http: new event for auth unrecognized

activates libhtp auth parsing Fixes #984
7 years ago · a1c6e091ac
parent 7d6875fb68
commit a1c6e091ac
3 changed files with 13 additions and 2 deletions
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@ -52,5 +52,7 @@ alert http any any -> any any (msg:"SURICATA HTTP Request line with leading whit
 alert http any any -> any any (msg:"SURICATA HTTP Request too many encoding layers"; flow:established,to_server; app-layer-event:http.too_many_encoding_layers; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221032; rev:1;)
 alert http any any -> any any (msg:"SURICATA HTTP Request abnormal Content-Encoding header"; flow:established,to_server; app-layer-event:http.abnormal_ce_header; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221033; rev:1;)

-# next sid 2221034
+alert http any any -> any any (msg:"SURICATA HTTP Request unrecognized authorization method"; flow:established,to_server; app-layer-event:http.request_auth_unrecognized; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221034; rev:1;)
+
+# next sid 2221035

--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@ -144,6 +144,8 @@ SCEnumCharMap http_decoder_event_table[ ] = {
        HTTP_DECODER_EVENT_URI_HOST_INVALID},
    { "REQUEST_HEADER_HOST_INVALID",
        HTTP_DECODER_EVENT_HEADER_HOST_INVALID},
+    { "REQUEST_AUTH_UNRECOGNIZED",
+        HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED},
    { "URI_DELIM_NON_COMPLIANT",
        HTTP_DECODER_EVENT_URI_DELIM_NON_COMPLIANT},
    { "METHOD_DELIM_NON_COMPLIANT",
@ -641,6 +643,13 @@ static inline void HTPErrorCheckTxRequestFlags(HtpState *s, htp_tx_t *tx)
            HTPSetEvent(s, htud,
                    HTTP_DECODER_EVENT_HEADER_HOST_INVALID);
    }
+    if (tx->request_auth_type == HTP_AUTH_UNRECOGNIZED) {
+        HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
+        if (htud == NULL)
+            return;
+
+        HTPSetEvent(s, htud, HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED);
+    }
 }

 static int Setup(Flow *f, HtpState *hstate)
@ -2255,7 +2264,6 @@ static void HTPConfigSetDefaultsPhase1(HTPCfgRec *cfg_prec)
    htp_config_register_response_complete(cfg_prec->cfg, HTPCallbackResponse);

    htp_config_set_parse_request_cookies(cfg_prec->cfg, 0);
-    htp_config_set_parse_request_auth(cfg_prec->cfg, 0);

    /* don't convert + to space by default */
    htp_config_set_plusspace_decode(cfg_prec->cfg, HTP_DECODER_URLENCODED, 0);
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@ -106,6 +106,7 @@ enum {
    HTTP_DECODER_EVENT_REQUEST_LINE_LEADING_WHITESPACE,
    HTTP_DECODER_EVENT_TOO_MANY_ENCODING_LAYERS,
    HTTP_DECODER_EVENT_ABNORMAL_CE_HEADER,
+    HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED,

    /* suricata errors/warnings */
    HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,