From: Victor Julien <victor@inliniac.net>
Date: Tue, 1 Oct 2013 10:20:07 +0000 (+0200)
Subject: http: update http rules
X-Git-Tag: suricata-2.0beta2~247
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85f13c4e2857befe80627393549352410aedc4dd;p=thirdparty%2Fsuricata.git

http: update http rules
---

diff --git a/rules/http-events.rules b/rules/http-events.rules
index 0563ca17ad..e17641857f 100644
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@@ -2,7 +2,7 @@
 #
 # SID's fall in the 2221000+ range. See http://doc.emergingthreats.net/bin/view/Main/SidAllocation
 #
-# These sigs fire at most once per connection.
+# These sigs fire at most once per HTTP transaction.
 #
 # A flowint http.anomaly.count is incremented for each match. By default it will be 0.
 #
@@ -27,8 +27,8 @@ alert http any any -> any any (msg:"SURICATA HTTP missing Host header"; flow:est
 alert http any any -> any any (msg:"SURICATA HTTP Host header ambiguous"; flow:established,to_server; app-layer-event:http.host_header_ambiguous; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221015; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP invalid request field folding"; flow:established,to_server; app-layer-event:http.invalid_request_field_folding; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221016; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP invalid response field folding"; flow:established,to_client; app-layer-event:http.invalid_response_field_folding; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221017; rev:1;)
-alert http any any -> any any (msg:"SURICATA HTTP request field too long"; flow:established,to_server; app-layer-event:http.request_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221018; rev:1;)
-alert http any any -> any any (msg:"SURICATA HTTP response field too long"; flow:established,to_client; app-layer-event:http.response_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221019; rev:1;)
+alert http any any -> any any (msg:"SURICATA HTTP request buffer too long"; flow:established,to_server; app-layer-event:http.request_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221018; rev:1;)
+alert http any any -> any any (msg:"SURICATA HTTP response buffer too long"; flow:established,to_client; app-layer-event:http.response_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221019; rev:1;)
 # Multipart parser detected generic error.
 alert http any any -> any any (msg:"SURICATA HTTP multipart generic error"; flow:established,to_server; app-layer-event:http.multipart_generic_error; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221022; rev:1;)
 # Multipart header claiming a file to present, but no actual filedata available.