http: adds event for header repetition

6 years ago · b6b7778e2d
parent 9d8eb7b5f0
commit b6b7778e2d
3 changed files with 12 additions and 1 deletions
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@ -54,5 +54,8 @@ alert http any any -> any any (msg:"SURICATA HTTP Request abnormal Content-Encod

 alert http any any -> any any (msg:"SURICATA HTTP Request unrecognized authorization method"; flow:established,to_server; app-layer-event:http.request_auth_unrecognized; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221034; rev:1;)

-# next sid 2221035
+alert http any any -> any any (msg:"SURICATA HTTP Request excessive header repetition"; flow:established,to_server; app-layer-event:http.request_header_repetition; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221035; rev:1;)
+alert http any any -> any any (msg:"SURICATA HTTP Response excessive header repetition"; flow:established,to_client; app-layer-event:http.response_header_repetition; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221036; rev:1;)
+
+# next sid 2221037

--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@ -146,6 +146,10 @@ SCEnumCharMap http_decoder_event_table[ ] = {
        HTTP_DECODER_EVENT_HEADER_HOST_INVALID},
    { "REQUEST_AUTH_UNRECOGNIZED",
        HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED},
+    { "REQUEST_HEADER_REPETITION",
+        HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION},
+    { "RESPONSE_HEADER_REPETITION",
+        HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION},
    { "URI_DELIM_NON_COMPLIANT",
        HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT},
    { "METHOD_DELIM_NON_COMPLIANT",
@ -513,6 +517,8 @@ struct {
    { "C-E gzip has abnormal value", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
    { "C-E deflate has abnormal value", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
    { "C-E unknown setting", HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER},
+    { "Excessive request header repetitions", HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION},
+    { "Excessive response header repetitions", HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION},
 };

 #define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@ -107,6 +107,8 @@ enum {
    HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS,
    HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER,
    HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED,
+    HTTP_DECODER_EVENT_REQUEST_HEADER_REPETITION,
+    HTTP_DECODER_EVENT_RESPONSE_HEADER_REPETITION,

    /* suricata errors/warnings */
    HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,