http2: event on mismatch between authority and host

Ticket: #6425
1 year ago · 46a46e5b1f
parent ae72ce77fa
commit 46a46e5b1f
2 changed files with 18 additions and 0 deletions
--- a/rules/http2-events.rules
+++ b/rules/http2-events.rules
@ -18,3 +18,4 @@ alert http2 any any -> any any (msg:"SURICATA HTTP2 failed decompression"; flow:
 alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid range header"; flow:established; app-layer-event:http2.invalid_range; classtype:protocol-command-decode; sid:2290010; rev:1;)
 alert http2 any any -> any any (msg:"SURICATA HTTP2 variable-length integer overflow"; flow:established; app-layer-event:http2.header_integer_overflow; classtype:protocol-command-decode; sid:2290011; rev:1;)
 alert http2 any any -> any any (msg:"SURICATA HTTP2 too many streams"; flow:established; app-layer-event:http2.too_many_streams; classtype:protocol-command-decode; sid:2290012; rev:1;)
+alert http2 any any -> any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; app-layer-event:http2.authority_host_mismatch; classtype:protocol-command-decode; sid:2290013; rev:1;)
--- a/rust/src/http2/http2.rs
+++ b/rust/src/http2/http2.rs
@ -203,9 +203,25 @@ impl HTTP2Transaction {
    }

    fn handle_headers(&mut self, blocks: &[parser::HTTP2FrameHeaderBlock], dir: Direction) {
+        let mut authority = None;
+        let mut host = None;
        for block in blocks {
            if block.name == b"content-encoding" {
                self.decoder.http2_encoding_fromvec(&block.value, dir);
+            } else if block.name.eq_ignore_ascii_case(b":authority") {
+                authority = Some(&block.value);
+            } else if block.name.eq_ignore_ascii_case(b"host") {
+                host = Some(&block.value);
+            }
+        }
+        if let Some(a) = authority {
+            if let Some(h) = host {
+                if !a.eq_ignore_ascii_case(h) {
+                    // The event is triggered only if both headers
+                    // are in the same frame to avoid excessive
+                    // complexity at runtime.
+                    self.set_event(HTTP2Event::AuthorityHostMismatch);
+                }
            }
        }
    }
@ -383,6 +399,7 @@ pub enum HTTP2Event {
    InvalidRange,
    HeaderIntegerOverflow,
    TooManyStreams,
+    AuthorityHostMismatch,
 }

 pub struct HTTP2DynTable {