http: event on request line missing protocol

Ticket: 6856
2 years ago · 45bb936187
parent 8284df3ed4
commit 45bb936187
3 changed files with 6 additions and 1 deletions
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@ -91,4 +91,6 @@ alert http any any -> any any (msg:"SURICATA HTTP failed protocol change"; flow:

 #alert http any any -> any any (msg:"SURICATA HTTP request chunk extension"; flow:established; app-layer-event:http.request_chunk_extension; classtype:protocol-command-decode; sid:2221054; rev:1;)

-# next sid 2221055
+alert http any any -> any any (msg:"SURICATA HTTP request missing protocol"; flow:established,to_server; app-layer-event:http.request_line_missing_protocol; classtype:protocol-command-decode; sid:2221055; rev:1;)
+
+# next sid 2221056
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@ -167,6 +167,7 @@ SCEnumCharMap http_decoder_event_table[] = {

    { "RANGE_INVALID", HTTP_DECODER_EVENT_RANGE_INVALID },
    { "REQUEST_CHUNK_EXTENSION", HTTP_DECODER_EVENT_REQUEST_CHUNK_EXTENSION },
+    { "REQUEST_LINE_MISSING_PROTOCOL", HTTP_DECODER_EVENT_REQUEST_LINE_MISSING_PROTOCOL },

    /* suricata warnings/errors */
    { "MULTIPART_GENERIC_ERROR", HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR },
@ -642,6 +643,7 @@ struct {
    { "Ambiguous response C-L value",
            HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE },
    { "Request chunk extension", HTTP_DECODER_EVENT_REQUEST_CHUNK_EXTENSION },
+    { "Request line: missing protocol", HTTP_DECODER_EVENT_REQUEST_LINE_MISSING_PROTOCOL },
 };

 #define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@ -128,6 +128,7 @@ enum {

    HTTP_DECODER_EVENT_RANGE_INVALID,
    HTTP_DECODER_EVENT_REQUEST_CHUNK_EXTENSION,
+    HTTP_DECODER_EVENT_REQUEST_LINE_MISSING_PROTOCOL,

    /* suricata errors/warnings */
    HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,