app-layer-htp: add swf decompression settings

This adds the settings needed for SWF file decompression
under the libhtp section of suricata.yaml
pull/3209/head
Giuseppe Longo 8 years ago committed by Victor Julien
parent b60065caec
commit d0f92e2a56

@ -2492,6 +2492,52 @@ static void HTPConfigParseParameters(HTPCfgRec *cfg_prec, ConfNode *s,
cfg_prec->http_body_inline = 0;
}
}
} else if (strcasecmp("swf-decompression", p->name) == 0) {
ConfNode *pval;
TAILQ_FOREACH(pval, &p->head, next) {
if (strcasecmp("enabled", pval->name) == 0) {
if (ConfValIsTrue(pval->val)) {
cfg_prec->swf_decompression_enabled = 1;
} else if (ConfValIsFalse(pval->val)) {
cfg_prec->swf_decompression_enabled = 0;
} else {
WarnInvalidConfEntry("swf-decompression.enabled", "%s", "no");
}
} else if (strcasecmp("type", pval->name) == 0) {
if (strcasecmp("no", pval->val) == 0) {
cfg_prec->swf_compression_type = HTTP_SWF_COMPRESSION_NONE;
} else if (strcasecmp("deflate", pval->val) == 0) {
cfg_prec->swf_compression_type = HTTP_SWF_COMPRESSION_ZLIB;
} else if (strcasecmp("lzma", pval->val) == 0) {
cfg_prec->swf_compression_type = HTTP_SWF_COMPRESSION_LZMA;
} else if (strcasecmp("both", pval->val) == 0) {
cfg_prec->swf_compression_type = HTTP_SWF_COMPRESSION_BOTH;
} else {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY,
"Invalid entry for "
"swf-decompression.type: %s - "
"Killing engine", pval->val);
exit(EXIT_FAILURE);
}
} else if (strcasecmp("compress-depth", pval->name) == 0) {
if (ParseSizeStringU32(pval->val, &cfg_prec->swf_compress_depth) < 0) {
SCLogError(SC_ERR_SIZE_PARSE,
"Error parsing swf-decompression.compression-depth "
"from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE);
}
} else if (strcasecmp("decompress-depth", pval->name) == 0) {
if (ParseSizeStringU32(pval->val, &cfg_prec->swf_decompress_depth) < 0) {
SCLogError(SC_ERR_SIZE_PARSE,
"Error parsing swf-decompression.decompression-depth "
"from conf file - %s. Killing engine", p->val);
exit(EXIT_FAILURE);
}
} else {
SCLogWarning(SC_ERR_UNKNOWN_VALUE, "Ignoring unknown param %s", pval->name);
}
}
} else {
SCLogWarning(SC_ERR_UNKNOWN_VALUE, "LIBHTP Ignoring unknown "
"default config: %s", p->name);

@ -111,6 +111,13 @@ enum {
HTTP_DECODER_EVENT_MULTIPART_INVALID_HEADER,
};
typedef enum HtpSwfCompressType_ {
HTTP_SWF_COMPRESSION_NONE = 0,
HTTP_SWF_COMPRESSION_ZLIB,
HTTP_SWF_COMPRESSION_LZMA,
HTTP_SWF_COMPRESSION_BOTH,
} HtpSwfCompressType;
typedef struct HTPCfgDir_ {
uint32_t body_limit;
uint32_t inspect_min_size;
@ -130,6 +137,11 @@ typedef struct HTPCfgRec_ {
int randomize_range;
int http_body_inline;
int swf_decompression_enabled;
HtpSwfCompressType swf_compression_type;
uint32_t swf_decompress_depth;
uint32_t swf_compress_depth;
HTPCfgDir request;
HTPCfgDir response;
} HTPCfgRec;
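Review bot: The new HTPCfgRec members and the HtpSwfCompressType enum carry no comments, so a reader of the header cannot tell that the two depth fields are limits where 0 means unlimited, which is what the suricata.yaml text in this commit states. Suggest `uint32_t swf_decompress_depth; /* max amount of decompressed data to obtain, 0 = unlimited */` and `uint32_t swf_compress_depth; /* max amount of data to decompress, 0 = unlimited */`, plus a one-line comment on the enum noting that it mirrors the swf-decompression.type setting. The HTPCfgRec_ struct definition starts before this hunk.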

@ -890,6 +890,20 @@ app-layer:
# auto will use http-body-inline mode in IPS mode, yes or no set it statically
http-body-inline: auto
# Decompress SWF files.
# 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
# compress-depth:
# Specifies the maximum amount of data to decompress,
# set 0 for unlimited.
# decompress-depth:
# Specifies the maximum amount of decompressed data to obtain,
# set 0 for unlimited.
swf-decompression:
enabled: yes
type: both
compress-depth: 0
decompress-depth: 0
# Take a random value for inspection sizes around the specified value.
# This lower the risk of some evasion technics but could lead
# detection change between runs. It is set to 'yes' by default.
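Review bot: The shipped defaults `compress-depth: 0` and `decompress-depth: 0` disable both limits while `enabled: yes` turns the feature on, so a highly compressible SWF body could make the engine produce and inspect an unbounded amount of decompressed data; a bounded default, or at least a comment next to these keys stating the resource-exhaustion trade-off of 0, would be prudent. The comment `# 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma` lists three values, and the parser in this commit additionally accepts 'no'; rewording it as `# type: 'no', 'deflate', 'lzma' or 'both' (both decompresses deflate and lzma)` would match the code.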
