From b6b7778e2d8ab86735326fc382a61ebca744330b Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 6 May 2019 12:38:17 +0200
Subject: [PATCH] http: adds event for header repetition
---
 rules/http-events.rules | 5 ++++-
 src/app-layer-htp.c | 6 ++++++
 src/app-layer-htp.h | 2 ++
 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/rules/http-events.rules b/rules/http-events.rules
index 5d6d2875c9..c3ce564634 100644
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@@ -54,5 +54,8 @@ alert http any any -> any any (msg:"SURICATA HTTP Request abnormal Content-Encod
 alert http any any -> any any (msg:"SURICATA HTTP Request unrecognized authorization method"; flow:established,to_server; app-layer-event:http.request_auth_unrecognized; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221034; rev:1;)
-# next sid 2221035
+alert http any any -> any any (msg:"SURICATA HTTP Request excessive header repetition"; flow:established,to_server; app-layer-event:http.request_header_repetition; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221035; rev:1;)
+alert http any any -> any any (msg:"SURICATA HTTP Response excessive header repetition"; flow:established,to_client; app-layer-event:http.response_header_repetition; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221036; rev:1;)
+
+# next sid 2221037
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index 636e252454..67138bb406 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -146,6 +146,10 @@ SCEnumCharMap http_decoder_event_table[ ] = {
 HTTP_DECODER_EVENT_HEADER_HOST_INVALID},
 { "REQUEST_AUTH_UNRECOGNIZED",
 HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED},
+ { "REQUEST_HEADER_REPETITION",
+ HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION},
+ { "RESPONSE_HEADER_REPETITION",
+ HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION},
 { "URI_DELIM_NON_COMPLIANT",
 HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT},
 { "METHOD_DELIM_NON_COMPLIANT",
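Review bot: In rules/http-events.rules, neither new rule (sid 2221035, sid 2221036) records what makes a repetition "excessive", and no other part of this patch states the limit; it is presumably decided inside libhtp, which is not shown here. Someone triaging these alerts needs that figure to judge whether a hit is a noisy client or deliberately malformed traffic. I would add a comment line above the pair, along the lines of `# raised when libhtp reports that one header name repeats beyond its built-in limit`, with the actual limit filled in from the libhtp source.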
@@ -513,6 +517,8 @@ struct {
 { "C-E gzip has abnormal value", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
 { "C-E deflate has abnormal value", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
 { "C-E unknown setting", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
+ { "Excessive request header repetitions", HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION},
+ { "Excessive response header repetitions", HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION},
 };
 #define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
diff --git a/src/app-layer-htp.h b/src/app-layer-htp.h
index 17dcc84e54..cf78a96224 100644
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@@ -107,6 +107,8 @@ enum {
 HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS,
 HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER,
 HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED,
+ HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION,
+ HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION,
 /* suricata errors/warnings */
 HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,
--
2.47.2
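Review bot: The two entries added to the htp_errors table in src/app-layer-htp.c depend on the literal wording of a libhtp log message, and nothing in the patch ties them to the libhtp release that emits `Excessive request header repetitions` and `Excessive response header repetitions`. If the wording differs, or the linked libhtp predates the message, the events are presumably never set and sids 2221035/2221036 stay silent with no build or runtime error to show that the detection is missing. I would add a comment above the pair such as `/* text must match the libhtp log message; requires libhtp >= <VERSION> */` and a unit test that parses a request with many repeated headers and asserts the event is raised. The table's opening lines and the lookup code are outside the hunk, so whether the strings are compared exactly or by prefix is not visible here.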