From: Philippe Antoine Date: Thu, 6 Feb 2025 15:09:10 +0000 (+0100) Subject: http: aliases for htp log code X-Git-Tag: suricata-8.0.0-beta1~399 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e73de3d80eb40086d5d271192e0f409e70e281d;p=thirdparty%2Fsuricata.git http: aliases for htp log code In preparation of libhtp rust --- diff --git a/src/app-layer-htp-libhtp.h b/src/app-layer-htp-libhtp.h index 8988b2ca84..ba68eba043 100644 --- a/src/app-layer-htp-libhtp.h +++ b/src/app-layer-htp-libhtp.h @@ -96,6 +96,66 @@ #define HTP_RESPONSE_PROGRESS_TRAILER HTP_RESPONSE_TRAILER #define HTP_RESPONSE_PROGRESS_COMPLETE HTP_RESPONSE_COMPLETE +#define HTP_LOG_CODE_UNKNOWN HTTP_DECODER_EVENT_UNKNOWN_ERROR +#define HTP_LOG_CODE_GZIP_DECOMPRESSION_FAILED HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED +#define HTP_LOG_CODE_REQUEST_FIELD_MISSING_COLON HTTP_DECODER_EVENT_REQUEST_FIELD_MISSING_COLON +#define HTP_LOG_CODE_RESPONSE_FIELD_MISSING_COLON HTTP_DECODER_EVENT_RESPONSE_FIELD_MISSING_COLON +#define HTP_LOG_CODE_INVALID_REQUEST_CHUNK_LEN HTTP_DECODER_EVENT_INVALID_REQUEST_CHUNK_LEN +#define HTP_LOG_CODE_INVALID_RESPONSE_CHUNK_LEN HTTP_DECODER_EVENT_INVALID_RESPONSE_CHUNK_LEN +#define HTP_LOG_CODE_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST \ + HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST +#define HTP_LOG_CODE_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE \ + HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE +#define HTP_LOG_CODE_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST \ + HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST +#define HTP_LOG_CODE_INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE \ + HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE +#define HTP_LOG_CODE_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST \ + HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST +#define HTP_LOG_CODE_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE \ + HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE +#define HTP_LOG_CODE_CONTINUE_ALREADY_SEEN HTTP_DECODER_EVENT_100_CONTINUE_ALREADY_SEEN +#define HTP_LOG_CODE_UNABLE_TO_MATCH_RESPONSE_TO_REQUEST \ + HTTP_DECODER_EVENT_UNABLE_TO_MATCH_RESPONSE_TO_REQUEST +#define HTP_LOG_CODE_INVALID_SERVER_PORT_IN_REQUEST \ + HTTP_DECODER_EVENT_INVALID_SERVER_PORT_IN_REQUEST +#define HTP_LOG_CODE_INVALID_AUTHORITY_PORT HTTP_DECODER_EVENT_INVALID_AUTHORITY_PORT +#define HTP_LOG_CODE_REQUEST_HEADER_INVALID HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID +#define HTP_LOG_CODE_RESPONSE_HEADER_INVALID HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID +#define HTP_LOG_CODE_MISSING_HOST_HEADER HTTP_DECODER_EVENT_MISSING_HOST_HEADER +#define HTP_LOG_CODE_HOST_HEADER_AMBIGUOUS HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS +#define HTP_LOG_CODE_INVALID_REQUEST_FIELD_FOLDING HTTP_DECODER_EVENT_INVALID_REQUEST_FIELD_FOLDING +#define HTP_LOG_CODE_INVALID_RESPONSE_FIELD_FOLDING \ + HTTP_DECODER_EVENT_INVALID_RESPONSE_FIELD_FOLDING +#define HTP_LOG_CODE_REQUEST_FIELD_TOO_LONG HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG +#define HTP_LOG_CODE_RESPONSE_FIELD_TOO_LONG HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG +#define HTP_LOG_CODE_FILE_NAME_TOO_LONG HTTP_DECODER_EVENT_FILE_NAME_TOO_LONG +#define HTP_LOG_CODE_REQUEST_LINE_INVALID HTTP_DECODER_EVENT_REQUEST_LINE_INVALID +#define HTP_LOG_CODE_REQUEST_BODY_UNEXPECTED HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED +#define HTP_LOG_CODE_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH \ + HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH +#define HTP_LOG_CODE_URI_HOST_INVALID HTTP_DECODER_EVENT_URI_HOST_INVALID +#define HTP_LOG_CODE_HEADER_HOST_INVALID HTTP_DECODER_EVENT_HEADER_HOST_INVALID +#define HTP_LOG_CODE_AUTH_UNRECOGNIZED HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED +#define HTP_LOG_CODE_REQUEST_HEADER_REPETITION HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION +#define HTP_LOG_CODE_RESPONSE_HEADER_REPETITION HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION +#define HTP_LOG_CODE_DOUBLE_ENCODED_URI HTTP_DECODER_EVENT_DOUBLE_ENCODED_URI +#define HTP_LOG_CODE_URI_DELIM_NON_COMPLIANT HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT +#define HTP_LOG_CODE_METHOD_DELIM_NON_COMPLIANT HTTP_DECODER_EVENT_METHOD_DELIM_NON_COMPLIANT +#define HTP_LOG_CODE_REQUEST_LINE_LEADING_WHITESPACE \ + HTTP_DECODER_EVENT_REQUEST_LINE_LEADING_WHITESPACE +#define HTP_LOG_CODE_TOO_MANY_ENCODING_LAYERS HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS +#define HTP_LOG_CODE_ABNORMAL_CE_HEADER HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER +#define HTP_LOG_CODE_RESPONSE_MULTIPART_BYTERANGES HTTP_DECODER_EVENT_RESPONSE_MULTIPART_BYTERANGES +#define HTP_LOG_CODE_RESPONSE_ABNORMAL_TRANSFER_ENCODING \ + HTTP_DECODER_EVENT_RESPONSE_ABNORMAL_TRANSFER_ENCODING +#define HTP_LOG_CODE_RESPONSE_CHUNKED_OLD_PROTO HTTP_DECODER_EVENT_RESPONSE_CHUNKED_OLD_PROTO +#define HTP_LOG_CODE_RESPONSE_INVALID_PROTOCOL HTTP_DECODER_EVENT_RESPONSE_INVALID_PROTOCOL +#define HTP_LOG_CODE_RESPONSE_INVALID_STATUS HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS +#define HTP_LOG_CODE_REQUEST_LINE_INCOMPLETE HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE +#define HTP_LOG_CODE_LZMA_MEMLIMIT_REACHED HTTP_DECODER_EVENT_LZMA_MEMLIMIT_REACHED +#define HTP_LOG_CODE_COMPRESSION_BOMB HTTP_DECODER_EVENT_COMPRESSION_BOMB + // Functions introduced to handle opaque htp_tx_t #define htp_tx_flags(tx) tx->flags #define htp_tx_is_protocol_0_9(tx) tx->is_protocol_0_9 diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c index dd19d6df69..190aa4ea15 100644 --- a/src/app-layer-htp.c +++ b/src/app-layer-htp.c @@ -103,63 +103,60 @@ static uint64_t htp_state_memcnt = 0; #endif SCEnumCharMap http_decoder_event_table[] = { - { "UNKNOWN_ERROR", HTTP_DECODER_EVENT_UNKNOWN_ERROR }, - { "GZIP_DECOMPRESSION_FAILED", HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED }, - { "REQUEST_FIELD_MISSING_COLON", HTTP_DECODER_EVENT_REQUEST_FIELD_MISSING_COLON }, - { "RESPONSE_FIELD_MISSING_COLON", HTTP_DECODER_EVENT_RESPONSE_FIELD_MISSING_COLON }, - { "INVALID_REQUEST_CHUNK_LEN", HTTP_DECODER_EVENT_INVALID_REQUEST_CHUNK_LEN }, - { "INVALID_RESPONSE_CHUNK_LEN", HTTP_DECODER_EVENT_INVALID_RESPONSE_CHUNK_LEN }, + { "UNKNOWN_ERROR", HTP_LOG_CODE_UNKNOWN }, + { "GZIP_DECOMPRESSION_FAILED", HTP_LOG_CODE_GZIP_DECOMPRESSION_FAILED }, + { "REQUEST_FIELD_MISSING_COLON", HTP_LOG_CODE_REQUEST_FIELD_MISSING_COLON }, + { "RESPONSE_FIELD_MISSING_COLON", HTP_LOG_CODE_RESPONSE_FIELD_MISSING_COLON }, + { "INVALID_REQUEST_CHUNK_LEN", HTP_LOG_CODE_INVALID_REQUEST_CHUNK_LEN }, + { "INVALID_RESPONSE_CHUNK_LEN", HTP_LOG_CODE_INVALID_RESPONSE_CHUNK_LEN }, { "INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST", - HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST }, + HTP_LOG_CODE_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST }, { "INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE", - HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE }, + HTP_LOG_CODE_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE }, { "INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST", - HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST }, + HTP_LOG_CODE_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST }, { "INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE", - HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE }, + HTP_LOG_CODE_INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE }, { "DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST", - HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST }, + HTP_LOG_CODE_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST }, { "DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE", - HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE }, - { "100_CONTINUE_ALREADY_SEEN", HTTP_DECODER_EVENT_100_CONTINUE_ALREADY_SEEN }, - { "UNABLE_TO_MATCH_RESPONSE_TO_REQUEST", - HTTP_DECODER_EVENT_UNABLE_TO_MATCH_RESPONSE_TO_REQUEST }, - { "INVALID_SERVER_PORT_IN_REQUEST", HTTP_DECODER_EVENT_INVALID_SERVER_PORT_IN_REQUEST }, - { "INVALID_AUTHORITY_PORT", HTTP_DECODER_EVENT_INVALID_AUTHORITY_PORT }, - { "REQUEST_HEADER_INVALID", HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID }, - { "RESPONSE_HEADER_INVALID", HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID }, - { "MISSING_HOST_HEADER", HTTP_DECODER_EVENT_MISSING_HOST_HEADER }, - { "HOST_HEADER_AMBIGUOUS", HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS }, - { "INVALID_REQUEST_FIELD_FOLDING", HTTP_DECODER_EVENT_INVALID_REQUEST_FIELD_FOLDING }, - { "INVALID_RESPONSE_FIELD_FOLDING", HTTP_DECODER_EVENT_INVALID_RESPONSE_FIELD_FOLDING }, - { "REQUEST_FIELD_TOO_LONG", HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG }, - { "RESPONSE_FIELD_TOO_LONG", HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG }, - { "FILE_NAME_TOO_LONG", HTTP_DECODER_EVENT_FILE_NAME_TOO_LONG }, - { "REQUEST_LINE_INVALID", HTTP_DECODER_EVENT_REQUEST_LINE_INVALID }, - { "REQUEST_BODY_UNEXPECTED", HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED }, - { "REQUEST_SERVER_PORT_TCP_PORT_MISMATCH", - HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH }, - { "REQUEST_URI_HOST_INVALID", HTTP_DECODER_EVENT_URI_HOST_INVALID }, - { "REQUEST_HEADER_HOST_INVALID", HTTP_DECODER_EVENT_HEADER_HOST_INVALID }, - { "REQUEST_AUTH_UNRECOGNIZED", HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED }, - { "REQUEST_HEADER_REPETITION", HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION }, - { "RESPONSE_HEADER_REPETITION", HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION }, - { "DOUBLE_ENCODED_URI", HTTP_DECODER_EVENT_DOUBLE_ENCODED_URI }, - { "URI_DELIM_NON_COMPLIANT", HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT }, - { "METHOD_DELIM_NON_COMPLIANT", HTTP_DECODER_EVENT_METHOD_DELIM_NON_COMPLIANT }, - { "REQUEST_LINE_LEADING_WHITESPACE", HTTP_DECODER_EVENT_REQUEST_LINE_LEADING_WHITESPACE }, - { "TOO_MANY_ENCODING_LAYERS", HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS }, - { "ABNORMAL_CE_HEADER", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER }, - { "RESPONSE_MULTIPART_BYTERANGES", HTTP_DECODER_EVENT_RESPONSE_MULTIPART_BYTERANGES }, - { "RESPONSE_ABNORMAL_TRANSFER_ENCODING", - HTTP_DECODER_EVENT_RESPONSE_ABNORMAL_TRANSFER_ENCODING }, - { "RESPONSE_CHUNKED_OLD_PROTO", HTTP_DECODER_EVENT_RESPONSE_CHUNKED_OLD_PROTO }, - { "RESPONSE_INVALID_PROTOCOL", HTTP_DECODER_EVENT_RESPONSE_INVALID_PROTOCOL }, - { "RESPONSE_INVALID_STATUS", HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS }, - { "REQUEST_LINE_INCOMPLETE", HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE }, - - { "LZMA_MEMLIMIT_REACHED", HTTP_DECODER_EVENT_LZMA_MEMLIMIT_REACHED }, - { "COMPRESSION_BOMB", HTTP_DECODER_EVENT_COMPRESSION_BOMB }, + HTP_LOG_CODE_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE }, + { "100_CONTINUE_ALREADY_SEEN", HTP_LOG_CODE_CONTINUE_ALREADY_SEEN }, + { "UNABLE_TO_MATCH_RESPONSE_TO_REQUEST", HTP_LOG_CODE_UNABLE_TO_MATCH_RESPONSE_TO_REQUEST }, + { "INVALID_SERVER_PORT_IN_REQUEST", HTP_LOG_CODE_INVALID_SERVER_PORT_IN_REQUEST }, + { "INVALID_AUTHORITY_PORT", HTP_LOG_CODE_INVALID_AUTHORITY_PORT }, + { "REQUEST_HEADER_INVALID", HTP_LOG_CODE_REQUEST_HEADER_INVALID }, + { "RESPONSE_HEADER_INVALID", HTP_LOG_CODE_RESPONSE_HEADER_INVALID }, + { "MISSING_HOST_HEADER", HTP_LOG_CODE_MISSING_HOST_HEADER }, + { "HOST_HEADER_AMBIGUOUS", HTP_LOG_CODE_HOST_HEADER_AMBIGUOUS }, + { "INVALID_REQUEST_FIELD_FOLDING", HTP_LOG_CODE_INVALID_REQUEST_FIELD_FOLDING }, + { "INVALID_RESPONSE_FIELD_FOLDING", HTP_LOG_CODE_INVALID_RESPONSE_FIELD_FOLDING }, + { "REQUEST_FIELD_TOO_LONG", HTP_LOG_CODE_REQUEST_FIELD_TOO_LONG }, + { "RESPONSE_FIELD_TOO_LONG", HTP_LOG_CODE_RESPONSE_FIELD_TOO_LONG }, + { "FILE_NAME_TOO_LONG", HTP_LOG_CODE_FILE_NAME_TOO_LONG }, + { "REQUEST_LINE_INVALID", HTP_LOG_CODE_REQUEST_LINE_INVALID }, + { "REQUEST_BODY_UNEXPECTED", HTP_LOG_CODE_REQUEST_BODY_UNEXPECTED }, + { "REQUEST_SERVER_PORT_TCP_PORT_MISMATCH", HTP_LOG_CODE_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH }, + { "REQUEST_URI_HOST_INVALID", HTP_LOG_CODE_URI_HOST_INVALID }, + { "REQUEST_HEADER_HOST_INVALID", HTP_LOG_CODE_HEADER_HOST_INVALID }, + { "REQUEST_AUTH_UNRECOGNIZED", HTP_LOG_CODE_AUTH_UNRECOGNIZED }, + { "REQUEST_HEADER_REPETITION", HTP_LOG_CODE_REQUEST_HEADER_REPETITION }, + { "RESPONSE_HEADER_REPETITION", HTP_LOG_CODE_RESPONSE_HEADER_REPETITION }, + { "DOUBLE_ENCODED_URI", HTP_LOG_CODE_DOUBLE_ENCODED_URI }, + { "URI_DELIM_NON_COMPLIANT", HTP_LOG_CODE_URI_DELIM_NON_COMPLIANT }, + { "METHOD_DELIM_NON_COMPLIANT", HTP_LOG_CODE_METHOD_DELIM_NON_COMPLIANT }, + { "REQUEST_LINE_LEADING_WHITESPACE", HTP_LOG_CODE_REQUEST_LINE_LEADING_WHITESPACE }, + { "TOO_MANY_ENCODING_LAYERS", HTP_LOG_CODE_TOO_MANY_ENCODING_LAYERS }, + { "ABNORMAL_CE_HEADER", HTP_LOG_CODE_ABNORMAL_CE_HEADER }, + { "RESPONSE_MULTIPART_BYTERANGES", HTP_LOG_CODE_RESPONSE_MULTIPART_BYTERANGES }, + { "RESPONSE_ABNORMAL_TRANSFER_ENCODING", HTP_LOG_CODE_RESPONSE_ABNORMAL_TRANSFER_ENCODING }, + { "RESPONSE_CHUNKED_OLD_PROTO", HTP_LOG_CODE_RESPONSE_CHUNKED_OLD_PROTO }, + { "RESPONSE_INVALID_PROTOCOL", HTP_LOG_CODE_RESPONSE_INVALID_PROTOCOL }, + { "RESPONSE_INVALID_STATUS", HTP_LOG_CODE_RESPONSE_INVALID_STATUS }, + { "REQUEST_LINE_INCOMPLETE", HTP_LOG_CODE_REQUEST_LINE_INCOMPLETE }, + + { "LZMA_MEMLIMIT_REACHED", HTP_LOG_CODE_LZMA_MEMLIMIT_REACHED }, + { "COMPRESSION_BOMB", HTP_LOG_CODE_COMPRESSION_BOMB }, { "RANGE_INVALID", HTTP_DECODER_EVENT_RANGE_INVALID }, { "REQUEST_CHUNK_EXTENSION", HTTP_DECODER_EVENT_REQUEST_CHUNK_EXTENSION }, @@ -562,81 +559,73 @@ struct { const char *msg; uint8_t de; } htp_errors[] = { - { "GZip decompressor: inflateInit2 failed", HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED }, - { "Request field invalid: colon missing", HTTP_DECODER_EVENT_REQUEST_FIELD_MISSING_COLON }, - { "Response field invalid: missing colon", HTTP_DECODER_EVENT_RESPONSE_FIELD_MISSING_COLON }, - { "Request chunk encoding: Invalid chunk length", - HTTP_DECODER_EVENT_INVALID_REQUEST_CHUNK_LEN }, - { "Response chunk encoding: Invalid chunk length", - HTTP_DECODER_EVENT_INVALID_RESPONSE_CHUNK_LEN }, + { "GZip decompressor: inflateInit2 failed", HTP_LOG_CODE_GZIP_DECOMPRESSION_FAILED }, + { "Request field invalid: colon missing", HTP_LOG_CODE_REQUEST_FIELD_MISSING_COLON }, + { "Response field invalid: missing colon", HTP_LOG_CODE_RESPONSE_FIELD_MISSING_COLON }, + { "Request chunk encoding: Invalid chunk length", HTP_LOG_CODE_INVALID_REQUEST_CHUNK_LEN }, + { "Response chunk encoding: Invalid chunk length", HTP_LOG_CODE_INVALID_RESPONSE_CHUNK_LEN }, /* { "Invalid T-E value in request", - HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST}, <- tx flag + HTP_LOG_CODE_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST}, <- tx flag HTP_FLAGS_REQUEST_INVALID_T_E { "Invalid T-E value in response", - HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE}, <- nothing to replace it */ + HTP_LOG_CODE_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE}, <- nothing to replace it */ /* { "Invalid C-L field in request", - HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST}, <- tx flag + HTP_LOG_CODE_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST}, <- tx flag HTP_FLAGS_REQUEST_INVALID_C_L */ - { "Invalid C-L field in response", - HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE }, - { "Already seen 100-Continue", HTTP_DECODER_EVENT_100_CONTINUE_ALREADY_SEEN }, - { "Unable to match response to request", - HTTP_DECODER_EVENT_UNABLE_TO_MATCH_RESPONSE_TO_REQUEST }, - { "Invalid server port information in request", - HTTP_DECODER_EVENT_INVALID_SERVER_PORT_IN_REQUEST }, - /* { "Invalid authority port", HTTP_DECODER_EVENT_INVALID_AUTHORITY_PORT}, htp no longer + { "Invalid C-L field in response", HTP_LOG_CODE_INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE }, + { "Already seen 100-Continue", HTP_LOG_CODE_CONTINUE_ALREADY_SEEN }, + { "Unable to match response to request", HTP_LOG_CODE_UNABLE_TO_MATCH_RESPONSE_TO_REQUEST }, + { "Invalid server port information in request", HTP_LOG_CODE_INVALID_SERVER_PORT_IN_REQUEST }, + /* { "Invalid authority port", HTP_LOG_CODE_INVALID_AUTHORITY_PORT}, htp no longer returns this error */ - { "Request buffer over", HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG }, - { "Response buffer over", HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG }, + { "Request buffer over", HTP_LOG_CODE_REQUEST_FIELD_TOO_LONG }, + { "Response buffer over", HTP_LOG_CODE_RESPONSE_FIELD_TOO_LONG }, { "C-T multipart/byteranges in responses not supported", - HTTP_DECODER_EVENT_RESPONSE_MULTIPART_BYTERANGES }, - { "Compression bomb:", HTTP_DECODER_EVENT_COMPRESSION_BOMB }, + HTP_LOG_CODE_RESPONSE_MULTIPART_BYTERANGES }, + { "Compression bomb:", HTP_LOG_CODE_COMPRESSION_BOMB }, }; struct { const char *msg; uint8_t de; } htp_warnings[] = { - { "GZip decompressor:", HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED }, - { "Request field invalid", HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID }, - { "Response field invalid", HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID }, - { "Request header name is not a token", HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID }, - { "Response header name is not a token", HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID }, + { "GZip decompressor:", HTP_LOG_CODE_GZIP_DECOMPRESSION_FAILED }, + { "Request field invalid", HTP_LOG_CODE_REQUEST_HEADER_INVALID }, + { "Response field invalid", HTP_LOG_CODE_RESPONSE_HEADER_INVALID }, + { "Request header name is not a token", HTP_LOG_CODE_REQUEST_HEADER_INVALID }, + { "Response header name is not a token", HTP_LOG_CODE_RESPONSE_HEADER_INVALID }, /* { "Host information in request headers required by HTTP/1.1", - HTTP_DECODER_EVENT_MISSING_HOST_HEADER}, <- tx flag HTP_FLAGS_HOST_MISSING { "Host - information ambiguous", HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS}, <- tx flag + HTP_LOG_CODE_MISSING_HOST_HEADER}, <- tx flag HTP_FLAGS_HOST_MISSING { "Host + information ambiguous", HTP_LOG_CODE_HOST_HEADER_AMBIGUOUS}, <- tx flag HTP_FLAGS_HOST_AMBIGUOUS */ - { "Invalid request field folding", HTTP_DECODER_EVENT_INVALID_REQUEST_FIELD_FOLDING }, - { "Invalid response field folding", HTTP_DECODER_EVENT_INVALID_RESPONSE_FIELD_FOLDING }, + { "Invalid request field folding", HTP_LOG_CODE_INVALID_REQUEST_FIELD_FOLDING }, + { "Invalid response field folding", HTP_LOG_CODE_INVALID_RESPONSE_FIELD_FOLDING }, /* line is now: htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Request server port=%d number * differs from the actual TCP port=%d", port, connp->conn->server_port); luckily, "Request * server port=" is unique */ /* { "Request server port number differs from the actual TCP port", - HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH}, */ - { "Request server port=", HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH }, - { "Request line: URI contains non-compliant delimiter", - HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT }, + HTP_LOG_CODE_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH}, */ + { "Request server port=", HTP_LOG_CODE_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH }, + { "Request line: URI contains non-compliant delimiter", HTP_LOG_CODE_URI_DELIM_NON_COMPLIANT }, { "Request line: non-compliant delimiter between Method and URI", - HTTP_DECODER_EVENT_METHOD_DELIM_NON_COMPLIANT }, - { "Request line: leading whitespace", HTTP_DECODER_EVENT_REQUEST_LINE_LEADING_WHITESPACE }, - { "Too many response content encoding layers", HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS }, - { "C-E gzip has abnormal value", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER }, - { "C-E deflate has abnormal value", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER }, - { "C-E unknown setting", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER }, - { "Excessive request header repetitions", HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION }, - { "Excessive response header repetitions", HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION }, + HTP_LOG_CODE_METHOD_DELIM_NON_COMPLIANT }, + { "Request line: leading whitespace", HTP_LOG_CODE_REQUEST_LINE_LEADING_WHITESPACE }, + { "Too many response content encoding layers", HTP_LOG_CODE_TOO_MANY_ENCODING_LAYERS }, + { "C-E gzip has abnormal value", HTP_LOG_CODE_ABNORMAL_CE_HEADER }, + { "C-E deflate has abnormal value", HTP_LOG_CODE_ABNORMAL_CE_HEADER }, + { "C-E unknown setting", HTP_LOG_CODE_ABNORMAL_CE_HEADER }, + { "Excessive request header repetitions", HTP_LOG_CODE_REQUEST_HEADER_REPETITION }, + { "Excessive response header repetitions", HTP_LOG_CODE_RESPONSE_HEADER_REPETITION }, { "Transfer-encoding has abnormal chunked value", - HTTP_DECODER_EVENT_RESPONSE_ABNORMAL_TRANSFER_ENCODING }, + HTP_LOG_CODE_RESPONSE_ABNORMAL_TRANSFER_ENCODING }, { "Chunked transfer-encoding on HTTP/0.9 or HTTP/1.0", - HTTP_DECODER_EVENT_RESPONSE_CHUNKED_OLD_PROTO }, - { "Invalid response line: invalid protocol", HTTP_DECODER_EVENT_RESPONSE_INVALID_PROTOCOL }, - { "Invalid response line: invalid response status", - HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS }, - { "Request line incomplete", HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE }, - { "Unexpected request body", HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED }, - { "LZMA decompressor: memory limit reached", HTTP_DECODER_EVENT_LZMA_MEMLIMIT_REACHED }, - { "Ambiguous request C-L value", HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST }, - { "Ambiguous response C-L value", - HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE }, + HTP_LOG_CODE_RESPONSE_CHUNKED_OLD_PROTO }, + { "Invalid response line: invalid protocol", HTP_LOG_CODE_RESPONSE_INVALID_PROTOCOL }, + { "Invalid response line: invalid response status", HTP_LOG_CODE_RESPONSE_INVALID_STATUS }, + { "Request line incomplete", HTP_LOG_CODE_REQUEST_LINE_INCOMPLETE }, + { "Unexpected request body", HTP_LOG_CODE_REQUEST_BODY_UNEXPECTED }, + { "LZMA decompressor: memory limit reached", HTP_LOG_CODE_LZMA_MEMLIMIT_REACHED }, + { "Ambiguous request C-L value", HTP_LOG_CODE_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST }, + { "Ambiguous response C-L value", HTP_LOG_CODE_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE }, { "Request chunk extension", HTTP_DECODER_EVENT_REQUEST_CHUNK_EXTENSION }, { "Request line: missing protocol", HTTP_DECODER_EVENT_REQUEST_LINE_MISSING_PROTOCOL }, { "Too many request headers", HTTP_DECODER_EVENT_REQUEST_TOO_MANY_HEADERS }, @@ -740,7 +729,7 @@ static void HTPHandleError(HtpState *s, const uint8_t dir) if (id == 0) { id = HTPHandleWarningGetId(log->msg); if (id == 0) - id = HTTP_DECODER_EVENT_UNKNOWN_ERROR; + id = HTP_LOG_CODE_UNKNOWN; } if (id > 0) { @@ -765,29 +754,24 @@ static inline void HTPErrorCheckTxRequestFlags(HtpState *s, const htp_tx_t *tx) if (htp_tx_flags(tx) & HTP_FLAGS_REQUEST_INVALID_T_E) HTPSetEvent(s, htud, STREAM_TOSERVER, - HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST); + HTP_LOG_CODE_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST); if (htp_tx_flags(tx) & HTP_FLAGS_REQUEST_INVALID_C_L) - HTPSetEvent(s, htud, STREAM_TOSERVER, - HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST); + HTPSetEvent( + s, htud, STREAM_TOSERVER, HTP_LOG_CODE_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST); if (htp_tx_flags(tx) & HTP_FLAGS_HOST_MISSING) - HTPSetEvent(s, htud, STREAM_TOSERVER, - HTTP_DECODER_EVENT_MISSING_HOST_HEADER); + HTPSetEvent(s, htud, STREAM_TOSERVER, HTP_LOG_CODE_MISSING_HOST_HEADER); if (htp_tx_flags(tx) & HTP_FLAGS_HOST_AMBIGUOUS) - HTPSetEvent(s, htud, STREAM_TOSERVER, - HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS); + HTPSetEvent(s, htud, STREAM_TOSERVER, HTP_LOG_CODE_HOST_HEADER_AMBIGUOUS); if (htp_tx_flags(tx) & HTP_FLAGS_HOSTU_INVALID) - HTPSetEvent(s, htud, STREAM_TOSERVER, - HTTP_DECODER_EVENT_URI_HOST_INVALID); + HTPSetEvent(s, htud, STREAM_TOSERVER, HTP_LOG_CODE_URI_HOST_INVALID); if (htp_tx_flags(tx) & HTP_FLAGS_HOSTH_INVALID) - HTPSetEvent(s, htud, STREAM_TOSERVER, - HTTP_DECODER_EVENT_HEADER_HOST_INVALID); + HTPSetEvent(s, htud, STREAM_TOSERVER, HTP_LOG_CODE_HEADER_HOST_INVALID); } if (htp_tx_request_auth_type(tx) == HTP_AUTH_TYPE_UNRECOGNIZED) { HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx); if (htud == NULL) return; - HTPSetEvent(s, htud, STREAM_TOSERVER, - HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED); + HTPSetEvent(s, htud, STREAM_TOSERVER, HTP_LOG_CODE_AUTH_UNRECOGNIZED); } if (htp_tx_is_protocol_0_9(tx) && htp_tx_request_method_number(tx) == HTP_METHOD_UNKNOWN && (htp_tx_request_protocol_number(tx) == HTP_PROTOCOL_INVALID || @@ -795,8 +779,7 @@ static inline void HTPErrorCheckTxRequestFlags(HtpState *s, const htp_tx_t *tx) HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx); if (htud == NULL) return; - HTPSetEvent(s, htud, STREAM_TOSERVER, - HTTP_DECODER_EVENT_REQUEST_LINE_INVALID); + HTPSetEvent(s, htud, STREAM_TOSERVER, HTP_LOG_CODE_REQUEST_BODY_UNEXPECTED); } } @@ -1309,7 +1292,7 @@ static int HtpRequestBodyHandlePOSTorPUT(HtpState *hstate, HtpTxUserData *htud, if (filename_len > SC_FILENAME_MAX) { // explicitly truncate the file name if too long filename_len = SC_FILENAME_MAX; - HTPSetEvent(hstate, htud, STREAM_TOSERVER, HTTP_DECODER_EVENT_FILE_NAME_TOO_LONG); + HTPSetEvent(hstate, htud, STREAM_TOSERVER, HTP_LOG_CODE_REQUEST_LINE_INVALID); } result = HTPFileOpen(hstate, htud, filename, (uint16_t)filename_len, data, data_len, STREAM_TOSERVER); @@ -1385,7 +1368,7 @@ static int HtpResponseBodyHandle(HtpState *hstate, HtpTxUserData *htud, const ht if (filename_len > SC_FILENAME_MAX) { // explicitly truncate the file name if too long filename_len = SC_FILENAME_MAX; - HTPSetEvent(hstate, htud, STREAM_TOSERVER, HTTP_DECODER_EVENT_FILE_NAME_TOO_LONG); + HTPSetEvent(hstate, htud, STREAM_TOSERVER, HTP_LOG_CODE_REQUEST_LINE_INVALID); } if (h_content_range != NULL) { result = HTPFileOpenWithRange(hstate, htud, filename, (uint16_t)filename_len, data, @@ -1988,8 +1971,7 @@ static int HTPCallbackDoubleDecodeUriPart(htp_tx_t *tx, bstr *part) HtpState *s = htp_connp_get_user_data(tx->connp); if (s == NULL) return HTP_STATUS_OK; - HTPSetEvent(s, htud, STREAM_TOSERVER, - HTTP_DECODER_EVENT_DOUBLE_ENCODED_URI); + HTPSetEvent(s, htud, STREAM_TOSERVER, HTP_LOG_CODE_DOUBLE_ENCODED_URI); } return HTP_STATUS_OK; @@ -5098,7 +5080,7 @@ libhtp:\n\ PASS; } -/** \test Test really long request, this should result in HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG */ +/** \test Test really long request, this should result in HTP_LOG_CODE_REQUEST_FIELD_TOO_LONG */ static int HTPParserTest14(void) { size_t len = 18887; @@ -5180,7 +5162,7 @@ libhtp:\n\ AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP1, txtmp); FAIL_IF_NULL(decoder_events); - FAIL_IF(decoder_events->events[0] != HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG); + FAIL_IF(decoder_events->events[0] != HTP_LOG_CODE_REQUEST_FIELD_TOO_LONG); AppLayerParserThreadCtxFree(alp_tctx); StreamTcpFreeConfig(true); @@ -5292,7 +5274,7 @@ libhtp:\n\ PASS; } -/** \test Test unusual delims in request line HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG */ +/** \test Test unusual delims in request line HTP_LOG_CODE_REQUEST_FIELD_TOO_LONG */ static int HTPParserTest16(void) { Flow *f = NULL; @@ -5340,8 +5322,8 @@ static int HTPParserTest16(void) AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP1, txtmp); FAIL_IF_NULL(decoder_events); - FAIL_IF(decoder_events->events[0] != HTTP_DECODER_EVENT_METHOD_DELIM_NON_COMPLIANT); - FAIL_IF(decoder_events->events[1] != HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT); + FAIL_IF(decoder_events->events[0] != HTP_LOG_CODE_METHOD_DELIM_NON_COMPLIANT); + FAIL_IF(decoder_events->events[1] != HTP_LOG_CODE_URI_DELIM_NON_COMPLIANT); #endif diff --git a/src/app-layer-htp.h b/src/app-layer-htp.h index 0400818149..a7e3dee6e8 100644 --- a/src/app-layer-htp.h +++ b/src/app-layer-htp.h @@ -37,44 +37,6 @@ #include "app-layer-frames.h" #include -// Temporary include directly app-layer-htp-libhtp.h -// This helps libhtp.rs transition by making small steps -// app-layer-htp-libhtp.h will be removed with libhtp.rs final merge -#include "app-layer-htp-libhtp.h" - -/* default request body limit */ -#define HTP_CONFIG_DEFAULT_REQUEST_BODY_LIMIT 4096U -#define HTP_CONFIG_DEFAULT_RESPONSE_BODY_LIMIT 4096U -#define HTP_CONFIG_DEFAULT_REQUEST_INSPECT_MIN_SIZE 32768U -#define HTP_CONFIG_DEFAULT_REQUEST_INSPECT_WINDOW 4096U -#define HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_MIN_SIZE 32768U -#define HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_WINDOW 4096U -#define HTP_CONFIG_DEFAULT_FIELD_LIMIT_SOFT 9000U -#define HTP_CONFIG_DEFAULT_FIELD_LIMIT_HARD 18000U - -#define HTP_CONFIG_DEFAULT_LZMA_LAYERS 0U -/* default libhtp lzma limit, taken from libhtp. */ -#define HTP_CONFIG_DEFAULT_LZMA_MEMLIMIT 1048576U -#define HTP_CONFIG_DEFAULT_COMPRESSION_BOMB_LIMIT 1048576U -// 100000 usec is 0.1 sec -#define HTP_CONFIG_DEFAULT_COMPRESSION_TIME_LIMIT 100000 - -#define HTP_CONFIG_DEFAULT_RANDOMIZE 1 -#define HTP_CONFIG_DEFAULT_RANDOMIZE_RANGE 10 - -// 0x0001 not used -#define HTP_FLAG_STATE_CLOSED_TS 0x0002 /**< Flag to indicate that HTTP - connection is closed */ -#define HTP_FLAG_STATE_CLOSED_TC \ - 0x0004 /**< Flag to indicate that HTTP \ - connection is closed */ - -enum { - HTP_BODY_REQUEST_NONE = 0, - HTP_BODY_REQUEST_MULTIPART, /* POST, MP */ - HTP_BODY_REQUEST_POST, /* POST, no MP */ - HTP_BODY_REQUEST_PUT, -}; enum { /* libhtp errors/warnings */ @@ -143,6 +105,46 @@ enum { HTTP_DECODER_EVENT_FAILED_PROTOCOL_CHANGE, }; +// Temporary include directly app-layer-htp-libhtp.h +// This helps libhtp.rs transition by making small steps +// app-layer-htp-libhtp.h will be removed with libhtp.rs final merge +#include "app-layer-htp-libhtp.h" + +/* default request body limit */ +#define HTP_CONFIG_DEFAULT_REQUEST_BODY_LIMIT 4096U +#define HTP_CONFIG_DEFAULT_RESPONSE_BODY_LIMIT 4096U +#define HTP_CONFIG_DEFAULT_REQUEST_INSPECT_MIN_SIZE 32768U +#define HTP_CONFIG_DEFAULT_REQUEST_INSPECT_WINDOW 4096U +#define HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_MIN_SIZE 32768U +#define HTP_CONFIG_DEFAULT_RESPONSE_INSPECT_WINDOW 4096U +#define HTP_CONFIG_DEFAULT_FIELD_LIMIT_SOFT 9000U +#define HTP_CONFIG_DEFAULT_FIELD_LIMIT_HARD 18000U + +#define HTP_CONFIG_DEFAULT_LZMA_LAYERS 0U +/* default libhtp lzma limit, taken from libhtp. */ +#define HTP_CONFIG_DEFAULT_LZMA_MEMLIMIT 1048576U +#define HTP_CONFIG_DEFAULT_COMPRESSION_BOMB_LIMIT 1048576U +// 100000 usec is 0.1 sec +#define HTP_CONFIG_DEFAULT_COMPRESSION_TIME_LIMIT 100000 + +#define HTP_CONFIG_DEFAULT_RANDOMIZE 1 +#define HTP_CONFIG_DEFAULT_RANDOMIZE_RANGE 10 + +// 0x0001 not used +#define HTP_FLAG_STATE_CLOSED_TS \ + 0x0002 /**< Flag to indicate that HTTP \ + connection is closed */ +#define HTP_FLAG_STATE_CLOSED_TC \ + 0x0004 /**< Flag to indicate that HTTP \ + connection is closed */ + +enum { + HTP_BODY_REQUEST_NONE = 0, + HTP_BODY_REQUEST_MULTIPART, /* POST, MP */ + HTP_BODY_REQUEST_POST, /* POST, no MP */ + HTP_BODY_REQUEST_PUT, +}; + typedef enum HtpSwfCompressType_ { HTTP_SWF_COMPRESSION_NONE = 0, HTTP_SWF_COMPRESSION_ZLIB,