|
|
|
|
@ -103,63 +103,60 @@ static uint64_t htp_state_memcnt = 0;
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
SCEnumCharMap http_decoder_event_table[] = {
|
|
|
|
|
{ "UNKNOWN_ERROR", HTTP_DECODER_EVENT_UNKNOWN_ERROR },
|
|
|
|
|
{ "GZIP_DECOMPRESSION_FAILED", HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED },
|
|
|
|
|
{ "REQUEST_FIELD_MISSING_COLON", HTTP_DECODER_EVENT_REQUEST_FIELD_MISSING_COLON },
|
|
|
|
|
{ "RESPONSE_FIELD_MISSING_COLON", HTTP_DECODER_EVENT_RESPONSE_FIELD_MISSING_COLON },
|
|
|
|
|
{ "INVALID_REQUEST_CHUNK_LEN", HTTP_DECODER_EVENT_INVALID_REQUEST_CHUNK_LEN },
|
|
|
|
|
{ "INVALID_RESPONSE_CHUNK_LEN", HTTP_DECODER_EVENT_INVALID_RESPONSE_CHUNK_LEN },
|
|
|
|
|
{ "UNKNOWN_ERROR", HTP_LOG_CODE_UNKNOWN },
|
|
|
|
|
{ "GZIP_DECOMPRESSION_FAILED", HTP_LOG_CODE_GZIP_DECOMPRESSION_FAILED },
|
|
|
|
|
{ "REQUEST_FIELD_MISSING_COLON", HTP_LOG_CODE_REQUEST_FIELD_MISSING_COLON },
|
|
|
|
|
{ "RESPONSE_FIELD_MISSING_COLON", HTP_LOG_CODE_RESPONSE_FIELD_MISSING_COLON },
|
|
|
|
|
{ "INVALID_REQUEST_CHUNK_LEN", HTP_LOG_CODE_INVALID_REQUEST_CHUNK_LEN },
|
|
|
|
|
{ "INVALID_RESPONSE_CHUNK_LEN", HTP_LOG_CODE_INVALID_RESPONSE_CHUNK_LEN },
|
|
|
|
|
{ "INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST",
|
|
|
|
|
HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST },
|
|
|
|
|
HTP_LOG_CODE_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST },
|
|
|
|
|
{ "INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE",
|
|
|
|
|
HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE },
|
|
|
|
|
HTP_LOG_CODE_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE },
|
|
|
|
|
{ "INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST",
|
|
|
|
|
HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST },
|
|
|
|
|
HTP_LOG_CODE_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST },
|
|
|
|
|
{ "INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE",
|
|
|
|
|
HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE },
|
|
|
|
|
HTP_LOG_CODE_INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE },
|
|
|
|
|
{ "DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST",
|
|
|
|
|
HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST },
|
|
|
|
|
HTP_LOG_CODE_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST },
|
|
|
|
|
{ "DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE",
|
|
|
|
|
HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE },
|
|
|
|
|
{ "100_CONTINUE_ALREADY_SEEN", HTTP_DECODER_EVENT_100_CONTINUE_ALREADY_SEEN },
|
|
|
|
|
{ "UNABLE_TO_MATCH_RESPONSE_TO_REQUEST",
|
|
|
|
|
HTTP_DECODER_EVENT_UNABLE_TO_MATCH_RESPONSE_TO_REQUEST },
|
|
|
|
|
{ "INVALID_SERVER_PORT_IN_REQUEST", HTTP_DECODER_EVENT_INVALID_SERVER_PORT_IN_REQUEST },
|
|
|
|
|
{ "INVALID_AUTHORITY_PORT", HTTP_DECODER_EVENT_INVALID_AUTHORITY_PORT },
|
|
|
|
|
{ "REQUEST_HEADER_INVALID", HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID },
|
|
|
|
|
{ "RESPONSE_HEADER_INVALID", HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID },
|
|
|
|
|
{ "MISSING_HOST_HEADER", HTTP_DECODER_EVENT_MISSING_HOST_HEADER },
|
|
|
|
|
{ "HOST_HEADER_AMBIGUOUS", HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS },
|
|
|
|
|
{ "INVALID_REQUEST_FIELD_FOLDING", HTTP_DECODER_EVENT_INVALID_REQUEST_FIELD_FOLDING },
|
|
|
|
|
{ "INVALID_RESPONSE_FIELD_FOLDING", HTTP_DECODER_EVENT_INVALID_RESPONSE_FIELD_FOLDING },
|
|
|
|
|
{ "REQUEST_FIELD_TOO_LONG", HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG },
|
|
|
|
|
{ "RESPONSE_FIELD_TOO_LONG", HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG },
|
|
|
|
|
{ "FILE_NAME_TOO_LONG", HTTP_DECODER_EVENT_FILE_NAME_TOO_LONG },
|
|
|
|
|
{ "REQUEST_LINE_INVALID", HTTP_DECODER_EVENT_REQUEST_LINE_INVALID },
|
|
|
|
|
{ "REQUEST_BODY_UNEXPECTED", HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED },
|
|
|
|
|
{ "REQUEST_SERVER_PORT_TCP_PORT_MISMATCH",
|
|
|
|
|
HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH },
|
|
|
|
|
{ "REQUEST_URI_HOST_INVALID", HTTP_DECODER_EVENT_URI_HOST_INVALID },
|
|
|
|
|
{ "REQUEST_HEADER_HOST_INVALID", HTTP_DECODER_EVENT_HEADER_HOST_INVALID },
|
|
|
|
|
{ "REQUEST_AUTH_UNRECOGNIZED", HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED },
|
|
|
|
|
{ "REQUEST_HEADER_REPETITION", HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION },
|
|
|
|
|
{ "RESPONSE_HEADER_REPETITION", HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION },
|
|
|
|
|
{ "DOUBLE_ENCODED_URI", HTTP_DECODER_EVENT_DOUBLE_ENCODED_URI },
|
|
|
|
|
{ "URI_DELIM_NON_COMPLIANT", HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT },
|
|
|
|
|
{ "METHOD_DELIM_NON_COMPLIANT", HTTP_DECODER_EVENT_METHOD_DELIM_NON_COMPLIANT },
|
|
|
|
|
{ "REQUEST_LINE_LEADING_WHITESPACE", HTTP_DECODER_EVENT_REQUEST_LINE_LEADING_WHITESPACE },
|
|
|
|
|
{ "TOO_MANY_ENCODING_LAYERS", HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS },
|
|
|
|
|
{ "ABNORMAL_CE_HEADER", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER },
|
|
|
|
|
{ "RESPONSE_MULTIPART_BYTERANGES", HTTP_DECODER_EVENT_RESPONSE_MULTIPART_BYTERANGES },
|
|
|
|
|
{ "RESPONSE_ABNORMAL_TRANSFER_ENCODING",
|
|
|
|
|
HTTP_DECODER_EVENT_RESPONSE_ABNORMAL_TRANSFER_ENCODING },
|
|
|
|
|
{ "RESPONSE_CHUNKED_OLD_PROTO", HTTP_DECODER_EVENT_RESPONSE_CHUNKED_OLD_PROTO },
|
|
|
|
|
{ "RESPONSE_INVALID_PROTOCOL", HTTP_DECODER_EVENT_RESPONSE_INVALID_PROTOCOL },
|
|
|
|
|
{ "RESPONSE_INVALID_STATUS", HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS },
|
|
|
|
|
{ "REQUEST_LINE_INCOMPLETE", HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE },
|
|
|
|
|
|
|
|
|
|
{ "LZMA_MEMLIMIT_REACHED", HTTP_DECODER_EVENT_LZMA_MEMLIMIT_REACHED },
|
|
|
|
|
{ "COMPRESSION_BOMB", HTTP_DECODER_EVENT_COMPRESSION_BOMB },
|
|
|
|
|
HTP_LOG_CODE_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE },
|
|
|
|
|
{ "100_CONTINUE_ALREADY_SEEN", HTP_LOG_CODE_CONTINUE_ALREADY_SEEN },
|
|
|
|
|
{ "UNABLE_TO_MATCH_RESPONSE_TO_REQUEST", HTP_LOG_CODE_UNABLE_TO_MATCH_RESPONSE_TO_REQUEST },
|
|
|
|
|
{ "INVALID_SERVER_PORT_IN_REQUEST", HTP_LOG_CODE_INVALID_SERVER_PORT_IN_REQUEST },
|
|
|
|
|
{ "INVALID_AUTHORITY_PORT", HTP_LOG_CODE_INVALID_AUTHORITY_PORT },
|
|
|
|
|
{ "REQUEST_HEADER_INVALID", HTP_LOG_CODE_REQUEST_HEADER_INVALID },
|
|
|
|
|
{ "RESPONSE_HEADER_INVALID", HTP_LOG_CODE_RESPONSE_HEADER_INVALID },
|
|
|
|
|
{ "MISSING_HOST_HEADER", HTP_LOG_CODE_MISSING_HOST_HEADER },
|
|
|
|
|
{ "HOST_HEADER_AMBIGUOUS", HTP_LOG_CODE_HOST_HEADER_AMBIGUOUS },
|
|
|
|
|
{ "INVALID_REQUEST_FIELD_FOLDING", HTP_LOG_CODE_INVALID_REQUEST_FIELD_FOLDING },
|
|
|
|
|
{ "INVALID_RESPONSE_FIELD_FOLDING", HTP_LOG_CODE_INVALID_RESPONSE_FIELD_FOLDING },
|
|
|
|
|
{ "REQUEST_FIELD_TOO_LONG", HTP_LOG_CODE_REQUEST_FIELD_TOO_LONG },
|
|
|
|
|
{ "RESPONSE_FIELD_TOO_LONG", HTP_LOG_CODE_RESPONSE_FIELD_TOO_LONG },
|
|
|
|
|
{ "FILE_NAME_TOO_LONG", HTP_LOG_CODE_FILE_NAME_TOO_LONG },
|
|
|
|
|
{ "REQUEST_LINE_INVALID", HTP_LOG_CODE_REQUEST_LINE_INVALID },
|
|
|
|
|
{ "REQUEST_BODY_UNEXPECTED", HTP_LOG_CODE_REQUEST_BODY_UNEXPECTED },
|
|
|
|
|
{ "REQUEST_SERVER_PORT_TCP_PORT_MISMATCH", HTP_LOG_CODE_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH },
|
|
|
|
|
{ "REQUEST_URI_HOST_INVALID", HTP_LOG_CODE_URI_HOST_INVALID },
|
|
|
|
|
{ "REQUEST_HEADER_HOST_INVALID", HTP_LOG_CODE_HEADER_HOST_INVALID },
|
|
|
|
|
{ "REQUEST_AUTH_UNRECOGNIZED", HTP_LOG_CODE_AUTH_UNRECOGNIZED },
|
|
|
|
|
{ "REQUEST_HEADER_REPETITION", HTP_LOG_CODE_REQUEST_HEADER_REPETITION },
|
|
|
|
|
{ "RESPONSE_HEADER_REPETITION", HTP_LOG_CODE_RESPONSE_HEADER_REPETITION },
|
|
|
|
|
{ "DOUBLE_ENCODED_URI", HTP_LOG_CODE_DOUBLE_ENCODED_URI },
|
|
|
|
|
{ "URI_DELIM_NON_COMPLIANT", HTP_LOG_CODE_URI_DELIM_NON_COMPLIANT },
|
|
|
|
|
{ "METHOD_DELIM_NON_COMPLIANT", HTP_LOG_CODE_METHOD_DELIM_NON_COMPLIANT },
|
|
|
|
|
{ "REQUEST_LINE_LEADING_WHITESPACE", HTP_LOG_CODE_REQUEST_LINE_LEADING_WHITESPACE },
|
|
|
|
|
{ "TOO_MANY_ENCODING_LAYERS", HTP_LOG_CODE_TOO_MANY_ENCODING_LAYERS },
|
|
|
|
|
{ "ABNORMAL_CE_HEADER", HTP_LOG_CODE_ABNORMAL_CE_HEADER },
|
|
|
|
|
{ "RESPONSE_MULTIPART_BYTERANGES", HTP_LOG_CODE_RESPONSE_MULTIPART_BYTERANGES },
|
|
|
|
|
{ "RESPONSE_ABNORMAL_TRANSFER_ENCODING", HTP_LOG_CODE_RESPONSE_ABNORMAL_TRANSFER_ENCODING },
|
|
|
|
|
{ "RESPONSE_CHUNKED_OLD_PROTO", HTP_LOG_CODE_RESPONSE_CHUNKED_OLD_PROTO },
|
|
|
|
|
{ "RESPONSE_INVALID_PROTOCOL", HTP_LOG_CODE_RESPONSE_INVALID_PROTOCOL },
|
|
|
|
|
{ "RESPONSE_INVALID_STATUS", HTP_LOG_CODE_RESPONSE_INVALID_STATUS },
|
|
|
|
|
{ "REQUEST_LINE_INCOMPLETE", HTP_LOG_CODE_REQUEST_LINE_INCOMPLETE },
|
|
|
|
|
|
|
|
|
|
{ "LZMA_MEMLIMIT_REACHED", HTP_LOG_CODE_LZMA_MEMLIMIT_REACHED },
|
|
|
|
|
{ "COMPRESSION_BOMB", HTP_LOG_CODE_COMPRESSION_BOMB },
|
|
|
|
|
|
|
|
|
|
{ "RANGE_INVALID", HTTP_DECODER_EVENT_RANGE_INVALID },
|
|
|
|
|
{ "REQUEST_CHUNK_EXTENSION", HTTP_DECODER_EVENT_REQUEST_CHUNK_EXTENSION },
|
|
|
|
|
@ -562,81 +559,73 @@ struct {
|
|
|
|
|
const char *msg;
|
|
|
|
|
uint8_t de;
|
|
|
|
|
} htp_errors[] = {
|
|
|
|
|
{ "GZip decompressor: inflateInit2 failed", HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED },
|
|
|
|
|
{ "Request field invalid: colon missing", HTTP_DECODER_EVENT_REQUEST_FIELD_MISSING_COLON },
|
|
|
|
|
{ "Response field invalid: missing colon", HTTP_DECODER_EVENT_RESPONSE_FIELD_MISSING_COLON },
|
|
|
|
|
{ "Request chunk encoding: Invalid chunk length",
|
|
|
|
|
HTTP_DECODER_EVENT_INVALID_REQUEST_CHUNK_LEN },
|
|
|
|
|
{ "Response chunk encoding: Invalid chunk length",
|
|
|
|
|
HTTP_DECODER_EVENT_INVALID_RESPONSE_CHUNK_LEN },
|
|
|
|
|
{ "GZip decompressor: inflateInit2 failed", HTP_LOG_CODE_GZIP_DECOMPRESSION_FAILED },
|
|
|
|
|
{ "Request field invalid: colon missing", HTP_LOG_CODE_REQUEST_FIELD_MISSING_COLON },
|
|
|
|
|
{ "Response field invalid: missing colon", HTP_LOG_CODE_RESPONSE_FIELD_MISSING_COLON },
|
|
|
|
|
{ "Request chunk encoding: Invalid chunk length", HTP_LOG_CODE_INVALID_REQUEST_CHUNK_LEN },
|
|
|
|
|
{ "Response chunk encoding: Invalid chunk length", HTP_LOG_CODE_INVALID_RESPONSE_CHUNK_LEN },
|
|
|
|
|
/* { "Invalid T-E value in request",
|
|
|
|
|
HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST}, <- tx flag
|
|
|
|
|
HTP_LOG_CODE_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST}, <- tx flag
|
|
|
|
|
HTP_FLAGS_REQUEST_INVALID_T_E { "Invalid T-E value in response",
|
|
|
|
|
HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE}, <- nothing to replace it */
|
|
|
|
|
HTP_LOG_CODE_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE}, <- nothing to replace it */
|
|
|
|
|
/* { "Invalid C-L field in request",
|
|
|
|
|
HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST}, <- tx flag
|
|
|
|
|
HTP_LOG_CODE_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST}, <- tx flag
|
|
|
|
|
HTP_FLAGS_REQUEST_INVALID_C_L */
|
|
|
|
|
{ "Invalid C-L field in response",
|
|
|
|
|
HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE },
|
|
|
|
|
{ "Already seen 100-Continue", HTTP_DECODER_EVENT_100_CONTINUE_ALREADY_SEEN },
|
|
|
|
|
{ "Unable to match response to request",
|
|
|
|
|
HTTP_DECODER_EVENT_UNABLE_TO_MATCH_RESPONSE_TO_REQUEST },
|
|
|
|
|
{ "Invalid server port information in request",
|
|
|
|
|
HTTP_DECODER_EVENT_INVALID_SERVER_PORT_IN_REQUEST },
|
|
|
|
|
/* { "Invalid authority port", HTTP_DECODER_EVENT_INVALID_AUTHORITY_PORT}, htp no longer
|
|
|
|
|
{ "Invalid C-L field in response", HTP_LOG_CODE_INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE },
|
|
|
|
|
{ "Already seen 100-Continue", HTP_LOG_CODE_CONTINUE_ALREADY_SEEN },
|
|
|
|
|
{ "Unable to match response to request", HTP_LOG_CODE_UNABLE_TO_MATCH_RESPONSE_TO_REQUEST },
|
|
|
|
|
{ "Invalid server port information in request", HTP_LOG_CODE_INVALID_SERVER_PORT_IN_REQUEST },
|
|
|
|
|
/* { "Invalid authority port", HTP_LOG_CODE_INVALID_AUTHORITY_PORT}, htp no longer
|
|
|
|
|
returns this error */
|
|
|
|
|
{ "Request buffer over", HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG },
|
|
|
|
|
{ "Response buffer over", HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG },
|
|
|
|
|
{ "Request buffer over", HTP_LOG_CODE_REQUEST_FIELD_TOO_LONG },
|
|
|
|
|
{ "Response buffer over", HTP_LOG_CODE_RESPONSE_FIELD_TOO_LONG },
|
|
|
|
|
{ "C-T multipart/byteranges in responses not supported",
|
|
|
|
|
HTTP_DECODER_EVENT_RESPONSE_MULTIPART_BYTERANGES },
|
|
|
|
|
{ "Compression bomb:", HTTP_DECODER_EVENT_COMPRESSION_BOMB },
|
|
|
|
|
HTP_LOG_CODE_RESPONSE_MULTIPART_BYTERANGES },
|
|
|
|
|
{ "Compression bomb:", HTP_LOG_CODE_COMPRESSION_BOMB },
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct {
|
|
|
|
|
const char *msg;
|
|
|
|
|
uint8_t de;
|
|
|
|
|
} htp_warnings[] = {
|
|
|
|
|
{ "GZip decompressor:", HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED },
|
|
|
|
|
{ "Request field invalid", HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID },
|
|
|
|
|
{ "Response field invalid", HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID },
|
|
|
|
|
{ "Request header name is not a token", HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID },
|
|
|
|
|
{ "Response header name is not a token", HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID },
|
|
|
|
|
{ "GZip decompressor:", HTP_LOG_CODE_GZIP_DECOMPRESSION_FAILED },
|
|
|
|
|
{ "Request field invalid", HTP_LOG_CODE_REQUEST_HEADER_INVALID },
|
|
|
|
|
{ "Response field invalid", HTP_LOG_CODE_RESPONSE_HEADER_INVALID },
|
|
|
|
|
{ "Request header name is not a token", HTP_LOG_CODE_REQUEST_HEADER_INVALID },
|
|
|
|
|
{ "Response header name is not a token", HTP_LOG_CODE_RESPONSE_HEADER_INVALID },
|
|
|
|
|
/* { "Host information in request headers required by HTTP/1.1",
|
|
|
|
|
HTTP_DECODER_EVENT_MISSING_HOST_HEADER}, <- tx flag HTP_FLAGS_HOST_MISSING { "Host
|
|
|
|
|
information ambiguous", HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS}, <- tx flag
|
|
|
|
|
HTP_LOG_CODE_MISSING_HOST_HEADER}, <- tx flag HTP_FLAGS_HOST_MISSING { "Host
|
|
|
|
|
information ambiguous", HTP_LOG_CODE_HOST_HEADER_AMBIGUOUS}, <- tx flag
|
|
|
|
|
HTP_FLAGS_HOST_AMBIGUOUS */
|
|
|
|
|
{ "Invalid request field folding", HTTP_DECODER_EVENT_INVALID_REQUEST_FIELD_FOLDING },
|
|
|
|
|
{ "Invalid response field folding", HTTP_DECODER_EVENT_INVALID_RESPONSE_FIELD_FOLDING },
|
|
|
|
|
{ "Invalid request field folding", HTP_LOG_CODE_INVALID_REQUEST_FIELD_FOLDING },
|
|
|
|
|
{ "Invalid response field folding", HTP_LOG_CODE_INVALID_RESPONSE_FIELD_FOLDING },
|
|
|
|
|
/* line is now: htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Request server port=%d number
|
|
|
|
|
* differs from the actual TCP port=%d", port, connp->conn->server_port); luckily, "Request
|
|
|
|
|
* server port=" is unique */
|
|
|
|
|
/* { "Request server port number differs from the actual TCP port",
|
|
|
|
|
HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH}, */
|
|
|
|
|
{ "Request server port=", HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH },
|
|
|
|
|
{ "Request line: URI contains non-compliant delimiter",
|
|
|
|
|
HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT },
|
|
|
|
|
HTP_LOG_CODE_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH}, */
|
|
|
|
|
{ "Request server port=", HTP_LOG_CODE_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH },
|
|
|
|
|
{ "Request line: URI contains non-compliant delimiter", HTP_LOG_CODE_URI_DELIM_NON_COMPLIANT },
|
|
|
|
|
{ "Request line: non-compliant delimiter between Method and URI",
|
|
|
|
|
HTTP_DECODER_EVENT_METHOD_DELIM_NON_COMPLIANT },
|
|
|
|
|
{ "Request line: leading whitespace", HTTP_DECODER_EVENT_REQUEST_LINE_LEADING_WHITESPACE },
|
|
|
|
|
{ "Too many response content encoding layers", HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS },
|
|
|
|
|
{ "C-E gzip has abnormal value", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER },
|
|
|
|
|
{ "C-E deflate has abnormal value", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER },
|
|
|
|
|
{ "C-E unknown setting", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER },
|
|
|
|
|
{ "Excessive request header repetitions", HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION },
|
|
|
|
|
{ "Excessive response header repetitions", HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION },
|
|
|
|
|
HTP_LOG_CODE_METHOD_DELIM_NON_COMPLIANT },
|
|
|
|
|
{ "Request line: leading whitespace", HTP_LOG_CODE_REQUEST_LINE_LEADING_WHITESPACE },
|
|
|
|
|
{ "Too many response content encoding layers", HTP_LOG_CODE_TOO_MANY_ENCODING_LAYERS },
|
|
|
|
|
{ "C-E gzip has abnormal value", HTP_LOG_CODE_ABNORMAL_CE_HEADER },
|
|
|
|
|
{ "C-E deflate has abnormal value", HTP_LOG_CODE_ABNORMAL_CE_HEADER },
|
|
|
|
|
{ "C-E unknown setting", HTP_LOG_CODE_ABNORMAL_CE_HEADER },
|
|
|
|
|
{ "Excessive request header repetitions", HTP_LOG_CODE_REQUEST_HEADER_REPETITION },
|
|
|
|
|
{ "Excessive response header repetitions", HTP_LOG_CODE_RESPONSE_HEADER_REPETITION },
|
|
|
|
|
{ "Transfer-encoding has abnormal chunked value",
|
|
|
|
|
HTTP_DECODER_EVENT_RESPONSE_ABNORMAL_TRANSFER_ENCODING },
|
|
|
|
|
HTP_LOG_CODE_RESPONSE_ABNORMAL_TRANSFER_ENCODING },
|
|
|
|
|
{ "Chunked transfer-encoding on HTTP/0.9 or HTTP/1.0",
|
|
|
|
|
HTTP_DECODER_EVENT_RESPONSE_CHUNKED_OLD_PROTO },
|
|
|
|
|
{ "Invalid response line: invalid protocol", HTTP_DECODER_EVENT_RESPONSE_INVALID_PROTOCOL },
|
|
|
|
|
{ "Invalid response line: invalid response status",
|
|
|
|
|
HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS },
|
|
|
|
|
{ "Request line incomplete", HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE },
|
|
|
|
|
{ "Unexpected request body", HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED },
|
|
|
|
|
{ "LZMA decompressor: memory limit reached", HTTP_DECODER_EVENT_LZMA_MEMLIMIT_REACHED },
|
|
|
|
|
{ "Ambiguous request C-L value", HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST },
|
|
|
|
|
{ "Ambiguous response C-L value",
|
|
|
|
|
HTTP_DECODER_EVENT_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE },
|
|
|
|
|
HTP_LOG_CODE_RESPONSE_CHUNKED_OLD_PROTO },
|
|
|
|
|
{ "Invalid response line: invalid protocol", HTP_LOG_CODE_RESPONSE_INVALID_PROTOCOL },
|
|
|
|
|
{ "Invalid response line: invalid response status", HTP_LOG_CODE_RESPONSE_INVALID_STATUS },
|
|
|
|
|
{ "Request line incomplete", HTP_LOG_CODE_REQUEST_LINE_INCOMPLETE },
|
|
|
|
|
{ "Unexpected request body", HTP_LOG_CODE_REQUEST_BODY_UNEXPECTED },
|
|
|
|
|
{ "LZMA decompressor: memory limit reached", HTP_LOG_CODE_LZMA_MEMLIMIT_REACHED },
|
|
|
|
|
{ "Ambiguous request C-L value", HTP_LOG_CODE_DUPLICATE_CONTENT_LENGTH_FIELD_IN_REQUEST },
|
|
|
|
|
{ "Ambiguous response C-L value", HTP_LOG_CODE_DUPLICATE_CONTENT_LENGTH_FIELD_IN_RESPONSE },
|
|
|
|
|
{ "Request chunk extension", HTTP_DECODER_EVENT_REQUEST_CHUNK_EXTENSION },
|
|
|
|
|
{ "Request line: missing protocol", HTTP_DECODER_EVENT_REQUEST_LINE_MISSING_PROTOCOL },
|
|
|
|
|
{ "Too many request headers", HTTP_DECODER_EVENT_REQUEST_TOO_MANY_HEADERS },
|
|
|
|
|
@ -740,7 +729,7 @@ static void HTPHandleError(HtpState *s, const uint8_t dir)
|
|
|
|
|
if (id == 0) {
|
|
|
|
|
id = HTPHandleWarningGetId(log->msg);
|
|
|
|
|
if (id == 0)
|
|
|
|
|
id = HTTP_DECODER_EVENT_UNKNOWN_ERROR;
|
|
|
|
|
id = HTP_LOG_CODE_UNKNOWN;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (id > 0) {
|
|
|
|
|
@ -765,29 +754,24 @@ static inline void HTPErrorCheckTxRequestFlags(HtpState *s, const htp_tx_t *tx)
|
|
|
|
|
|
|
|
|
|
if (htp_tx_flags(tx) & HTP_FLAGS_REQUEST_INVALID_T_E)
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER,
|
|
|
|
|
HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST);
|
|
|
|
|
HTP_LOG_CODE_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST);
|
|
|
|
|
if (htp_tx_flags(tx) & HTP_FLAGS_REQUEST_INVALID_C_L)
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER,
|
|
|
|
|
HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST);
|
|
|
|
|
HTPSetEvent(
|
|
|
|
|
s, htud, STREAM_TOSERVER, HTP_LOG_CODE_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST);
|
|
|
|
|
if (htp_tx_flags(tx) & HTP_FLAGS_HOST_MISSING)
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER,
|
|
|
|
|
HTTP_DECODER_EVENT_MISSING_HOST_HEADER);
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER, HTP_LOG_CODE_MISSING_HOST_HEADER);
|
|
|
|
|
if (htp_tx_flags(tx) & HTP_FLAGS_HOST_AMBIGUOUS)
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER,
|
|
|
|
|
HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS);
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER, HTP_LOG_CODE_HOST_HEADER_AMBIGUOUS);
|
|
|
|
|
if (htp_tx_flags(tx) & HTP_FLAGS_HOSTU_INVALID)
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER,
|
|
|
|
|
HTTP_DECODER_EVENT_URI_HOST_INVALID);
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER, HTP_LOG_CODE_URI_HOST_INVALID);
|
|
|
|
|
if (htp_tx_flags(tx) & HTP_FLAGS_HOSTH_INVALID)
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER,
|
|
|
|
|
HTTP_DECODER_EVENT_HEADER_HOST_INVALID);
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER, HTP_LOG_CODE_HEADER_HOST_INVALID);
|
|
|
|
|
}
|
|
|
|
|
if (htp_tx_request_auth_type(tx) == HTP_AUTH_TYPE_UNRECOGNIZED) {
|
|
|
|
|
HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
|
|
|
|
|
if (htud == NULL)
|
|
|
|
|
return;
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER,
|
|
|
|
|
HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED);
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER, HTP_LOG_CODE_AUTH_UNRECOGNIZED);
|
|
|
|
|
}
|
|
|
|
|
if (htp_tx_is_protocol_0_9(tx) && htp_tx_request_method_number(tx) == HTP_METHOD_UNKNOWN &&
|
|
|
|
|
(htp_tx_request_protocol_number(tx) == HTP_PROTOCOL_INVALID ||
|
|
|
|
|
@ -795,8 +779,7 @@ static inline void HTPErrorCheckTxRequestFlags(HtpState *s, const htp_tx_t *tx)
|
|
|
|
|
HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
|
|
|
|
|
if (htud == NULL)
|
|
|
|
|
return;
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER,
|
|
|
|
|
HTTP_DECODER_EVENT_REQUEST_LINE_INVALID);
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER, HTP_LOG_CODE_REQUEST_BODY_UNEXPECTED);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -1309,7 +1292,7 @@ static int HtpRequestBodyHandlePOSTorPUT(HtpState *hstate, HtpTxUserData *htud,
|
|
|
|
|
if (filename_len > SC_FILENAME_MAX) {
|
|
|
|
|
// explicitly truncate the file name if too long
|
|
|
|
|
filename_len = SC_FILENAME_MAX;
|
|
|
|
|
HTPSetEvent(hstate, htud, STREAM_TOSERVER, HTTP_DECODER_EVENT_FILE_NAME_TOO_LONG);
|
|
|
|
|
HTPSetEvent(hstate, htud, STREAM_TOSERVER, HTP_LOG_CODE_REQUEST_LINE_INVALID);
|
|
|
|
|
}
|
|
|
|
|
result = HTPFileOpen(hstate, htud, filename, (uint16_t)filename_len, data, data_len,
|
|
|
|
|
STREAM_TOSERVER);
|
|
|
|
|
@ -1385,7 +1368,7 @@ static int HtpResponseBodyHandle(HtpState *hstate, HtpTxUserData *htud, const ht
|
|
|
|
|
if (filename_len > SC_FILENAME_MAX) {
|
|
|
|
|
// explicitly truncate the file name if too long
|
|
|
|
|
filename_len = SC_FILENAME_MAX;
|
|
|
|
|
HTPSetEvent(hstate, htud, STREAM_TOSERVER, HTTP_DECODER_EVENT_FILE_NAME_TOO_LONG);
|
|
|
|
|
HTPSetEvent(hstate, htud, STREAM_TOSERVER, HTP_LOG_CODE_REQUEST_LINE_INVALID);
|
|
|
|
|
}
|
|
|
|
|
if (h_content_range != NULL) {
|
|
|
|
|
result = HTPFileOpenWithRange(hstate, htud, filename, (uint16_t)filename_len, data,
|
|
|
|
|
@ -1988,8 +1971,7 @@ static int HTPCallbackDoubleDecodeUriPart(htp_tx_t *tx, bstr *part)
|
|
|
|
|
HtpState *s = htp_connp_get_user_data(tx->connp);
|
|
|
|
|
if (s == NULL)
|
|
|
|
|
return HTP_STATUS_OK;
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER,
|
|
|
|
|
HTTP_DECODER_EVENT_DOUBLE_ENCODED_URI);
|
|
|
|
|
HTPSetEvent(s, htud, STREAM_TOSERVER, HTP_LOG_CODE_DOUBLE_ENCODED_URI);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return HTP_STATUS_OK;
|
|
|
|
|
@ -5098,7 +5080,7 @@ libhtp:\n\
|
|
|
|
|
PASS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \test Test really long request, this should result in HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG */
|
|
|
|
|
/** \test Test really long request, this should result in HTP_LOG_CODE_REQUEST_FIELD_TOO_LONG */
|
|
|
|
|
static int HTPParserTest14(void)
|
|
|
|
|
{
|
|
|
|
|
size_t len = 18887;
|
|
|
|
|
@ -5180,7 +5162,7 @@ libhtp:\n\
|
|
|
|
|
AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP1, txtmp);
|
|
|
|
|
FAIL_IF_NULL(decoder_events);
|
|
|
|
|
|
|
|
|
|
FAIL_IF(decoder_events->events[0] != HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG);
|
|
|
|
|
FAIL_IF(decoder_events->events[0] != HTP_LOG_CODE_REQUEST_FIELD_TOO_LONG);
|
|
|
|
|
|
|
|
|
|
AppLayerParserThreadCtxFree(alp_tctx);
|
|
|
|
|
StreamTcpFreeConfig(true);
|
|
|
|
|
@ -5292,7 +5274,7 @@ libhtp:\n\
|
|
|
|
|
PASS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \test Test unusual delims in request line HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG */
|
|
|
|
|
/** \test Test unusual delims in request line HTP_LOG_CODE_REQUEST_FIELD_TOO_LONG */
|
|
|
|
|
static int HTPParserTest16(void)
|
|
|
|
|
{
|
|
|
|
|
Flow *f = NULL;
|
|
|
|
|
@ -5340,8 +5322,8 @@ static int HTPParserTest16(void)
|
|
|
|
|
AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP1, txtmp);
|
|
|
|
|
|
|
|
|
|
FAIL_IF_NULL(decoder_events);
|
|
|
|
|
FAIL_IF(decoder_events->events[0] != HTTP_DECODER_EVENT_METHOD_DELIM_NON_COMPLIANT);
|
|
|
|
|
FAIL_IF(decoder_events->events[1] != HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT);
|
|
|
|
|
FAIL_IF(decoder_events->events[0] != HTP_LOG_CODE_METHOD_DELIM_NON_COMPLIANT);
|
|
|
|
|
FAIL_IF(decoder_events->events[1] != HTP_LOG_CODE_URI_DELIM_NON_COMPLIANT);
|
|
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
Philippe Antoine
1 year ago
committed by
Victor Julien