From: Tom Peters (thopeter)
Date: Thu, 26 May 2022 15:57:54 +0000 (+0000)
Subject: Pull request #3443: US 750083 http2_inspect: add alert for too long non-DATA frame
X-Git-Tag: 3.1.31.0~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb9e8abc6fe2b3c2afa3321ac79775ad3423a3f0;p=thirdparty%2Fsnort3.git
Pull request #3443: US 750083 http2_inspect: add alert for too long non-DATA frame
Merge in SNORT/snort3 from ~ADMAMOLE/snort3:alert_long_no_data_frame to master
Squashed commit of the following:
commit 59b023f3586ae55d751a4d282f572f3276fa0cdc
Author: Adrian Mamolea
Date: Fri May 20 17:13:11 2022 -0400
http2_inspect: add alert and infraction for non-Data frame too long
---
diff --git a/doc/reference/builtin_stubs.txt b/doc/reference/builtin_stubs.txt
index 123cee34f..62f0c0719 100644
--- a/doc/reference/builtin_stubs.txt
+++ b/doc/reference/builtin_stubs.txt
@@ -1459,6 +1459,10 @@ HTTP/2 HPACK table size update exceeds max value set by decoder in SETTINGS fram
 Nonempty HTTP/2 Data frame where a message body was not expected.
+121:38
+
+HTTP/2 non-Data frame longer than 63780 bytes
+
 122:1
 Basic one host to one host TCP portscan where multiple TCP ports are scanned on
diff --git a/src/service_inspectors/http2_inspect/http2_enum.h b/src/service_inspectors/http2_inspect/http2_enum.h
index 1b7371da2..466291fce 100644
--- a/src/service_inspectors/http2_inspect/http2_enum.h
+++ b/src/service_inspectors/http2_inspect/http2_enum.h
@@ -93,6 +93,7 @@ enum EventSid
 EVENT_MORE_THAN_2_TABLE_SIZE_UPDATES = 35,
 EVENT_HPACK_TABLE_SIZE_UPDATE_EXCEEDS_MAX = 36,
 EVENT_UNEXPECTED_DATA_FRAME = 37,
+ EVENT_NON_DATA_FRAME_TOO_LONG = 38,
 EVENT__MAX_VALUE
 };
@@ -149,6 +150,7 @@ enum Infraction
 INF_INVALID_WINDOW_UPDATE_FRAME = 46,
 INF_WINDOW_UPDATE_FRAME_ZERO_INCREMENT = 47,
 INF_UNEXPECTED_DATA_FRAME = 48,
+ INF_NON_DATA_FRAME_TOO_LONG = 49,
 INF__MAX_VALUE
 };
diff --git a/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc b/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc
index 854242e31..54f31faa2 100644
--- a/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc
+++ b/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc
@@ -238,7 +238,8 @@ StreamSplitter::Status Http2StreamSplitter::implement_scan(Http2FlowData* sessio
 if ((type != FT_DATA) && (frame_length + FRAME_HEADER_LENGTH > MAX_OCTETS))
 {
 // FIXIT-E long non-data frames may need to be supported
- // FIXIT-E need an alert and infraction
+ *session_data->infractions[source_id] += INF_NON_DATA_FRAME_TOO_LONG;
+ session_data->events[source_id]->create_event(EVENT_NON_DATA_FRAME_TOO_LONG);
 return StreamSplitter::ABORT;
 }
diff --git a/src/service_inspectors/http2_inspect/http2_tables.cc b/src/service_inspectors/http2_inspect/http2_tables.cc
index a62339a24..0c724274c 100644
--- a/src/service_inspectors/http2_inspect/http2_tables.cc
+++ b/src/service_inspectors/http2_inspect/http2_tables.cc
@@ -71,6 +71,7 @@ const RuleMap Http2Module::http2_events[] =
 { EVENT_HPACK_TABLE_SIZE_UPDATE_EXCEEDS_MAX, "HTTP/2 HPACK table size update exceeds max value set by decoder in SETTINGS frame" },
 { EVENT_UNEXPECTED_DATA_FRAME, "Nonempty HTTP/2 Data frame where message body not expected" },
+ { EVENT_NON_DATA_FRAME_TOO_LONG, "HTTP/2 non-Data frame longer than 63780 bytes" },
 { 0, nullptr }
 };
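Review bot: The new infraction and event are raised immediately before the unchanged `return StreamSplitter::ABORT;`, so once a non-Data frame exceeds MAX_OCTETS the splitter gives up on this flow and, if ABORT behaves here as it does elsewhere in Snort, the remainder of the stream is no longer inspected by http2_inspect; event 121:38 is then the only record that inspection stopped, and the surviving `// FIXIT-E long non-data frames may need to be supported` comment should say so. Suggested wording: `// FIXIT-E long non-data frames may need to be supported; until then the flow is abandoned here and 121:38 is the only signal of it`. Note also that the comparison includes FRAME_HEADER_LENGTH, so the alert counts the frame header as part of the length that the rule text "longer than 63780 bytes" describes. implement_scan begins and ends outside the hunk.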
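Review bot: The rule text for EVENT_NON_DATA_FRAME_TOO_LONG hard-codes `63780 bytes`, whereas the check that raises it in http2_stream_splitter_impl.cc is written as `frame_length + FRAME_HEADER_LENGTH > MAX_OCTETS`; the literal is presumably MAX_OCTETS spelled out by hand (it is repeated in builtin_stubs.txt), and nothing ties the two together if the constant ever changes. A comment on the new entry would make the coupling visible, e.g. `// NOTE: 63780 is assumed to equal MAX_OCTETS and the check counts the frame header too (http2_stream_splitter_impl.cc); keep in sync`. The http2_events array is declared outside the hunk.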