From 5ad7198dc0896cd832a5a54158d9ebecb953d77c Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 18 Feb 2015 16:45:20 +0100
Subject: [PATCH] http: add libhtp uri warning event
Add event for libhtp warning added 0.5.17 for URI's with suspicious delimeters.
---
 rules/http-events.rules | 4 +++-
 src/app-layer-htp.c | 3 +++
 src/app-layer-htp.h | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/rules/http-events.rules b/rules/http-events.rules
index d5bb0f19a7..260ce34239 100644
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@@ -41,6 +41,8 @@ alert http any any -> any any (msg:"SURICATA HTTP request server port doesn't ma
 alert http any any -> any any (msg:"SURICATA HTTP Host part of URI is invalid"; flow:established,to_server; app-layer-event:http.request_uri_host_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221027; rev:1;)
 # Host header is invalid
 alert http any any -> any any (msg:"SURICATA HTTP Host header invalid"; flow:established,to_server; app-layer-event:http.request_header_host_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221028; rev:1;)
+# URI is terminated by non-compliant characters. RFC allows for space (0x20), but many implementations permit others like tab and more.
+alert http any any -> any any (msg:"SURICATA HTTP URI terminated by non-compliant character"; flow:established,to_server; app-layer-event:http.uri_delim_non_compliant; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221029; rev:1;)
-# next sid 2221029
+# next sid 2221030
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index b0038e20d1..316a5316d4 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -144,6 +144,8 @@ SCEnumCharMap http_decoder_event_table[ ] = {
 HTTP_DECODER_EVENT_URI_HOST_INVALID},
 { "REQUEST_HEADER_HOST_INVALID",
 HTTP_DECODER_EVENT_HEADER_HOST_INVALID},
+ { "URI_DELIM_NON_COMPLIANT",
+ HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT},
 /* suricata warnings/errors */
 { "MULTIPART_GENERIC_ERROR",
@@ -497,6 +499,7 @@ struct {
 * luckily, "Request server port=" is unique */
 /* { "Request server port number differs from the actual TCP port", HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH}, */
 { "Request server port=", HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH},
+ { "Request line: URI contains non-compliant delimiter", HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT},
 };
 #define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
diff --git a/src/app-layer-htp.h b/src/app-layer-htp.h
index 7fca45e03c..2526f30bfb 100644
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@@ -121,6 +121,7 @@ enum {
 HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH,
 HTTP_DECODER_EVENT_URI_HOST_INVALID,
 HTTP_DECODER_EVENT_HEADER_HOST_INVALID,
+ HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT,
 /* suricata errors/warnings */
 HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,
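Review bot: The new htp_errors entry in the second hunk, `{ "Request line: URI contains non-compliant delimiter", HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT},`, is a verbatim copy of a libhtp warning message, and the neighbouring comment about "Request server port=" being unique suggests these entries are matched textually against whatever the linked libhtp emits, so any wording difference between this literal and the libhtp build in use means the event, and rule sid:2221029 that depends on it, silently never fires rather than failing loudly. The commit message says the warning only exists from libhtp 0.5.17, so against an older libhtp this mapping is dead code and the detection gap is invisible to operators. I would record that at the entry, e.g. `/* emitted by libhtp >= 0.5.17; text must match libhtp's message exactly */`, and add a unit test that feeds a request line with a tab-delimited URI through the parser to confirm the event is actually raised with the libhtp version Suricata is built against. The htp_errors table definition begins above the hunk, so its matching function is not visible here and the prefix-match reading is inferred from the comment.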