From: Tom Peters (thopeter) Date: Thu, 31 Mar 2022 15:57:20 +0000 (+0000) Subject: Pull request #3321: US 670672: O365: Add capability to identify microsoft headers... X-Git-Tag: 3.1.27.0~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e302b45c734eacfcb102e5328b1be4fe9a39348;p=thirdparty%2Fsnort3.git Pull request #3321: US 670672: O365: Add capability to identify microsoft headers in NHI Merge in SNORT/snort3 from ~MDAGON/snort3:tenant to master Squashed commit of the following: commit f96fc2a190605055565dd5e7d616884cde125c25 Author: Maya Dagon Date: Thu Mar 24 11:23:57 2022 -0400 http_inspect: support headers Restrict-Access-To-Tenants, Restrict-Access-Context --- diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h index 7e28b3fcd..6c6df7423 100755 --- a/src/service_inspectors/http_inspect/http_enum.h +++ b/src/service_inspectors/http_inspect/http_enum.h @@ -140,6 +140,7 @@ enum TransferEncoding { TE__OTHER=1, TE_CHUNKED, TE_IDENTITY }; enum Upgrade { UP__OTHER=1, UP_H2C, UP_H2, UP_HTTP20 }; // Every header we have ever heard of +// Note: when making changes here also update NormalizedHeader::header_norms enum HeaderId { HEAD__NOT_COMPUTE=-14, HEAD__PROBLEMATIC=-12, HEAD__NOT_PRESENT=-11, HEAD__OTHER=1, HEAD_CACHE_CONTROL, HEAD_CONNECTION, HEAD_DATE, HEAD_PRAGMA, HEAD_TRAILER, HEAD_COOKIE, HEAD_SET_COOKIE, HEAD_TRANSFER_ENCODING, HEAD_UPGRADE, HEAD_VIA, HEAD_WARNING, HEAD_ACCEPT, 
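Review bot: The reminder added above `enum HeaderId` in http_enum.h names only `NormalizedHeader::header_norms`, yet this same commit also has to extend `HttpMsgHeadShared::header_list` in http_tables.cc before the new IDs can be recognised by name. A maintainer who follows the comment literally would add an ID and a normalizer slot and, presumably, end up with a header that is never matched. I would widen it to `// Note: when making changes here also update NormalizedHeader::header_norms and HttpMsgHeadShared::header_list`. The enum body continues outside this hunk.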
@@ -152,7 +153,8 @@ enum HeaderId { HEAD__NOT_COMPUTE=-14, HEAD__PROBLEMATIC=-12, HEAD__NOT_PRESENT= HEAD_CONTENT_LENGTH, HEAD_CONTENT_LOCATION, HEAD_CONTENT_MD5, HEAD_CONTENT_RANGE, HEAD_CONTENT_TYPE, HEAD_EXPIRES, HEAD_LAST_MODIFIED, HEAD_X_FORWARDED_FOR, HEAD_TRUE_CLIENT_IP, HEAD_X_WORKING_WITH, HEAD_CONTENT_TRANSFER_ENCODING, HEAD_MIME_VERSION, HEAD_PROXY_AGENT, - HEAD_CONTENT_DISPOSITION, HEAD_HTTP2_SETTINGS, HEAD__MAX_VALUE }; + HEAD_CONTENT_DISPOSITION, HEAD_HTTP2_SETTINGS, HEAD_RESTRICT_ACCESS_TO_TENANTS, + HEAD_RESTRICT_ACCESS_CONTEXT, HEAD__MAX_VALUE }; // All the infractions we might find while parsing and analyzing a message enum Infraction diff --git a/src/service_inspectors/http_inspect/http_normalized_header.cc b/src/service_inspectors/http_inspect/http_normalized_header.cc index 3448fcfb7..53d5c0969 100644 --- a/src/service_inspectors/http_inspect/http_normalized_header.cc +++ b/src/service_inspectors/http_inspect/http_normalized_header.cc @@ -163,6 +163,8 @@ const NormalizedHeader::HeaderNormalizer* const NormalizedHeader::header_norms[H &NORMALIZER_BASIC, // HEAD_PROXY_AGENT &NORMALIZER_BASIC, // HEAD_CONTENT_DISPOSITION &NORMALIZER_TOKEN_LIST, // HEAD_HTTP2_SETTINGS + &NORMALIZER_BASIC, // HEAD_RESTRICT_ACCESS_TO_TENANTS + &NORMALIZER_BASIC, // HEAD_RESTRICT_ACCESS_CONTEXT &NORMALIZER_BASIC, // HEAD__MAX_VALUE &NORMALIZER_BASIC, // HEAD_CUSTOM_XFF_HEADER &NORMALIZER_BASIC, // HEAD_CUSTOM_XFF_HEADER diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc index 39f1dda20..72e0c56d9 100755 --- a/src/service_inspectors/http_inspect/http_tables.cc +++ b/src/service_inspectors/http_inspect/http_tables.cc 
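Review bot: The two new slots in `header_norms` in http_normalized_header.cc use `&NORMALIZER_BASIC`, and nothing in the hunk records why that normalizer fits these headers. Restrict-Access-To-Tenants normally carries a comma-separated list of permitted tenants added by an egress proxy, so it is worth confirming how NORMALIZER_BASIC (defined outside this hunk) presents a message that carries the field more than once; a rule that sees only one instance could miss a conflicting value. If BASIC is deliberate, a trailing comment such as `// tenant list; repeated fields handled as <actual behaviour>` would save the next reader the lookup. The table is positional, and the entries here do follow the enum order shown in the http_enum.h hunk.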
@@ -83,64 +83,66 @@ const StrCode HttpMsgRequest::method_list[] =
 const StrCode HttpMsgHeadShared::header_list[] =
 {
- { HEAD_CACHE_CONTROL, "cache-control" },
- { HEAD_CONNECTION, "connection" },
- { HEAD_DATE, "date" },
- { HEAD_PRAGMA, "pragma" },
- { HEAD_TRAILER, "trailer" },
- { HEAD_COOKIE, "cookie" },
- { HEAD_SET_COOKIE, "set-cookie" },
- { HEAD_TRANSFER_ENCODING, "transfer-encoding" },
- { HEAD_UPGRADE, "upgrade" },
- { HEAD_VIA, "via" },
- { HEAD_WARNING, "warning" },
- { HEAD_ACCEPT, "accept" },
- { HEAD_ACCEPT_CHARSET, "accept-charset" },
- { HEAD_ACCEPT_ENCODING, "accept-encoding" },
- { HEAD_ACCEPT_LANGUAGE, "accept-language" },
- { HEAD_AUTHORIZATION, "authorization" },
- { HEAD_EXPECT, "expect" },
- { HEAD_FROM, "from" },
- { HEAD_HOST, "host" },
- { HEAD_IF_MATCH, "if-match" },
- { HEAD_IF_MODIFIED_SINCE, "if-modified-since" },
- { HEAD_IF_NONE_MATCH, "if-none-match" },
- { HEAD_IF_RANGE, "if-range" },
- { HEAD_IF_UNMODIFIED_SINCE, "if-unmodified-since" },
- { HEAD_MAX_FORWARDS, "max-forwards" },
- { HEAD_PROXY_AUTHORIZATION, "proxy-authorization" },
- { HEAD_RANGE, "range" },
- { HEAD_REFERER, "referer" },
- { HEAD_TE, "te" },
- { HEAD_USER_AGENT, "user-agent" },
- { HEAD_ACCEPT_RANGES, "accept-ranges" },
- { HEAD_AGE, "age" },
- { HEAD_ETAG, "etag" },
- { HEAD_LOCATION, "location" },
- { HEAD_PROXY_AUTHENTICATE, "proxy-authenticate" },
- { HEAD_RETRY_AFTER, "retry-after" },
- { HEAD_SERVER, "server" },
- { HEAD_VARY, "vary" },
- { HEAD_WWW_AUTHENTICATE, "www-authenticate" },
- { HEAD_ALLOW, "allow" },
- { HEAD_CONTENT_ENCODING, "content-encoding" },
- { HEAD_CONTENT_LANGUAGE, "content-language" },
- { HEAD_CONTENT_LENGTH, "content-length" },
- { HEAD_CONTENT_LOCATION, "content-location" },
- { HEAD_CONTENT_MD5, "content-md5" },
- { HEAD_CONTENT_RANGE, "content-range" },
- { HEAD_CONTENT_TYPE, "content-type" },
- { HEAD_EXPIRES, "expires" },
- { HEAD_LAST_MODIFIED, "last-modified" },
- { HEAD_X_FORWARDED_FOR, "x-forwarded-for" },
- { HEAD_TRUE_CLIENT_IP, "true-client-ip" },
- { HEAD_X_WORKING_WITH, "x-working-with" },
- { HEAD_CONTENT_TRANSFER_ENCODING, "content-transfer-encoding" },
- { HEAD_MIME_VERSION, "mime-version" },
- { HEAD_PROXY_AGENT, "proxy-agent" },
- { HEAD_CONTENT_DISPOSITION, "content-disposition" },
- { HEAD_HTTP2_SETTINGS, "http2-settings" },
- { 0, nullptr }
+ { HEAD_CACHE_CONTROL, "cache-control" },
+ { HEAD_CONNECTION, "connection" },
+ { HEAD_DATE, "date" },
+ { HEAD_PRAGMA, "pragma" },
+ { HEAD_TRAILER, "trailer" },
+ { HEAD_COOKIE, "cookie" },
+ { HEAD_SET_COOKIE, "set-cookie" },
+ { HEAD_TRANSFER_ENCODING, "transfer-encoding" },
+ { HEAD_UPGRADE, "upgrade" },
+ { HEAD_VIA, "via" },
+ { HEAD_WARNING, "warning" },
+ { HEAD_ACCEPT, "accept" },
+ { HEAD_ACCEPT_CHARSET, "accept-charset" },
+ { HEAD_ACCEPT_ENCODING, "accept-encoding" },
+ { HEAD_ACCEPT_LANGUAGE, "accept-language" },
+ { HEAD_AUTHORIZATION, "authorization" },
+ { HEAD_EXPECT, "expect" },
+ { HEAD_FROM, "from" },
+ { HEAD_HOST, "host" },
+ { HEAD_IF_MATCH, "if-match" },
+ { HEAD_IF_MODIFIED_SINCE, "if-modified-since" },
+ { HEAD_IF_NONE_MATCH, "if-none-match" },
+ { HEAD_IF_RANGE, "if-range" },
+ { HEAD_IF_UNMODIFIED_SINCE, "if-unmodified-since" },
+ { HEAD_MAX_FORWARDS, "max-forwards" },
+ { HEAD_PROXY_AUTHORIZATION, "proxy-authorization" },
+ { HEAD_RANGE, "range" },
+ { HEAD_REFERER, "referer" },
+ { HEAD_TE, "te" },
+ { HEAD_USER_AGENT, "user-agent" },
+ { HEAD_ACCEPT_RANGES, "accept-ranges" },
+ { HEAD_AGE, "age" },
+ { HEAD_ETAG, "etag" },
+ { HEAD_LOCATION, "location" },
+ { HEAD_PROXY_AUTHENTICATE, "proxy-authenticate" },
+ { HEAD_RETRY_AFTER, "retry-after" },
+ { HEAD_SERVER, "server" },
+ { HEAD_VARY, "vary" },
+ { HEAD_WWW_AUTHENTICATE, "www-authenticate" },
+ { HEAD_ALLOW, "allow" },
+ { HEAD_CONTENT_ENCODING, "content-encoding" },
+ { HEAD_CONTENT_LANGUAGE, "content-language" },
+ { HEAD_CONTENT_LENGTH, "content-length" },
+ { HEAD_CONTENT_LOCATION, "content-location" },
+ { HEAD_CONTENT_MD5, "content-md5" },
+ { HEAD_CONTENT_RANGE, "content-range" },
+ { HEAD_CONTENT_TYPE, "content-type" },
+ { HEAD_EXPIRES, "expires" },
+ { HEAD_LAST_MODIFIED, "last-modified" },
+ { HEAD_X_FORWARDED_FOR, "x-forwarded-for" },
+ { HEAD_TRUE_CLIENT_IP, "true-client-ip" },
+ { HEAD_X_WORKING_WITH, "x-working-with" },
+ { HEAD_CONTENT_TRANSFER_ENCODING, "content-transfer-encoding" },
+ { HEAD_MIME_VERSION, "mime-version" },
+ { HEAD_PROXY_AGENT, "proxy-agent" },
+ { HEAD_CONTENT_DISPOSITION, "content-disposition" },
+ { HEAD_HTTP2_SETTINGS, "http2-settings" },
+ { HEAD_RESTRICT_ACCESS_TO_TENANTS, "restrict-access-to-tenants" },
+ { HEAD_RESTRICT_ACCESS_CONTEXT, "restrict-access-context" },
+ { 0, nullptr }
 };
 const StrCode HttpMsgHeadShared::content_code_list[] =
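Review bot: Every existing row of `header_list` is removed and re-added, apparently only to change column alignment (the tokens are identical on both sides as shown here), so the two functional additions, `restrict-access-to-tenants` and `restrict-access-context`, sit inside a rewrite of the whole table. For a table that drives header identification in an inspection engine, that makes it hard to confirm by eye that no existing name-to-ID pair changed. I would either keep the old alignment and add only the two new rows, or land the realignment as a separate whitespace-only commit so this one shows just the new headers.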