Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix HTTP evasion

Browse source 
- Happen when there is no CRLF at the end of HTTP
    - Fix by adding CRLF when packet is complete (in relation to content-length in header)
This commit is contained in:
jerome Grandvalet 2021-07-23 09:28:29 +02:00
parent 9383c926ad
commit 8cabecec40
8 changed files with 74 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

25
src/analyzer/protocol/tcp/ContentLine.cc
View file

@ -31,6 +31,7 @@ void ContentLine_Analyzer::InitState()
seq = 0;
seq_to_skip = 0;
plain_delivery_length = 0;
delivery_length = -1;
is_plain = false;
suppress_weirds = false;
@ -91,8 +92,19 @@ void ContentLine_Analyzer::DeliverStream(int len, const u_char* data,
return;
}
if ( delivery_length > 0 )
delivery_length -= len;
DoDeliver(len, data);
// If we have parsed all the data of the packet but there is no CRLF at the end
// Force the process by flushing buffer
if ( delivery_length == 0 && HasPartialLine() )
{
Weird("No CRLF at the end of the packet");
DoDeliver(2, (const u_char*) "\r\n");
}
seq += len;
}
@ -119,6 +131,19 @@ void ContentLine_Analyzer::SetPlainDelivery(int64_t length)
plain_delivery_length = length;
}
void ContentLine_Analyzer::SetDeliverySize(int64_t length)
{
// Length can be unset with -1 value, all other negative length will be rejected
if ( length < -1 )
{
reporter->AnalyzerError(
this, "negative length for delivery size");
return;
}
delivery_length = length;
}
void ContentLine_Analyzer::DoDeliver(int len, const u_char* data)
{
seq_delivered_in_lines = seq;