From 9f519e95a275e478051c6f270caced2e93541acf Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 23 Nov 2012 10:56:22 +0100
Subject: [PATCH] http: add event for libhtp detection of request port not matching tcp port.
---
 rules/http-events.rules | 4 +++-
 src/app-layer-htp.c | 4 +++-
 src/app-layer-htp.h | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/rules/http-events.rules b/rules/http-events.rules
index e779b8fb50..0563ca17ad 100644
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@@ -35,5 +35,7 @@ alert http any any -> any any (msg:"SURICATA HTTP multipart generic error"; flow
 alert http any any -> any any (msg:"SURICATA HTTP multipart no filedata"; flow:established,to_server; app-layer-event:http.multipart_no_filedata; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221023; rev:1;)
 # Multipart header invalid.
 alert http any any -> any any (msg:"SURICATA HTTP multipart invalid header"; flow:established,to_server; app-layer-event:http.multipart_invalid_header; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221024; rev:1;)
-# next sid 2221025
+# Warn when the port in the Host: header doesn't match the actual TCP Server port.
+alert http any any -> any any (msg:"SURICATA HTTP request server port doesn't match TCP port"; flow:established,to_server; app-layer-event:http.request_server_port_tcp_port_mismatch; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221026; rev:1;)
+# next sid 2221026
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index c8ed30417e..072b40cbe6 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
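Review bot: The sid bookkeeping at the end of the hunk is off by one: the removed marker said `# next sid 2221025`, the new rule takes `sid:2221026`, and the new marker `# next sid 2221026` hands out the sid the new rule just consumed, so the next rule added to this file would collide with it. Either give the new rule `sid:2221025;` and keep `# next sid 2221026`, or keep `sid:2221026;` and change the marker to `# next sid 2221027`. Only part of the rules file is visible here, so I cannot confirm whether 2221025 is already used elsewhere in it. The new comment describes the check in terms of the Host: header, while the libhtp message added in app-layer-htp.c speaks of the request's server port; if libhtp also takes that port from the request line, the comment should say so.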
@@ -130,7 +130,8 @@ SCEnumCharMap http_decoder_event_table[ ] = {
       HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG},
     { "RESPONSE_FIELD_TOO_LONG",
       HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG},
-
+    { "REQUEST_SERVER_PORT_TCP_PORT_MISMATCH",
+      HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH},
     /* suricata warnings/errors */
     { "MULTIPART_GENERIC_ERROR",
       HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR},
@@ -419,6 +420,7 @@ struct {
     { "Host information ambiguous", HTTP_DECODER_EVENT_HOST_HEADER_AMBIGUOUS},
     { "Invalid request field folding", HTTP_DECODER_EVENT_INVALID_REQUEST_FIELD_FOLDING},
     { "Invalid response field folding", HTTP_DECODER_EVENT_INVALID_RESPONSE_FIELD_FOLDING},
+    { "Request server port number differs from the actual TCP port", HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH},
 };
 #define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
diff --git a/src/app-layer-htp.h b/src/app-layer-htp.h
index 90471e4b73..b4e2c7b6e0 100644
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@@ -112,6 +112,7 @@ enum {
     HTTP_DECODER_EVENT_INVALID_RESPONSE_FIELD_FOLDING,
     HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG,
     HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG,
+    HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH,
     /* suricata errors/warnings */
     HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,
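Review bot: The two added entries in `http_decoder_event_table` replace the blank line that separated the libhtp-derived events from the `/* suricata warnings/errors */` group, so the two groups now run together; keep the new pair and restore the empty line before the comment. The string `"REQUEST_SERVER_PORT_TCP_PORT_MISMATCH"` is presumably what the `app-layer-event:http.request_server_port_tcp_port_mismatch` keyword in the rules hunk is resolved against, which makes the two files silently coupled; a one-line comment at the head of the table, `/* names are referenced by app-layer-event:http.<name> in rules/http-events.rules */`, would make that explicit. The table starts before this hunk.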
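Review bot: The new `htp_errors` entry `"Request server port number differs from the actual TCP port"` can only fire if it is byte-identical to the message libhtp logs for this condition, and nothing in the hunk ties the two together, so a later wording change in libhtp would silently disable the event rather than fail. Add a comment on the entry naming where the text was copied from, e.g. `/* must match libhtp's message text in <LIBHTP_FILE>:<FUNCTION>, checked against libhtp <VERSION> */`, with the placeholders filled in from the libhtp tree. A unit test that feeds a request whose Host: port differs from the flow's server port and asserts the event is raised would catch such drift at build time. The `htp_errors` table starts before this hunk.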
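Review bot: Inserting `HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH` in the middle of the enum renumbers every suricata-side event after it, from `HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR` onward. That is harmless as long as events are only ever resolved by name through the SCEnumCharMap in app-layer-htp.c, which is what the .c hunk suggests, but if any output format or stored state carries the numeric value its meaning changes across this commit, which is worth confirming. A short comment on the enum, such as `/* values are not stable across releases; events are looked up by name via http_decoder_event_table */`, would record that assumption. The enum starts before this hunk and continues after it.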