From: Tom Peters (thopeter) Date: Fri, 29 Apr 2022 18:10:53 +0000 (+0000) Subject: Pull request #3399: Rule text updates X-Git-Tag: 3.1.29.0~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=560fb16e83ee7418e59ce9ff813fc8b6e0b5f917;p=thirdparty%2Fsnort3.git Pull request #3399: Rule text updates Merge in SNORT/snort3 from ~ADMAMOLE/snort3:rule_text_updates to master Squashed commit of the following: commit feb97b0a72375cac3e6a9b3a655ff6721a47965b Author: Adrian Mamolea Date: Wed Apr 27 12:35:18 2022 -0400 doc: rule text updates --- diff --git a/doc/reference/builtin_stubs.txt b/doc/reference/builtin_stubs.txt index 7a3965f8b..123cee34f 100644 --- a/doc/reference/builtin_stubs.txt +++ b/doc/reference/builtin_stubs.txt @@ -4,19 +4,19 @@ A tagged packet was logged. 105:1 -Back orifice traffic detected, unknown direction +Back Orifice traffic detected, unknown direction 105:2 -Back orifice client traffic detected +Back Orifice client traffic detected 105:3 -Back orifice server traffic detected +Back Orifice server traffic detected 105:4 -Back orifice length field >= 1024 bytes +Back Orifice length field >= 1024 bytes 106:1 @@ -732,7 +732,7 @@ specific unreserved characters that are exempted from triggering this alert. 119:2 -URI is percent encoded and the result is percent encoded again. This alert can only be generated if +URI contains double-encoded hexadecimal characters. This alert can only be generated if the iis_double_decode option is configured. 119:3 @@ -765,7 +765,7 @@ generated if the simplify_path option is configured. 119:9 The backslash character appears in the path portion of a URI. This alert can only be generated if -the backslash_to_slash option is configured. +the backslash_to_slash option is configured 119:10 @@ -1364,7 +1364,7 @@ HTTP/2 dynamic table has more than 512 entries 121:15 -HTTP/2 push promise frame with promised stream ID already in use. +HTTP/2 push promise frame with promised stream ID already in use 121:16 
diff --git a/src/service_inspectors/back_orifice/back_orifice.cc b/src/service_inspectors/back_orifice/back_orifice.cc index 6f9e1dd05..44360be25 100644 --- a/src/service_inspectors/back_orifice/back_orifice.cc +++ b/src/service_inspectors/back_orifice/back_orifice.cc @@ -159,13 +159,13 @@ static THREAD_LOCAL SimpleStats bostats; #define BO_SNORT_BUFFER_ATTACK 4 #define BO_TRAFFIC_DETECT_STR \ - "Back orifice traffic detected, unknown direction" + "Back Orifice traffic detected, unknown direction" #define BO_CLIENT_TRAFFIC_DETECT_STR \ - "Back orifice client traffic detected" + "Back Orifice client traffic detected" #define BO_SERVER_TRAFFIC_DETECT_STR \ - "Back orifice server traffic detected" + "Back Orifice server traffic detected" #define BO_SNORT_BUFFER_ATTACK_STR \ - "Back orifice length field >= 1024 bytes" + "Back Orifice length field >= 1024 bytes" static const RuleMap bo_rules[] = { diff --git a/src/service_inspectors/http2_inspect/http2_tables.cc b/src/service_inspectors/http2_inspect/http2_tables.cc index 2e03b2b75..a62339a24 100644 --- a/src/service_inspectors/http2_inspect/http2_tables.cc +++ b/src/service_inspectors/http2_inspect/http2_tables.cc @@ -45,7 +45,7 @@ const RuleMap Http2Module::http2_events[] = { EVENT_SETTINGS_FRAME_UNKN_PARAM, "unknown parameter in HTTP/2 settings frame" }, { EVENT_FRAME_SEQUENCE, "invalid HTTP/2 frame sequence" }, { EVENT_DYNAMIC_TABLE_OVERFLOW, "HTTP/2 dynamic table has more than 512 entries" }, - { EVENT_INVALID_PROMISED_STREAM, "HTTP/2 push promise frame with promised stream ID already in use." }, + { EVENT_INVALID_PROMISED_STREAM, "HTTP/2 push promise frame with promised stream ID already in use" }, { EVENT_PADDING_LEN, "HTTP/2 padding length is bigger than frame data size" }, { EVENT_PSEUDO_HEADER_AFTER_REGULAR_HEADER, "HTTP/2 pseudo-header after regular header" }, { EVENT_PSEUDO_HEADER_IN_TRAILERS, "HTTP/2 pseudo-header in trailers" }, 
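Review bot: The `BO_*_STR` macros hold the alert message text for 105:1–105:4 (the doc stubs earlier in this commit list the same strings), yet nothing near them says that log consumers may match on this text, so a capitalisation change like this one can silently stop a SIEM filter or correlation rule that keys on the old `Back orifice …` string. I would add a comment above the macros such as `// Emitted as the alert msg; downstream matching should key on gid:sid (105:1-4), not on this text.` and list the changed strings in the release notes. The same applies to the message edit for 121:15 in http2_tables.cc and to those for 119:2, 119:9 and the two JavaScript nesting events in http_tables.cc. How `bo_rules[]` consumes the macros is outside the hunk, so the claim that the text reaches alerts unchanged is inferred from the RuleMap name and the doc stubs.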
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc index 72e0c56d9..f6e9018f3 100755 --- a/src/service_inspectors/http_inspect/http_tables.cc +++ b/src/service_inspectors/http_inspect/http_tables.cc @@ -202,15 +202,14 @@ const StrCode HttpMsgHeadShared::transfer_encoding_list[] = const RuleMap HttpModule::http_events[] = { { EVENT_ASCII, "URI has percent-encoding of an unreserved character" }, - { EVENT_DOUBLE_DECODE, "URI is percent encoded and the result is percent encoded " - "again" }, + { EVENT_DOUBLE_DECODE, "URI contains double-encoded hexadecimal characters" }, { EVENT_U_ENCODE, "URI has non-standard %u-style Unicode encoding" }, { EVENT_BARE_BYTE, "URI has Unicode encodings containing bytes that were not " "percent-encoded" }, { EVENT_UTF_8, "URI has two-byte or three-byte UTF-8 encoding" }, { EVENT_CODE_POINT_IN_URI, "URI has unicode map code point encoding" }, { EVENT_MULTI_SLASH, "URI path contains consecutive slash characters" }, - { EVENT_BACKSLASH_IN_URI, "backslash character appears in the path portion of a URI." + { EVENT_BACKSLASH_IN_URI, "backslash character appears in the path portion of a URI" }, { EVENT_SELF_DIR_TRAV, "URI path contains /./ pattern repeating the current " "directory" }, 
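Review bot: The new `EVENT_DOUBLE_DECODE` text loses the one detail an analyst triaging 119:2 needs: "double-encoded hexadecimal characters" no longer says that percent-encoding was applied twice, which the replaced wording stated outright. Something like `{ EVENT_DOUBLE_DECODE, "URI contains doubly percent-encoded characters" },` stays on one line and is unambiguous, and the 119:2 doc stub would follow the same wording. Separately, the `},` closing `EVENT_BACKSLASH_IN_URI` is still on its own line although the shortened string now leaves room for it, so the two lines can be joined. The `http_events[]` array continues past the end of the hunk.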
@@ -331,11 +330,11 @@ const RuleMap HttpModule::http_events[] = { EVENT_JS_CODE_IN_EXTERNAL, "JavaScript code under the external script tags" }, { EVENT_JS_SHORTENED_TAG, "script opening tag in a short form" }, { EVENT_JS_IDENTIFIER_OVERFLOW, "max number of unique JavaScript identifiers reached" }, - { EVENT_JS_BRACKET_NEST_OVERFLOW, "JavaScript bracket nesting is over capacity" }, + { EVENT_JS_BRACKET_NEST_OVERFLOW, "excessive JavaScript bracket nesting" }, { EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS, "Consecutive commas in HTTP Accept-Encoding " "header" }, { EVENT_JS_PDU_MISS, "missed PDUs during JavaScript normalization" }, - { EVENT_JS_SCOPE_NEST_OVERFLOW, "JavaScript scope nesting is over capacity" }, + { EVENT_JS_SCOPE_NEST_OVERFLOW, "excessive JavaScript scope nesting" }, { EVENT_INVALID_SUBVERSION, "HTTP/1 version other than 1.0 or 1.1" }, { EVENT_VERSION_0, "HTTP version in start line is 0" }, { EVENT_VERSION_HIGHER_THAN_1, "HTTP version in start line is higher than 1" },
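Review bot: `EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS`, sitting between the two reworded entries, still begins with a capital ("Consecutive commas …") while every other message visible in this hunk starts lowercase unless its first word is a name or acronym (JavaScript, HTTP). Since this commit is already changing rule text, and each such change can affect consumers that match on the message, it is cheaper to normalise this one in the same pass: `{ EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS, "consecutive commas in HTTP Accept-Encoding "`. The array begins and ends outside the hunk, so other entries may need the same check.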