From: Jaime Andres Castillo Leon -X (jaimeaca - SOFTSERVE INC at Cisco) Date: Tue, 30 Jul 2024 15:30:11 +0000 (+0000) Subject: Pull request #4401: http_inspect: add peg counts for gzip, known-not-supported, and... X-Git-Tag: 3.3.3.0~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f466bf32b9b76a0e68015a8b8633097a7b2362c0;p=thirdparty%2Fsnort3.git Pull request #4401: http_inspect: add peg counts for gzip, known-not-supported, and unknown Merge in SNORT/snort3 from ~JAIMEACA/snort3:US-750344-compression_pegs to master Squashed commit of the following: commit a02f4c8ea7dca6fca4fcc1495a0dc4bfdf642406 Author: Jaime Andres Castillo Leon -X (jaimeaca - SOFTSERVE INC at Cisco) Date: Mon Jul 29 10:30:20 2024 -0400 http_inspect: add peg counts for gzip, known-not-supported, and unknown
---
diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h
index b9d3d85da..4c5be4a88 100755
--- a/src/service_inspectors/http_inspect/http_enum.h
+++ b/src/service_inspectors/http_inspect/http_enum.h
@@ -68,7 +68,8 @@ enum PEG_COUNT { PEG_FLOW = 0, PEG_SCAN, PEG_REASSEMBLE, PEG_INSPECT, PEG_REQUES
 PEG_CONCURRENT_SESSIONS, PEG_MAX_CONCURRENT_SESSIONS, PEG_SCRIPT_DETECTION, PEG_PARTIAL_INSPECT, PEG_EXCESS_PARAMS, PEG_PARAMS, PEG_CUTOVERS, PEG_SSL_SEARCH_ABND_EARLY, PEG_PIPELINED_FLOWS, PEG_PIPELINED_REQUESTS, PEG_TOTAL_BYTES, PEG_JS_INLINE, PEG_JS_EXTERNAL,
- PEG_JS_PDF, PEG_SKIP_MIME_ATTACH, PEG_COUNT_MAX };
+ PEG_JS_PDF, PEG_SKIP_MIME_ATTACH, PEG_COMPRESSED_GZIP, PEG_COMPRESSED_NOT_SUPPORTED,
+ PEG_COMPRESSED_UNKNOWN, PEG_COUNT_MAX};
 // Result of scanning by splitter
 enum ScanResult { SCAN_NOT_FOUND, SCAN_NOT_FOUND_ACCELERATE, SCAN_FOUND, SCAN_FOUND_PIECE,
diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc
index 40e0028c9..648a8b355 100755
--- a/src/service_inspectors/http_inspect/http_msg_header.cc
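Review bot: The added closing `PEG_COUNT_MAX};` drops the space before the brace that both the removed line `PEG_COUNT_MAX };` and the opening `enum PEG_COUNT { PEG_FLOW` carry; `PEG_COMPRESSED_UNKNOWN, PEG_COUNT_MAX };` keeps the enum's existing spacing. Beyond style, `HttpModule::peg_names` in http_tables.cc is sized `[PEG_COUNT_MAX+1]` and its rows are positional, so the three new enumerators must stay in the same relative order there (gzip, not-supported, unknown); this commit does keep the two in step, but as far as the hunks show nothing checks that correspondence at compile time. If the enum does not already carry one, a comment such as `// order must match HttpModule::peg_names in http_tables.cc` above `enum PEG_COUNT` would make the coupling visible to whoever appends the next peg.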
+++ b/src/service_inspectors/http_inspect/http_msg_header.cc
@@ -609,6 +609,7 @@ void HttpMsgHeader::setup_encoding_decompression()
 {
 case CONTENTCODE_GZIP:
 case CONTENTCODE_X_GZIP:
+ HttpModule::increment_peg_counts(PEG_COMPRESSED_GZIP);
 compression = CMP_GZIP;
 break;
 case CONTENTCODE_DEFLATE:
@@ -622,11 +623,13 @@ void HttpMsgHeader::setup_encoding_decompression()
 break;
 case CONTENTCODE__OTHER:
 // The ones we never heard of
+ HttpModule::increment_peg_counts(PEG_COMPRESSED_UNKNOWN);
 add_infraction(INF_UNKNOWN_ENCODING);
 create_event(EVENT_UNKNOWN_ENCODING);
 break;
 default:
 // The ones we know by name but don't support
+ HttpModule::increment_peg_counts(PEG_COMPRESSED_NOT_SUPPORTED);
 add_infraction(INF_UNSUPPORTED_ENCODING);
 create_event(EVENT_UNSUPPORTED_ENCODING);
 break;
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc
index f49a83955..5cc31714d 100755
--- a/src/service_inspectors/http_inspect/http_tables.cc
+++ b/src/service_inspectors/http_inspect/http_tables.cc
@@ -389,6 +389,9 @@ const PegInfo HttpModule::peg_names[PEG_COUNT_MAX+1] =
 { CountType::SUM, "js_external_scripts", "total number of external JavaScripts processed" },
 { CountType::SUM, "js_pdf_scripts", "total number of PDF files processed" },
 { CountType::SUM, "skip_mime_attach", "total number of HTTP requests with too many MIME attachments to inspect" },
+ { CountType::SUM, "compressed_gzip", "total number of HTTP bodies compressed with GZIP" },
+ { CountType::SUM, "compressed_not_supported", "total number of HTTP bodies compressed with known but not supported methods" },
+ { CountType::SUM, "compressed_unknown", "total number of HTTP bodies compressed with unknown methods" },
 { CountType::END, nullptr, nullptr }
 };
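Review bot: The new `compressed_*` pegs are incremented inside `HttpMsgHeader::setup_encoding_decompression()` at the point a Content-Encoding token is classified, not where a body is handed to the decompressor, so they count header declarations rather than the "HTTP bodies" the help strings added in http_tables.cc describe: as far as the hunk shows, a message whose header names gzip but carries no body would still bump `PEG_COMPRESSED_GZIP`, and if the enclosing code walks a multi-token Content-Encoding list (the function body starts and ends outside both hunks) each recognised token is counted separately. The same applies to the `PEG_COMPRESSED_UNKNOWN` and `PEG_COMPRESSED_NOT_SUPPORTED` increments in the second hunk of this file. Either move the increments to where decompression of a body actually begins, or reword the three help strings to match what is measured, e.g. `"total number of HTTP messages declaring GZIP content encoding"`. The unknown/not-supported counters are the operationally useful ones, since they show how much traffic reaches detection without being decompressed; a help string that says so would make the pegs easier to act on.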