVENT_DECOMPR_FAILED, "HTTP response gzip decompression failed" },
- { EVENT_CONSECUTIVE_SMALL_CHUNKS_S, "server consecutive small chunk sizes" },
- { EVENT_UNUSED_2, "unused event number--should not appear" },
+ // { EVENT_DECOMPR_FAILED, "HTTP response gzip decompression failed" },
+ // { EVENT_CONSECUTIVE_SMALL_CHUNKS_S, "server consecutive small chunk sizes" },
+ // { EVENT_UNUSED_2, "unused event number--should not appear" },
 { EVENT_JS_OBFUSCATION_EXCD, "javascript obfuscation levels exceeds 1" },
 { EVENT_JS_EXCESS_WS, "javascript whitespaces exceeds max allowed" },
 { EVENT_MIXED_ENCODINGS, "multiple encodings within javascript obfuscated data" },