From 93f52fcdd24fba39ee8abcc0a79dec4701fca02d Mon Sep 17 00:00:00 2001 From: wglodek Date: Sun, 7 Feb 2016 11:22:09 -0500 Subject: [PATCH] detect possible HTTP evasion attempts --- src/analyzer/protocol/http/HTTP.cc | 11 +++++++++++ .../http.log | 10 ++++++++++ .../weird.log | 10 ++++++++++ testing/btest/Traces/http/http-evasion.trace | Bin 0 -> 1188 bytes .../scripts/base/protocols/http/http-evasion.bro | 4 ++++ 5 files changed, 35 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-evasion/http.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-evasion/weird.log create mode 100644 testing/btest/Traces/http/http-evasion.trace create mode 100644 testing/btest/scripts/base/protocols/http/http-evasion.bro diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index 36c92ed6e6..7d249fc9e9 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -1209,7 +1209,14 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) const char* end_of_method = get_HTTP_token(line, end_of_line); if ( end_of_method == line ) + { + // something went wrong with get_HTTP_token + // perform a weak test to see if the string "HTTP/" + // is found at the end of the RequestLine + if ( strcasecmp_n(6, end_of_line - 9, " HTTP/") == 0 ) + goto evasion; goto error; + } rest = skip_whitespace(end_of_method, end_of_line); @@ -1230,6 +1237,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) return 1; +evasion: + reporter->Weird(Conn(), "possible_evasion_attempt"); + return 0; + error: reporter->Weird(Conn(), "bad_HTTP_request"); return 0; diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/http.log new file mode 100644 index 0000000000..91f26e75e7 --- /dev/null 
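Review bot: `end_of_line - 9` in the new guard is formed without first checking that the request line holds at least nine bytes, so a short line whose method token is empty yields a pointer before `line` and the six-byte comparison reads outside the line; gate it on the length, `if ( end_of_line - line >= 9 && strcasecmp_n(6, end_of_line - 9, " HTTP/") == 0 )`. The fixed offset also means only a version field of exactly three characters after "HTTP/" is recognised, which the "weak test" comment should say explicitly, e.g. `// matches only a three-character version such as "1.1"`. The body of HTTP_RequestLine continues between and beyond the two hunks; the second hunk's `evasion:` label mirrors the existing `error:` path and raises nothing further.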
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/http.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path http
+#open 2016-02-05-13-13-06
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types
+#types time string addr port addr port count string string string string string string count count count string count string string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string]
+1452204358.910557 CXWv6p3arKYeMETxOg 192.168.122.130 49157 202.7.177.41 80 1 - - - - 1.1 - 0 14 200 OK - - - (empty) - - - - - FGec0Miu9FfcsYUT4 text/plain
+#close 2016-02-05-13-13-06
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/weird.log
new file mode 100644
index 0000000000..6b1cd809eb
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/weird.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2016-02-05-13-13-06
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1452204358.172926 CXWv6p3arKYeMETxOg 192.168.122.130 49157 202.7.177.41 80 possible_evasion_attempt - F bro
+#close 2016-02-05-13-13-06
diff --git a/testing/btest/Traces/http/http-evasion.trace b/testing/btest/Traces/http/http-evasion.trace new file mode 100644 index 0000000000000000000000000000000000000000..6503d1b36639d39fd5fdf9339014ba30fb02659a GIT binary patch literal 1188 zcmaKq&1(}u7{=e(c57HzX*|_~FnFrav`N~ebxE3?rvmiC z(P%UP2rj1IJ-GZSe-e^7X9a!RuU2Q^?CJNjcYQDoFb1J1sQ0DEx1Qg;^YX;Txh)aY ztFNPrY;#?pkd6Tez2Xbf)8iwgSGb78)pg-7k+YiI-$a;#iN5;W3?`D^pX7@kH@C5;^j#1tw_*2YncccuE-JBob$Q}&`gLHA0yY$dc zV9vDjUO}OuFhxH}Z3;jj{nD3LLmnb%t5F`DsUVw|PjSi$q2 zS@T9#in?XvX5A>50rtP_6ct+1YXLoP#z%ugv{Z4uK-s*m7p-e}FAJ#npajWG$9D8%&Y-xhpHmS(6=E zeq