Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 16:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

detect possible HTTP evasion attempts

Browse source
This commit is contained in:
wglodek 2016-02-07 11:22:09 -05:00
parent 9ec6927cc1
commit 93f52fcdd2
5 changed files with 35 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/analyzer/protocol/http/HTTP.cc
View file

@ -1209,7 +1209,14 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
const char* end_of_method = get_HTTP_token(line, end_of_line);
if ( end_of_method == line )
{
// something went wrong with get_HTTP_token
// perform a weak test to see if the string "HTTP/"
// is found at the end of the RequestLine
if ( strcasecmp_n(6, end_of_line - 9, " HTTP/") == 0 )
goto evasion;
goto error;
}
rest = skip_whitespace(end_of_method, end_of_line);
@ -1230,6 +1237,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
return 1;
evasion:
reporter->Weird(Conn(), "possible_evasion_attempt");
return 0;
error:
reporter->Weird(Conn(), "bad_HTTP_request");
return 0;