From: Philippe Antoine Date: Tue, 5 Mar 2019 13:08:01 +0000 (+0100) Subject: New app layer event for invalid http request line X-Git-Tag: suricata-5.0.0-rc1~408 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b5f3e03209922f1029b76a1a3570a3aca91659f5;p=thirdparty%2Fsuricata.git New app layer event for invalid http request line Handles logs from libhtp even if case of error
---
diff --git a/rules/http-events.rules b/rules/http-events.rules
index e0235180d0..b3197f5547 100644
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@@ -71,5 +71,7 @@ alert http any any -> any any (msg:"SURICATA HTTP Request line incomplete"; flow
 alert http any any -> any any (msg:"SURICATA HTTP Request double encoded URI"; flow:established,to_server; app-layer-event:http.double_encoded_uri; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221043; rev:1;)
-# next sid 2221044
+alert http any any -> any any (msg:"SURICATA HTTP Invalid Request line"; flow:established,to_server; app-layer-event:http.request_line_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221044; rev:1;)
+alert http any any -> any any (msg:"SURICATA HTTP Unexpected Request body"; flow:established,to_server; app-layer-event:http.request_body_unexpected; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221045; rev:1;)
+# next sid 2221046
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index be367a8677..a8a79e0317 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -138,6 +138,10 @@ SCEnumCharMap http_decoder_event_table[ ] = {
 HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG},
 { "RESPONSE_FIELD_TOO_LONG",
 HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG},
+ { "REQUEST_LINE_INVALID",
+ HTTP_DECODER_EVENT_REQUEST_LINE_INVALID},
+ { "REQUEST_BODY_UNEXPECTED",
+ HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED},
 { "REQUEST_SERVER_PORT_TCP_PORT_MISMATCH",
 HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH},
 { "REQUEST_URI_HOST_INVALID",
@@ -539,6 +543,7 @@ struct {
 { "Invalid response line: invalid protocol", HTTP_DECODER_EVENT_RESPONSE_INVALID_PROTOCOL},
 { "Invalid response line: invalid response status", HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS},
 { "Request line incomplete", HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE},
+ { "Unexpected request body", HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED},
 };
 #define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
@@ -673,9 +678,16 @@ static inline void HTPErrorCheckTxRequestFlags(HtpState *s, htp_tx_t *tx)
 HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
 if (htud == NULL)
 return;
-
 HTPSetEvent(s, htud, HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED);
 }
+ if (tx->is_protocol_0_9 && tx->request_method_number == HTP_M_UNKNOWN &&
+ (tx->request_protocol_number == HTP_PROTOCOL_INVALID ||
+ tx->request_protocol_number == HTP_PROTOCOL_UNKNOWN)) {
+ HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
+ if (htud == NULL)
+ return;
+ HTPSetEvent(s, htud, HTTP_DECODER_EVENT_REQUEST_LINE_INVALID);
+ }
 }
 static int Setup(Flow *f, HtpState *hstate)
diff --git a/src/app-layer-htp.h b/src/app-layer-htp.h
index ca439f0335..7bc2e5f3b2 100644
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
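Review bot: The new `htp_errors` entry `{ "Unexpected request body", HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED}` is keyed on libhtp's log text, so the event silently stops firing if that wording ever changes upstream; the table is presumably consulted by the error-to-event lookup elsewhere in this file, and nothing in the hunk records that coupling. A comment on the table would make it visible to whoever next bumps libhtp, e.g. `/* message strings must match the htp_log() text emitted by libhtp exactly; a wording change there silently disables the mapped event */`. The table's declaration (`struct {`) starts before the hunk.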
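Review bot: The added branch in HTPErrorCheckTxRequestFlags pairs `tx->is_protocol_0_9` with a `request_protocol_number` of `HTP_PROTOCOL_INVALID` or `HTP_PROTOCOL_UNKNOWN`, and nothing in the hunk says which libhtp parsing path yields that combination — since libhtp also defines `HTP_PROTOCOL_0_9`, a reader may take the condition for dead code. A why-comment above it is warranted, e.g. `/* presumably libhtp's result for a request line it could not parse: no method, no usable protocol, 0.9 fallback — treat as an invalid request line */` (confirm against the libhtp version in use). The user-data fetch and NULL check now appear twice in this function; hoisting `htud` above both blocks would remove the duplication, though the function's start lies outside the hunk. Note also that a request with a legitimately unrecognised extension method and no protocol token would satisfy the same condition, so the event is a heuristic rather than a hard protocol violation, which is worth stating where it is set.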
@@ -116,6 +116,8 @@ enum {
 HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS,
 HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE,
 HTTP_DECODER_EVENT_DOUBLE_ENCODED_URI,
+ HTTP_DECODER_EVENT_REQUEST_LINE_INVALID,
+ HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED,
 /* suricata errors/warnings */
 HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,