http: add event for libhtp detection of request port not matching tcp port.

12 years ago · 9f519e95a2
parent 3ab1458abf
commit 9f519e95a2
3 changed files with 7 additions and 2 deletions
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@ -35,5 +35,7 @@ alert http any any -> any any (msg:"SURICATA HTTP multipart generic error"; flow
 alert http any any -> any any (msg:"SURICATA HTTP multipart no filedata"; flow:established,to_server; app-layer-event:http.multipart_no_filedata; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221023; rev:1;)
 # Multipart header invalid.
 alert http any any -> any any (msg:"SURICATA HTTP multipart invalid header"; flow:established,to_server; app-layer-event:http.multipart_invalid_header; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221024; rev:1;)
-# next sid 2221025
+# Warn when the port in the Host: header doesn't match the actual TCP Server port.
+alert http any any -> any any (msg:"SURICATA HTTP request server port doesn't match TCP port"; flow:established,to_server; app-layer-event:http.request_server_port_tcp_port_mismatch; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221026; rev:1;)
+# next sid 2221026

--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@ -130,7 +130,8 @@ SCEnumCharMap http_decoder_event_table[ ] = {
        HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG},
    { "RESPONSE_FIELD_TOO_LONG",
        HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG},
-
+    { "REQUEST_SERVER_PORT_TCP_PORT_MISMATCH",
+        HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH},
    /* suricata warnings/errors */
    { "MULTIPART_GENERIC_ERROR",
        HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR},
@ -419,6 +420,7 @@ struct {
    { "Host information ambiguous", HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS},
    { "Invalid request field folding", HTTP_DECODER_EVENT_INVALID_REQUEST_FIELD_FOLDING},
    { "Invalid response field folding", HTTP_DECODER_EVENT_INVALID_RESPONSE_FIELD_FOLDING},
+    { "Request server port number differs from the actual TCP port", HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH},
 };

 #define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@ -112,6 +112,7 @@ enum {
    HTTP_DECODER_EVENT_INVALID_RESPONSE_FIELD_FOLDING,
    HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG,
    HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG,
+    HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH,

    /* suricata errors/warnings */
    HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,