From: Mike Stepanek (mstepane)
Date: Mon, 28 Mar 2022 12:03:02 +0000 (+0000)
Subject: Pull request #3322: http_inspect: delete alerts 119:279 and 119:280
X-Git-Tag: 3.1.27.0~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7a73d175856d57a26db6e4dff1497d9b1b26de8;p=thirdparty%2Fsnort3.git
Pull request #3322: http_inspect: delete alerts 119:279 and 119:280
Merge in SNORT/snort3 from ~OSERHIIE/snort3:js_revert_alerts to master
Squashed commit of the following:
commit 775c6d1df3daf505c2ea338af2942d607661665b
Author: Oleksandr Serhiienko
Date: Wed Mar 23 23:09:13 2022 +0200
http_inspect: delete alerts 119:279 and 119:280
* http_inspect: delete 119:279 and 119:280 alerts, use 119:109 and 119:111 instead
* doc: update builtin_stubs
---
diff --git a/doc/reference/builtin_stubs.txt b/doc/reference/builtin_stubs.txt
index eaae05481..7a3965f8b 100644
--- a/doc/reference/builtin_stubs.txt
+++ b/doc/reference/builtin_stubs.txt
@@ -867,7 +867,7 @@ HTTP response has Content-Type charset=utf-7.
 119:109
 More than one level of JavaScript obfuscation. This alert can only be generated when
-normalize_javascript configuration option is true.
+normalize_javascript configuration option is true or enhanced JavaScript normalizer is enabled.
 119:110
@@ -1299,17 +1299,6 @@ does not apply to HTTP/2 or HTTP/3 traffic.
 The HTTP message body is gzip encoded and the FEXTRA flag is set in the gzip header.
-119:279
-
-Detected nesting of unescape functions(unescape, decodeURI, decodeURIComponent) in JavaScript code.
-Indicates that this code most likely has more than one level of obfuscation. This alert is raised
-by the enhanced JavaScript normalizer.
-
-119:280
-
-Detected more than one encoding within unescape function call arguments in JavaScript code.
-This alert is raised by the enhanced JavaScript normalizer.
-
 121:1
 Invalid flag set on HTTP/2 frame header
diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h
index d6821dbbf..7e28b3fcd 100755
--- a/src/service_inspectors/http_inspect/http_enum.h
+++ b/src/service_inspectors/http_inspect/http_enum.h
@@ -294,8 +294,6 @@ enum Infraction
 INF_INVALID_SUBVERSION = 133,
 INF_VERSION_0 = 134,
 INF_GZIP_FEXTRA = 135,
- INF_JS_UNESCAPE_NEST = 136,
- INF_JS_MULTIPLE_ENC = 137,
 INF__MAX_VALUE
 };
@@ -434,8 +432,6 @@ enum EventSid
 EVENT_VERSION_0 = 276,
 EVENT_VERSION_HIGHER_THAN_1 = 277,
 EVENT_GZIP_FEXTRA = 278,
- EVENT_JS_UNESCAPE_NEST = 279,
- EVENT_JS_MULTIPLE_ENC = 280,
 EVENT__MAX_VALUE
 };
diff --git a/src/service_inspectors/http_inspect/http_js_norm.cc b/src/service_inspectors/http_inspect/http_js_norm.cc
index 671029976..deb0722f1 100644
--- a/src/service_inspectors/http_inspect/http_js_norm.cc
+++ b/src/service_inspectors/http_inspect/http_js_norm.cc
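Review bot: Deleting `EVENT_JS_UNESCAPE_NEST = 279` and `EVENT_JS_MULTIPLE_ENC = 280` from `enum EventSid` frees those SIDs, so the next alert appended after `EVENT_GZIP_FEXTRA = 278` will naturally be numbered 279 with an unrelated meaning, and any rule files, suppressions or SIEM content still written against 119:279/119:280 would then match the wrong event instead of failing loudly. Unless the project already tracks retired SIDs elsewhere, a comment at the removal point would prevent the reuse: `// 279 and 280 retired (merged into 109 and 111); do not reuse`. The same note applies to `INF_JS_UNESCAPE_NEST = 136` / `INF_JS_MULTIPLE_ENC = 137` in `enum Infraction` if infraction numbers are persisted or exposed anywhere, which I cannot tell from this hunk.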
@@ -216,13 +216,13 @@ void HttpJsNorm::do_external(const Field& input, Field& output,
 if (js_ctx.is_unescape_nesting_seen())
 {
- *infractions += INF_JS_UNESCAPE_NEST;
- events->create_event(EVENT_JS_UNESCAPE_NEST);
+ *infractions += INF_JS_OBFUSCATION_EXCD;
+ events->create_event(EVENT_JS_OBFUSCATION_EXCD);
 }
 if (js_ctx.is_mixed_encoding_seen())
 {
- *infractions += INF_JS_MULTIPLE_ENC;
- events->create_event(EVENT_JS_MULTIPLE_ENC);
+ *infractions += INF_MIXED_ENCODINGS;
+ events->create_event(EVENT_MIXED_ENCODINGS);
 }
 if (ssn->js_built_in_event)
@@ -361,13 +361,13 @@ void HttpJsNorm::do_inline(const Field& input, Field& output,
 }
 if (js_ctx.is_unescape_nesting_seen())
 {
- *infractions += INF_JS_UNESCAPE_NEST;
- events->create_event(EVENT_JS_UNESCAPE_NEST);
+ *infractions += INF_JS_OBFUSCATION_EXCD;
+ events->create_event(EVENT_JS_OBFUSCATION_EXCD);
 }
 if (js_ctx.is_mixed_encoding_seen())
 {
- *infractions += INF_JS_MULTIPLE_ENC;
- events->create_event(EVENT_JS_MULTIPLE_ENC);
+ *infractions += INF_MIXED_ENCODINGS;
+ events->create_event(EVENT_MIXED_ENCODINGS);
 }
 script_continue = ret == JSTokenizer::SCRIPT_CONTINUE;
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc
index d68503d90..39f1dda20 100755
--- a/src/service_inspectors/http_inspect/http_tables.cc
+++ b/src/service_inspectors/http_inspect/http_tables.cc
@@ -338,8 +338,6 @@ const RuleMap HttpModule::http_events[] =
 { EVENT_VERSION_0, "HTTP version in start line is 0" },
 { EVENT_VERSION_HIGHER_THAN_1, "HTTP version in start line is higher than 1" },
 { EVENT_GZIP_FEXTRA, "HTTP gzip body with the FEXTRA flag set" },
- { EVENT_JS_UNESCAPE_NEST, "nested unescape functions in JavaScript code" },
- { EVENT_JS_MULTIPLE_ENC, "mixing of escape formats in JavaScript code" },
 { 0, nullptr }
 };
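Review bot: The two `if` blocks that raise `INF_JS_OBFUSCATION_EXCD`/`EVENT_JS_OBFUSCATION_EXCD` and `INF_MIXED_ENCODINGS`/`EVENT_MIXED_ENCODINGS` are now identical in `do_external()` and `do_inline()`; a small private helper taking the normalizer context, the infractions and the event generator would keep the two paths from drifting the next time a SID is remapped. Since 119:109 and 119:111 were documented as legacy `normalize_javascript` alerts, a one-line comment at the raise site would also explain the mapping to a reader: `// enhanced normalizer findings reuse the legacy 119:109 / 119:111 SIDs`. Both `do_external()` and `do_inline()` start and end outside the hunks, so I cannot see whether the `ssn->js_built_in_event` check that follows already de-duplicates repeated raises.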