From cb150003879edc0128f1902db903c5466f86a733 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 1 Oct 2013 14:08:36 +0200
Subject: [PATCH] http: add new events for invalid host header and host part of uri
---
 rules/http-events.rules | 7 ++++++-
 src/app-layer-htp.c | 14 +++++++++++++-
 src/app-layer-htp.h | 2 ++
 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/rules/http-events.rules b/rules/http-events.rules
index e17641857f..d5bb0f19a7 100644
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@@ -37,5 +37,10 @@ alert http any any -> any any (msg:"SURICATA HTTP multipart no filedata"; flow:e
 alert http any any -> any any (msg:"SURICATA HTTP multipart invalid header"; flow:established,to_server; app-layer-event:http.multipart_invalid_header; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221024; rev:1;)
 # Warn when the port in the Host: header doesn't match the actual TCP Server port.
 alert http any any -> any any (msg:"SURICATA HTTP request server port doesn't match TCP port"; flow:established,to_server; app-layer-event:http.request_server_port_tcp_port_mismatch; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221026; rev:1;)
-# next sid 2221026
+# Host part of URI is invalid
+alert http any any -> any any (msg:"SURICATA HTTP Host part of URI is invalid"; flow:established,to_server; app-layer-event:http.request_uri_host_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221027; rev:1;)
+# Host header is invalid
+alert http any any -> any any (msg:"SURICATA HTTP Host header invalid"; flow:established,to_server; app-layer-event:http.request_header_host_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221028; rev:1;)
+
+# next sid 2221029
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index f1d728c1aa..8f80b61226 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -139,6 +139,11 @@ SCEnumCharMap http_decoder_event_table[ ] = {
 HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG},
 { "REQUEST_SERVER_PORT_TCP_PORT_MISMATCH",
 HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH},
+ { "REQUEST_URI_HOST_INVALID",
+ HTTP_DECODER_EVENT_URI_HOST_INVALID},
+ { "REQUEST_HEADER_HOST_INVALID",
+ HTTP_DECODER_EVENT_HEADER_HOST_INVALID},
+
 /* suricata warnings/errors */
 { "MULTIPART_GENERIC_ERROR",
 HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR},
@@ -564,7 +569,8 @@ static inline void HTPErrorCheckTxRequestFlags(HtpState *s, htp_tx_t *tx)
 BUG_ON(s == NULL || tx == NULL);
 #endif
 if (tx->flags & ( HTP_REQUEST_INVALID_T_E|HTP_REQUEST_INVALID_C_L|
- HTP_HOST_MISSING|HTP_HOST_AMBIGUOUS))
+ HTP_HOST_MISSING|HTP_HOST_AMBIGUOUS|HTP_HOSTU_INVALID|
+ HTP_HOSTH_INVALID))
 {
 if (tx->flags & HTP_REQUEST_INVALID_T_E)
 AppLayerDecoderEventsSetEvent(s->f,
@@ -578,6 +584,12 @@ static inline void HTPErrorCheckTxRequestFlags(HtpState *s, htp_tx_t *tx)
 if (tx->flags & HTP_HOST_AMBIGUOUS)
 AppLayerDecoderEventsSetEvent(s->f,
 HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS);
+ if (tx->flags & HTP_HOSTU_INVALID)
+ AppLayerDecoderEventsSetEvent(s->f,
+ HTTP_DECODER_EVENT_URI_HOST_INVALID);
+ if (tx->flags & HTP_HOSTH_INVALID)
+ AppLayerDecoderEventsSetEvent(s->f,
+ HTTP_DECODER_EVENT_HEADER_HOST_INVALID);
 }
 }
diff --git a/src/app-layer-htp.h b/src/app-layer-htp.h
index 126e98d247..7785bf01c9 100644
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@@ -113,6 +113,8 @@ enum {
 HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG,
 HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG,
 HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH,
+ HTTP_DECODER_EVENT_URI_HOST_INVALID,
+ HTTP_DECODER_EVENT_HEADER_HOST_INVALID,
 /* suricata errors/warnings */
 HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,
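Review bot: The two new table entries pair a `REQUEST_`-prefixed event name with an enum constant that drops the prefix (`"REQUEST_URI_HOST_INVALID"` maps to `HTTP_DECODER_EVENT_URI_HOST_INVALID`), whereas the neighbouring `REQUEST_SERVER_PORT_TCP_PORT_MISMATCH` entry keeps name and constant aligned. Keeping them aligned lets the rule keyword in rules/http-events.rules (`http.request_uri_host_invalid`) be grepped straight to the constant that raises it: `HTTP_DECODER_EVENT_REQUEST_URI_HOST_INVALID` and `HTTP_DECODER_EVENT_REQUEST_HEADER_HOST_INVALID`, renamed consistently in the app-layer-htp.h enum and in the HTPErrorCheckTxRequestFlags checks further down. The older `HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS` constant is precedent for the shorter form, so this is a naming choice to settle rather than a defect.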
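Review bot: The outer guard on `tx->flags` now enumerates six libhtp flags that are repeated one by one in the per-flag checks that follow (the tail of this hunk and all of the next), so a flag added to only one of the two lists is silently never reported, because the outer test is purely a short-circuit with no logic of its own. Giving the mask one file-scope name keeps the two lists in step, for example `#define HTP_TX_REQUEST_EVENT_FLAGS (HTP_REQUEST_INVALID_T_E|HTP_REQUEST_INVALID_C_L|HTP_HOST_MISSING|HTP_HOST_AMBIGUOUS|HTP_HOSTU_INVALID|HTP_HOSTH_INVALID)` (a proposed name) and then `if (tx->flags & HTP_TX_REQUEST_EVENT_FLAGS)` here. HTPErrorCheckTxRequestFlags begins before this hunk; only its signature is visible, in the hunk header.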
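Review bot: Nothing in the commit exercises the two new `AppLayerDecoderEventsSetEvent` calls, so whether libhtp actually raises `HTP_HOSTU_INVALID` and `HTP_HOSTH_INVALID` for the traffic the new rules describe is not verified by the change itself. If the file's existing unit tests already cover the `HTP_HOST_AMBIGUOUS` path, a sibling case that parses a request with a malformed Host header and asserts that `HTTP_DECODER_EVENT_HEADER_HOST_INVALID` is set on the flow would pin the mapping. The enclosing function starts before this hunk.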
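Review bot: The two new enumerators carry no comment saying which libhtp transaction flag feeds them, and the names alone do not reveal it; a one-liner on each, `HTTP_DECODER_EVENT_URI_HOST_INVALID, /* set from libhtp HTP_HOSTU_INVALID */` and `HTTP_DECODER_EVENT_HEADER_HOST_INVALID, /* set from libhtp HTP_HOSTH_INVALID */`, spares the reader a trip to HTPErrorCheckTxRequestFlags in app-layer-htp.c. Inserting mid-enum also shifts the numeric value of `HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR` and every constant after it; that is harmless while rule keywords resolve through the string table in app-layer-htp.c, but presumably matters if any output path ever emits the raw number, which this hunk cannot show.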