http: add new events for invalid host header and host part of uri

rules/http-events.rules

@@ -37,5 +37,10 @@ alert http any any -> any any (msg:"SURICATA HTTP multipart no filedata"; flow:e
 alert http any any -> any any (msg:"SURICATA HTTP multipart invalid header"; flow:established,to_server; app-layer-event:http.multipart_invalid_header; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221024; rev:1;)
 # Warn when the port in the Host: header doesn't match the actual TCP Server port.
 alert http any any -> any any (msg:"SURICATA HTTP request server port doesn't match TCP port"; flow:established,to_server; app-layer-event:http.request_server_port_tcp_port_mismatch; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221026; rev:1;)
-# next sid 2221026
+# Host part of URI is invalid
+alert http any any -> any any (msg:"SURICATA HTTP Host part of URI is invalid"; flow:established,to_server; app-layer-event:http.request_uri_host_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221027; rev:1;)
+# Host header is invalid
+alert http any any -> any any (msg:"SURICATA HTTP Host header invalid"; flow:established,to_server; app-layer-event:http.request_header_host_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221028; rev:1;)
+
+# next sid 2221029
 

src/app-layer-htp.c

@@ -139,6 +139,11 @@ SCEnumCharMap http_decoder_event_table[ ] = {
         HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG},
     { "REQUEST_SERVER_PORT_TCP_PORT_MISMATCH",
         HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH},
+    { "REQUEST_URI_HOST_INVALID",
+        HTTP_DECODER_EVENT_URI_HOST_INVALID},
+    { "REQUEST_HEADER_HOST_INVALID",
+        HTTP_DECODER_EVENT_HEADER_HOST_INVALID},
+
     /* suricata warnings/errors */
     { "MULTIPART_GENERIC_ERROR",
         HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR},
@@ -564,7 +569,8 @@ static inline void HTPErrorCheckTxRequestFlags(HtpState *s, htp_tx_t *tx)
     BUG_ON(s == NULL || tx == NULL);
 #endif
     if (tx->flags & (   HTP_REQUEST_INVALID_T_E|HTP_REQUEST_INVALID_C_L|
-                        HTP_HOST_MISSING|HTP_HOST_AMBIGUOUS))
+                        HTP_HOST_MISSING|HTP_HOST_AMBIGUOUS|HTP_HOSTU_INVALID|
+                        HTP_HOSTH_INVALID))
     {
         if (tx->flags & HTP_REQUEST_INVALID_T_E)
             AppLayerDecoderEventsSetEvent(s->f,
@@ -578,6 +584,12 @@ static inline void HTPErrorCheckTxRequestFlags(HtpState *s, htp_tx_t *tx)
         if (tx->flags & HTP_HOST_AMBIGUOUS)
             AppLayerDecoderEventsSetEvent(s->f,
                     HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS);
+        if (tx->flags & HTP_HOSTU_INVALID)
+            AppLayerDecoderEventsSetEvent(s->f,
+                    HTTP_DECODER_EVENT_URI_HOST_INVALID);
+        if (tx->flags & HTP_HOSTH_INVALID)
+            AppLayerDecoderEventsSetEvent(s->f,
+                    HTTP_DECODER_EVENT_HEADER_HOST_INVALID);
     }
 }
 

src/app-layer-htp.h

@@ -113,6 +113,8 @@ enum {
     HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG,
     HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG,
     HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH,
+    HTTP_DECODER_EVENT_URI_HOST_INVALID,
+    HTTP_DECODER_EVENT_HEADER_HOST_INVALID,
 
     /* suricata errors/warnings */
     HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,