http: fix some decoder events

Some events we retrieved from error messages are flag now, so check those. Not all can be converted though. These are no longer set: HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE HTTP_DECODER_EVENT_INVALID_AUTHORITY_PORT Part of Bug #982.
12 years ago · 43b39d333f
parent 85f13c4e28
commit 43b39d333f
1 changed files with 45 additions and 8 deletions
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@ -399,23 +399,24 @@ void AppLayerHtpNeedFileInspection(void)
    SCReturn;
 }

+/* below error messages updated up to libhtp 0.5.7 (git 379632278b38b9a792183694a4febb9e0dbd1e7a) */
 struct {
    char *msg;
    int  de;
 } htp_errors[] = {
    { "GZip decompressor: inflateInit2 failed", HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED},
    { "Request field invalid: colon missing", HTTP_DECODER_EVENT_REQUEST_FIELD_MISSING_COLON},
-    { "Response field invalid: colon missing", HTTP_DECODER_EVENT_RESPONSE_FIELD_MISSING_COLON},
+    { "Response field invalid: missing colon", HTTP_DECODER_EVENT_RESPONSE_FIELD_MISSING_COLON},
    { "Request chunk encoding: Invalid chunk length", HTTP_DECODER_EVENT_INVALID_REQUEST_CHUNK_LEN},
    { "Response chunk encoding: Invalid chunk length", HTTP_DECODER_EVENT_INVALID_RESPONSE_CHUNK_LEN},
-    { "Invalid T-E value in request", HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST},
-    { "Invalid T-E value in response", HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE},
-    { "Invalid C-L field in request", HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST},
+/*  { "Invalid T-E value in request", HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST}, <- tx flag HTP_REQUEST_INVALID_T_E
+    { "Invalid T-E value in response", HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_RESPONSE}, <- nothing to replace it */
+/*  { "Invalid C-L field in request", HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST}, <- tx flag HTP_REQUEST_INVALID_C_L */
    { "Invalid C-L field in response", HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_RESPONSE},
    { "Already seen 100-Continue", HTTP_DECODER_EVENT_100_CONTINUE_ALREADY_SEEN},
    { "Unable to match response to request", HTTP_DECODER_EVENT_UNABLE_TO_MATCH_RESPONSE_TO_REQUEST},
    { "Invalid server port information in request", HTTP_DECODER_EVENT_INVALID_SERVER_PORT_IN_REQUEST},
-    { "Invalid authority port", HTTP_DECODER_EVENT_INVALID_AUTHORITY_PORT},
+/*    { "Invalid authority port", HTTP_DECODER_EVENT_INVALID_AUTHORITY_PORT}, htp no longer returns this error */
    { "Request buffer over", HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG},
    { "Response buffer over", HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG},
 };
@ -429,11 +430,14 @@ struct {
    { "Response field invalid", HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID},
    { "Request header name is not a token", HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID},
    { "Response header name is not a token", HTTP_DECODER_EVENT_RESPONSE_HEADER_INVALID},
-    { "Host information in request headers required by HTTP/1.1", HTTP_DECODER_EVENT_MISSING_HOST_HEADER},
-    { "Host information ambiguous", HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS},
+/*  { "Host information in request headers required by HTTP/1.1", HTTP_DECODER_EVENT_MISSING_HOST_HEADER}, <- tx flag HTP_HOST_MISSING
+    { "Host information ambiguous", HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS}, <- tx flag HTP_HOST_AMBIGUOUS */
    { "Invalid request field folding", HTTP_DECODER_EVENT_INVALID_REQUEST_FIELD_FOLDING},
    { "Invalid response field folding", HTTP_DECODER_EVENT_INVALID_RESPONSE_FIELD_FOLDING},
-    { "Request server port number differs from the actual TCP port", HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH},
+    /* line is now: htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Request server port=%d number differs from the actual TCP port=%d", port, connp->conn->server_port);
+     * luckily, "Request server port=" is unique */
+/*    { "Request server port number differs from the actual TCP port", HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH}, */
+    { "Request server port=", HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH},
 };

 #define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
@ -554,6 +558,29 @@ static void HTPHandleWarning(HtpState *s) {
    }
 }

+static inline void HTPErrorCheckTxRequestFlags(HtpState *s, htp_tx_t *tx)
+{
+#ifdef DEBUG
+    BUG_ON(s == NULL || tx == NULL);
+#endif
+    if (tx->flags & (   HTP_REQUEST_INVALID_T_E|HTP_REQUEST_INVALID_C_L|
+                        HTP_HOST_MISSING|HTP_HOST_AMBIGUOUS))
+    {
+        if (tx->flags & HTP_REQUEST_INVALID_T_E)
+            AppLayerDecoderEventsSetEvent(s->f,
+                    HTTP_DECODER_EVENT_INVALID_TRANSFER_ENCODING_VALUE_IN_REQUEST);
+        if (tx->flags & HTP_REQUEST_INVALID_C_L)
+            AppLayerDecoderEventsSetEvent(s->f,
+                    HTTP_DECODER_EVENT_INVALID_CONTENT_LENGTH_FIELD_IN_REQUEST);
+        if (tx->flags & HTP_HOST_MISSING)
+            AppLayerDecoderEventsSetEvent(s->f,
+                    HTTP_DECODER_EVENT_MISSING_HOST_HEADER);
+        if (tx->flags & HTP_HOST_AMBIGUOUS)
+            AppLayerDecoderEventsSetEvent(s->f,
+                    HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS);
+    }
+}
+
 /**
 *  \brief  Function to handle the reassembled data from client and feed it to
 *          the HTP library to process it.
@ -1890,6 +1917,8 @@ static int HTPCallbackRequest(htp_tx_t *tx) {
    SCLogDebug("HTTP request completed");

    if (tx != NULL) {
+        HTPErrorCheckTxRequestFlags(hstate, tx);
+
        HtpTxUserData *htud = (HtpTxUserData *)htp_tx_get_user_data(tx);
        if (htud != NULL) {
            if (htud->tsflags & HTP_FILENAME_SET) {
@ -1961,6 +1990,10 @@ static int HTPCallbackRequestLine(htp_tx_t *tx)
    tx_ud->request_uri_normalized = request_uri_normalized;
    htp_tx_set_user_data(tx, tx_ud);

+    if (tx && tx->flags) {
+        HtpState *hstate = htp_connp_get_user_data(tx->connp);
+        HTPErrorCheckTxRequestFlags(hstate, tx);
+    }
    return HTP_OK;
 }

@ -2011,6 +2044,10 @@ static int HTPCallbackRequestHeaderData(htp_tx_data_t *tx_data)
           tx_data->data, tx_data->len);
    tx_ud->request_headers_raw_len += tx_data->len;

+    if (tx_data->tx && tx_data->tx->flags) {
+        HtpState *hstate = htp_connp_get_user_data(tx_data->tx->connp);
+        HTPErrorCheckTxRequestFlags(hstate, tx_data->tx);
+    }
    return HTP_OK;
 }