From 93d121bf211e946a93c3221eadfe4c2c403afd8c Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Wed, 18 Jan 2012 20:04:07 +0100
Subject: [PATCH] Update app layer events for HTTP now that libhtp has fixes
 for some response errors.

---
 rules/http-events.rules | 5 ++++-
 src/app-layer-htp.c     | 9 ++++++++-
 src/app-layer-htp.h     | 2 ++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/rules/http-events.rules b/rules/http-events.rules
index 8e2eee9fe5..01054bdf13 100644
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@@ -9,6 +9,7 @@
 alert http any any -> any any (msg:"SURICATA HTTP unknown error"; flow:established; app-layer-event:http.unknown_error; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221000; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP gzip decompression failed"; flow:established; app-layer-event:http.gzip_decompression_failed; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221001; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP request field missing colon"; flow:established,to_server; app-layer-event:http.request_field_missing_colon; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221002; rev:1;)
+alert http any any -> any any (msg:"SURICATA HTTP response field missing colon"; flow:established,to_client; app-layer-event:http.response_field_missing_colon; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221020; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP invalid request chunk len"; flow:established,to_server; app-layer-event:http.invalid_request_chunk_len; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221003; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP invalid response chunk len"; flow:established,to_client; app-layer-event:http.invalid_response_chunk_len; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221004; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP invalid transfer encoding value in request"; flow:established,to_server; app-layer-event:http.invalid_transfer_encoding_value_in_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221005; rev:1;)
@@ -19,11 +20,13 @@ alert http any any -> any any (msg:"SURICATA HTTP status 100-Continue already se
 alert http any any -> any any (msg:"SURICATA HTTP unable to match response to request"; flow:established,to_client; app-layer-event:http.unable_to_match_response_to_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221010; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP invalid server port in request"; flow:established,to_server; app-layer-event:http.invalid_server_port_in_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221011; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP invalid authority port"; flow:established; app-layer-event:http.invalid_authority_port; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221012; rev:1;)
-alert http any any -> any any (msg:"SURICATA HTTP header invalid"; flow:established; app-layer-event:http.header_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221013; rev:1;)
+alert http any any -> any any (msg:"SURICATA HTTP request header invalid"; flow:established,to_server; app-layer-event:http.request_header_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221013; rev:1;)
+alert http any any -> any any (msg:"SURICATA HTTP response header invalid"; flow:established,to_client; app-layer-event:http.response_header_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221021; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP missing Host header"; flow:established,to_server; app-layer-event:http.missing_host_header; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221014; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP Host header ambiguous"; flow:established,to_server; app-layer-event:http.host_header_ambiguous; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221015; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP invalid request field folding"; flow:established,to_server; app-layer-event:http.invalid_request_field_folding; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221016; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP invalid response field folding"; flow:established,to_client; app-layer-event:http.invalid_response_field_folding; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221017; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP request field too long"; flow:established,to_server; app-layer-event:http.request_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221018; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP response field too long"; flow:established,to_client; app-layer-event:http.response_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221019; rev:1;)
+# next sid 2221022
 
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index dbac47db7e..d878b9a677 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -112,6 +112,8 @@ SCEnumCharMap http_decoder_event_table[ ] = {
         HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED},
     { "REQUEST_FIELD_MISSING_COLON",
         HTTP_DECODER_EVENT_REQUEST_FIELD_MISSING_COLON},
+    { "RESPONSE_FIELD_MISSING_COLON",
+        HTTP_DECODER_EVENT_RESPONSE_FIELD_MISSING_COLON},
     { "INVALID_REQUEST_CHUNK_LEN",
         HTTP_DECODER_EVENT_INVALID_REQUEST_CHUNK_LEN},
     { "INVALID_RESPONSE_CHUNK_LEN",
@@ -132,8 +134,10 @@ SCEnumCharMap http_decoder_event_table[ ] = {
         HTTP_DECODER_EVENT_INVALID_SERVER_PORT_IN_REQUEST},
     { "INVALID_AUTHORITY_PORT",
         HTTP_DECODER_EVENT_INVALID_AUTHORITY_PORT},
-    { "HEADER_INVALID",
+    { "REQUEST_HEADER_INVALID",
         HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID},
+    { "RESPONSE_HEADER_INVALID",
+        HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID},
     { "MISSING_HOST_HEADER",
         HTTP_DECODER_EVENT_MISSING_HOST_HEADER},
     { "HOST_HEADER_AMBIGUOUS",
@@ -396,6 +400,7 @@ struct {
 } htp_errors[] = {
     { "GZip decompressor: inflateInit2 failed", HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED},
     { "Request field invalid: colon missing", HTTP_DECODER_EVENT_REQUEST_FIELD_MISSING_COLON},
+    { "Response field invalid: colon missing", HTTP_DECODER_EVENT_RESPONSE_FIELD_MISSING_COLON},
     { "Request chunk encoding: Invalid chunk length", HTTP_DECODER_EVENT_INVALID_REQUEST_CHUNK_LEN},
     { "Response chunk encoding: Invalid chunk length", HTTP_DECODER_EVENT_INVALID_RESPONSE_CHUNK_LEN},
     { "Invalid T-E value in request", HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST},
@@ -416,7 +421,9 @@ struct {
 } htp_warnings[] = {
     { "GZip decompressor:", HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED},
     { "Request field invalid", HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID},
+    { "Response field invalid", HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID},
     { "Request header name is not a token", HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID},
+    { "Response header name is not a token", HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID},
     { "Host information in request headers required by HTTP/1.1", HTTP_DECODER_EVENT_MISSING_HOST_HEADER},
     { "Host information ambiguous", HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS},
     { "Invalid request field folding", HTTP_DECODER_EVENT_INVALID_REQUEST_FIELD_FOLDING},
diff --git a/src/app-layer-htp.h b/src/app-layer-htp.h
index 259a5cd920..9f7505a6ac 100644
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@@ -85,6 +85,7 @@ enum {
     HTTP_DECODER_EVENT_UNKNOWN_ERROR,
     HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED,
     HTTP_DECODER_EVENT_REQUEST_FIELD_MISSING_COLON,
+    HTTP_DECODER_EVENT_RESPONSE_FIELD_MISSING_COLON,
     HTTP_DECODER_EVENT_INVALID_REQUEST_CHUNK_LEN,
     HTTP_DECODER_EVENT_INVALID_RESPONSE_CHUNK_LEN,
     HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST,
@@ -96,6 +97,7 @@ enum {
     HTTP_DECODER_EVENT_INVALID_SERVER_PORT_IN_REQUEST,
     HTTP_DECODER_EVENT_INVALID_AUTHORITY_PORT,
     HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID,
+    HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID,
     HTTP_DECODER_EVENT_MISSING_HOST_HEADER,
     HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS,
     HTTP_DECODER_EVENT_INVALID_REQUEST_FIELD_FOLDING,