From: Victor Julien
Date: Thu, 5 Jul 2018 08:01:47 +0000 (+0200)
Subject: http: set events for too many layers of compression
X-Git-Tag: suricata-4.1.0-rc1~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d0cded2523b0d05f5052cbea3fe258da0fd0b772;p=thirdparty%2Fsuricata.git
http: set events for too many layers of compression
libhtp would already issue warnings, but these were not mapped to events yet.
---
diff --git a/rules/http-events.rules b/rules/http-events.rules
index 3c83a68411..bd81e55925 100644
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@@ -48,5 +48,9 @@ alert http any any -> any any (msg:"SURICATA HTTP METHOD terminated by non-compl
 # Request line started with whitespace
 alert http any any -> any any (msg:"SURICATA HTTP Request line with leading whitespace"; flow:established,to_server; app-layer-event:http.request_line_leading_whitespace; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221031; rev:1;)
-# next sid 2221032
+
+alert http any any -> any any (msg:"SURICATA HTTP Request too many encoding layers"; flow:established,to_server; app-layer-event:http.too_many_encoding_layers; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221032; rev:1;)
+alert http any any -> any any (msg:"SURICATA HTTP Request abnormal Content-Encoding header"; flow:established,to_server; app-layer-event:http.abnormal_ce_header; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221033; rev:1;)
+
+# next sid 2221034
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index 2fe57f8738..1aa035f512 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
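Review bot: Both new rules are pinned to `flow:established,to_server` and label the condition "Request" in their msg, yet the libhtp warning that this same commit maps to http.too_many_encoding_layers in src/app-layer-htp.c reads "Too many response content encoding layers", and the C-E (Content-Encoding) checks feed the response-body decompressor, so these events are presumably raised on the to_client side; with the current direction filter the two rules would likely never match. Suggest `flow:established,to_client` on sid 2221032 and 2221033 and msg text "SURICATA HTTP Response too many encoding layers" / "SURICATA HTTP Response abnormal Content-Encoding header", or, if the events can also be set on request bodies, drop the direction keyword and say so in a comment above the rules. The counter update `flowint:http.anomaly.count,+,1` and the "# next sid 2221034" bump are consistent with the neighbouring rules.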
@@ -150,6 +150,10 @@ SCEnumCharMap http_decoder_event_table[ ] = {
 HTTP_DECODER_EVENT_METHOD_DELIM_NON_COMPLIANT},
 { "REQUEST_LINE_LEADING_WHITESPACE",
 HTTP_DECODER_EVENT_REQUEST_LINE_LEADING_WHITESPACE},
+ { "TOO_MANY_ENCODING_LAYERS",
+ HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS},
+ { "ABNORMAL_CE_HEADER",
+ HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
 /* suricata warnings/errors */
 { "MULTIPART_GENERIC_ERROR",
@@ -501,6 +505,10 @@ struct {
 { "Request line: URI contains non-compliant delimiter", HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT},
 { "Request line: non-compliant delimiter between Method and URI", HTTP_DECODER_EVENT_METHOD_DELIM_NON_COMPLIANT},
 { "Request line: leading whitespace", HTTP_DECODER_EVENT_REQUEST_LINE_LEADING_WHITESPACE},
+ { "Too many response content encoding layers", HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS},
+ { "C-E gzip has abnormal value", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
+ { "C-E deflate has abnormal value", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
+ { "C-E unknown setting", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
 };
 #define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
diff --git a/src/app-layer-htp.h b/src/app-layer-htp.h
index 3bf0476777..be30f07039 100644
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@@ -104,6 +104,8 @@ enum {
 HTTP_DECODER_EVENT_METHOD_DELIM_NON_COMPLIANT,
 HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT,
 HTTP_DECODER_EVENT_REQUEST_LINE_LEADING_WHITESPACE,
+ HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS,
+ HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER,
 /* suricata errors/warnings */
 HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,
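Review bot: The four rows added to the htp_errors table in the second app-layer-htp.c hunk (@@ -501,6 +505,10 @@) carry libhtp's warning text verbatim, and the surrounding entries show the table is keyed on that exact message string, so a reworded or localized message in a newer libhtp would make the event silently stop firing without any build-time signal. A comment above the new rows should make that coupling explicit, e.g. `/* verbatim libhtp log messages: keep byte-identical to the libhtp release in use, a text change here or there breaks the event mapping */`. It is also worth a one-line note that three distinct libhtp messages (gzip, deflate, unknown C-E) collapse into the single HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER, so a rule on http.abnormal_ce_header cannot tell them apart and an analyst needs the libhtp log line for the detail. The anonymous struct array that these rows belong to starts before the hunk; the matching logic that consumes it is not visible here, so whether the comparison is exact or prefix-based is inferred from the entries' form only.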