New app layer event for invalid http request line

Handles logs from libhtp even if case of error
7 years ago · b5f3e03209
parent 4a74e9edcc
commit b5f3e03209
3 changed files with 18 additions and 2 deletions
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@ -71,5 +71,7 @@ alert http any any -> any any (msg:"SURICATA HTTP Request line incomplete"; flow

 alert http any any -> any any (msg:"SURICATA HTTP Request double encoded URI"; flow:established,to_server; app-layer-event:http.double_encoded_uri; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221043; rev:1;)

-# next sid 2221044
+alert http any any -> any any (msg:"SURICATA HTTP Invalid Request line"; flow:established,to_server; app-layer-event:http.request_line_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221044; rev:1;)
+alert http any any -> any any (msg:"SURICATA HTTP Unexpected Request body"; flow:established,to_server; app-layer-event:http.request_body_unexpected; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221045; rev:1;)

+# next sid 2221046
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@ -138,6 +138,10 @@ SCEnumCharMap http_decoder_event_table[ ] = {
        HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG},
    { "RESPONSE_FIELD_TOO_LONG",
        HTTP_DECODER_EVENT_RESPONSE_FIELD_TOO_LONG},
+    { "REQUEST_LINE_INVALID",
+        HTTP_DECODER_EVENT_REQUEST_LINE_INVALID},
+    { "REQUEST_BODY_UNEXPECTED",
+        HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED},
    { "REQUEST_SERVER_PORT_TCP_PORT_MISMATCH",
        HTTP_DECODER_EVENT_REQUEST_SERVER_PORT_TCP_PORT_MISMATCH},
    { "REQUEST_URI_HOST_INVALID",
@ -539,6 +543,7 @@ struct {
    { "Invalid response line: invalid protocol", HTTP_DECODER_EVENT_RESPONSE_INVALID_PROTOCOL},
    { "Invalid response line: invalid response status", HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS},
    { "Request line incomplete", HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE},
+    { "Unexpected request body", HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED},
 };

 #define HTP_ERROR_MAX (sizeof(htp_errors) / sizeof(htp_errors[0]))
@ -673,9 +678,16 @@ static inline void HTPErrorCheckTxRequestFlags(HtpState *s, htp_tx_t *tx)
        HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
        if (htud == NULL)
            return;
-
        HTPSetEvent(s, htud, HTTP_DECODER_EVENT_AUTH_UNRECOGNIZED);
    }
+    if (tx->is_protocol_0_9 && tx->request_method_number == HTP_M_UNKNOWN &&
+        (tx->request_protocol_number == HTP_PROTOCOL_INVALID ||
+         tx->request_protocol_number == HTP_PROTOCOL_UNKNOWN)) {
+        HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
+        if (htud == NULL)
+            return;
+        HTPSetEvent(s, htud, HTTP_DECODER_EVENT_REQUEST_LINE_INVALID);
+    }
 }

 static int Setup(Flow *f, HtpState *hstate)
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@ -116,6 +116,8 @@ enum {
    HTTP_DECODER_EVENT_RESPONSE_INVALID_STATUS,
    HTTP_DECODER_EVENT_REQUEST_LINE_INCOMPLETE,
    HTTP_DECODER_EVENT_DOUBLE_ENCODED_URI,
+    HTTP_DECODER_EVENT_REQUEST_LINE_INVALID,
+    HTTP_DECODER_EVENT_REQUEST_BODY_UNEXPECTED,

    /* suricata errors/warnings */
    HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,