http: add new events for invalid host header and host part of uri
authorVictor Julien <victor@inliniac.net>
Tue, 1 Oct 2013 12:08:36 +0000 (14:08 +0200)
committerVictor Julien <victor@inliniac.net>
Thu, 3 Oct 2013 05:04:36 +0000 (07:04 +0200)
rules/http-events.rules
src/app-layer-htp.c
src/app-layer-htp.h

index e17641857fba30edcb9fd0ee484de281eb2b0bb6..d5bb0f19a7e05be913a8a6442a1cd8284e8aa122 100644 (file)
@@ -37,5 +37,10 @@ alert http any any -> any any (msg:"SURICATA HTTP multipart no filedata"; flow:e
 alert http any any -> any any (msg:"SURICATA HTTP multipart invalid header"; flow:established,to_server; app-layer-event:http.multipart_invalid_header; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221024; rev:1;)
 # Warn when the port in the Host: header doesn't match the actual TCP Server port.
 alert http any any -> any any (msg:"SURICATA HTTP request server port doesn't match TCP port"; flow:established,to_server; app-layer-event:http.request_server_port_tcp_port_mismatch; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221026; rev:1;)
-# next sid 2221026
+# Host part of URI is invalid
+alert http any any -> any any (msg:"SURICATA HTTP Host part of URI is invalid"; flow:established,to_server; app-layer-event:http.request_uri_host_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221027; rev:1;)
+# Host header is invalid
+alert http any any -> any any (msg:"SURICATA HTTP Host header invalid"; flow:established,to_server; app-layer-event:http.request_header_host_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221028; rev:1;)
+
+# next sid 2221029
 
index f1d728c1aa031f912f0e0c0fe398a71e1b6f9b1b..8f80b6122675eed17efde919d52b66b38685b63f 100644 (file)
@@ -139,6 +139,11 @@ SCEnumCharMap http_decoder_event_table[ ] = {
         HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG},
     { "REQUEST_SERVER_PORT_TCP_PORT_MISMATCH",
         HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH},
+    { "REQUEST_URI_HOST_INVALID",
+        HTTP_DECODER_EVENT_URI_HOST_INVALID},
+    { "REQUEST_HEADER_HOST_INVALID",
+        HTTP_DECODER_EVENT_HEADER_HOST_INVALID},
+
     /* suricata warnings/errors */
     { "MULTIPART_GENERIC_ERROR",
         HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR},
@@ -564,7 +569,8 @@ static inline void HTPErrorCheckTxRequestFlags(HtpState *s, htp_tx_t *tx)
     BUG_ON(s == NULL || tx == NULL);
 #endif
     if (tx->flags & (   HTP_REQUEST_INVALID_T_E|HTP_REQUEST_INVALID_C_L|
-                        HTP_HOST_MISSING|HTP_HOST_AMBIGUOUS))
+                        HTP_HOST_MISSING|HTP_HOST_AMBIGUOUS|HTP_HOSTU_INVALID|
+                        HTP_HOSTH_INVALID))
     {
         if (tx->flags & HTP_REQUEST_INVALID_T_E)
             AppLayerDecoderEventsSetEvent(s->f,
@@ -578,6 +584,12 @@ static inline void HTPErrorCheckTxRequestFlags(HtpState *s, htp_tx_t *tx)
         if (tx->flags & HTP_HOST_AMBIGUOUS)
             AppLayerDecoderEventsSetEvent(s->f,
                     HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS);
+        if (tx->flags & HTP_HOSTU_INVALID)
+            AppLayerDecoderEventsSetEvent(s->f,
+                    HTTP_DECODER_EVENT_URI_HOST_INVALID);
+        if (tx->flags & HTP_HOSTH_INVALID)
+            AppLayerDecoderEventsSetEvent(s->f,
+                    HTTP_DECODER_EVENT_HEADER_HOST_INVALID);
     }
 }
 
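Review bot: The new enum constants drop the REQUEST_ prefix that their table strings and the neighbouring entry keep: "REQUEST_URI_HOST_INVALID" maps to `HTTP_DECODER_EVENT_URI_HOST_INVALID` and "REQUEST_HEADER_HOST_INVALID" to `HTTP_DECODER_EVENT_HEADER_HOST_INVALID`, whereas "REQUEST_SERVER_PORT_TCP_PORT_MISMATCH" maps to `HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH`. Renaming them to `HTTP_DECODER_EVENT_REQUEST_URI_HOST_INVALID` and `HTTP_DECODER_EVENT_REQUEST_HEADER_HOST_INVALID` in this table, in the two AppLayerDecoderEventsSetEvent() calls in HTPErrorCheckTxRequestFlags, and in the enum hunk of src/app-layer-htp.h keeps the one-to-one, grep-able correspondence between rule event name, table string and constant. The empty line added just before the `/* suricata warnings/errors */` comment in the table looks unintended. HTP_HOSTU_INVALID and HTP_HOSTH_INVALID are libhtp transaction flags, so this change presumably raises the minimum libhtp version the file builds against; if so, the build check or a short comment next to the mask should say so. HTPErrorCheckTxRequestFlags starts before its first hunk.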
index 126e98d247a9fc136e055860f48ebb3ab7e0da71..7785bf01c98297cd7e004ebec3acc804d90a7d25 100644 (file)
@@ -113,6 +113,8 @@ enum {
     HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG,
     HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG,
     HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH,
+    HTTP_DECODER_EVENT_URI_HOST_INVALID,
+    HTTP_DECODER_EVENT_HEADER_HOST_INVALID,
 
     /* suricata errors/warnings */
     HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,