diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index 36c92ed6e6..7d249fc9e9 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -1209,7 +1209,14 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 const char* end_of_method = get_HTTP_token(line, end_of_line);
 if ( end_of_method == line )
+ {
+ // something went wrong with get_HTTP_token
+ // perform a weak test to see if the string "HTTP/"
+ // is found at the end of the RequestLine
+ if ( strcasecmp_n(6, end_of_line - 9, " HTTP/") == 0 )
+ goto evasion;
 goto error;
+ }
 rest = skip_whitespace(end_of_method, end_of_line);
@@ -1230,6 +1237,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 return 1;
+evasion:
+ reporter->Weird(Conn(), "possible_evasion_attempt");
+ return 0;
 error:
 reporter->Weird(Conn(), "bad_HTTP_request");
 return 0;
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/http.log
new file mode 100644
index 0000000000..91f26e75e7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/http.log
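Review bot: `end_of_line - 9` in the new guard is formed before anything establishes that the request line holds at least nine bytes, so a short line that makes get_HTTP_token return `line` (presumably an empty line or one starting with a non-token byte) yields a pointer before the buffer and strcasecmp_n then reads out of bounds — in an analyzer fed attacker-controlled traffic that is an out-of-bounds read reachable from a single crafted request. The length check has to come first: `if ( end_of_line - line >= 9 && strcasecmp_n(6, end_of_line - 9, " HTTP/") == 0 )`. The constant 9 also silently assumes a single-digit `HTTP/x.y` suffix and only the leading six bytes are compared, which the comment should say outright, e.g. `// 9 == strlen(" HTTP/x.y"); only " HTTP/" is compared, so this is a heuristic, not a parse`. HTTP_RequestLine begins and ends outside the hunk.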
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path http
+#open 2016-02-05-13-13-06
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types
+#types time string addr port addr port count string string string string string string count count count string count string string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string]
+1452204358.910557 CXWv6p3arKYeMETxOg 192.168.122.130 49157 202.7.177.41 80 1 - - - - 1.1 - 0 14 200 OK - - - (empty) - - - - - FGec0Miu9FfcsYUT4 text/plain
+#close 2016-02-05-13-13-06
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/weird.log
new file mode 100644
index 0000000000..6b1cd809eb
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/weird.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2016-02-05-13-13-06
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1452204358.172926 CXWv6p3arKYeMETxOg 192.168.122.130 49157 202.7.177.41 80 possible_evasion_attempt - F bro
+#close 2016-02-05-13-13-06
diff --git a/testing/btest/Traces/http/http-evasion.trace b/testing/btest/Traces/http/http-evasion.trace
new file mode 100644
index 0000000000..6503d1b366
Binary files /dev/null and b/testing/btest/Traces/http/http-evasion.trace differ
diff --git a/testing/btest/scripts/base/protocols/http/http-evasion.bro b/testing/btest/scripts/base/protocols/http/http-evasion.bro
new file mode 100644
index 0000000000..55e296a96d
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/http-evasion.bro
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -Cr $TRACES/http/http-evasion.trace %INPUT
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff weird.log
+