Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 22:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

detect possible HTTP evasion attempts

Browse source
This commit is contained in:
wglodek 2016-02-07 11:22:09 -05:00
parent 9ec6927cc1
commit 93f52fcdd2
5 changed files with 35 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/analyzer/protocol/http/HTTP.cc
View file

@ -1209,7 +1209,14 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
const char* end_of_method = get_HTTP_token(line, end_of_line); const char* end_of_method = get_HTTP_token(line, end_of_line);
if ( end_of_method == line ) if ( end_of_method == line )
{
// something went wrong with get_HTTP_token
// perform a weak test to see if the string "HTTP/"
// is found at the end of the RequestLine
if ( strcasecmp_n(6, end_of_line - 9, " HTTP/") == 0 )
goto evasion;
goto error; goto error;
}
rest = skip_whitespace(end_of_method, end_of_line); rest = skip_whitespace(end_of_method, end_of_line);
@ -1230,6 +1237,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
return 1; return 1;
evasion:
reporter->Weird(Conn(), "possible_evasion_attempt");
return 0;
error: error:
reporter->Weird(Conn(), "bad_HTTP_request"); reporter->Weird(Conn(), "bad_HTTP_request");
return 0; return 0;

10
testing/btest/Baseline/scripts.base.protocols.http.http-evasion/http.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#open 2016-02-05-13-13-06
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types
#types time string addr port addr port count string string string string string string count count count string count string string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string]
1452204358.910557 CXWv6p3arKYeMETxOg 192.168.122.130 49157 202.7.177.41 80 1 - - - - 1.1 - 0 14 200 OK - - - (empty) - - - - - FGec0Miu9FfcsYUT4 text/plain
#close 2016-02-05-13-13-06

10
testing/btest/Baseline/scripts.base.protocols.http.http-evasion/weird.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-02-05-13-13-06
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1452204358.172926 CXWv6p3arKYeMETxOg 192.168.122.130 49157 202.7.177.41 80 possible_evasion_attempt - F bro
#close 2016-02-05-13-13-06

BIN
testing/btest/Traces/http/http-evasion.trace Normal file
View file

Binary file not shown.

4
testing/btest/scripts/base/protocols/http/http-evasion.bro Normal file
View file

@ -0,0 +1,4 @@
# @TEST-EXEC: bro -Cr $TRACES/http/http-evasion.trace %INPUT
# @TEST-EXEC: btest-diff http.log
# @TEST-EXEC: btest-diff weird.log