detect possible HTTP evasion attempts

2025-10-02 14:48:21 +00:00 · 2016-02-07 11:22:09 -05:00 · 2016-02-07 11:22:09 -05:00 · 93f52fcdd2
commit 93f52fcdd2
parent 9ec6927cc1
5 changed files with 35 additions and 0 deletions
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@ -1209,7 +1209,14 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 	const char* end_of_method = get_HTTP_token(line, end_of_line);

 	if ( end_of_method == line )
+        {
+            // something went wrong with get_HTTP_token
+            // perform a weak test to see if the string "HTTP/"
+            // is found at the end of the RequestLine
+            if ( strcasecmp_n(6, end_of_line - 9, " HTTP/") == 0 )
+                goto evasion;
 		goto error;
+        }

 	rest = skip_whitespace(end_of_method, end_of_line);

@ -1230,6 +1237,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)

 	return 1;

+evasion:
+    reporter->Weird(Conn(), "possible_evasion_attempt");
+    return 0;
+
 error:
 	reporter->Weird(Conn(), "bad_HTTP_request");
 	return 0;
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/http.log
@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open	2016-02-05-13-13-06
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1452204358.910557	CXWv6p3arKYeMETxOg	192.168.122.130	49157	202.7.177.41	80	1	-	-	-	-	1.1	-	0	14	200	OK	-	-	-	(empty)	-	-	-	-	-	FGec0Miu9FfcsYUT4	text/plain
+#close	2016-02-05-13-13-06
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-evasion/weird.log
@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open	2016-02-05-13-13-06
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
+#types	time	string	addr	port	addr	port	string	string	bool	string
+1452204358.172926	CXWv6p3arKYeMETxOg	192.168.122.130	49157	202.7.177.41	80	possible_evasion_attempt	-	F	bro
+#close	2016-02-05-13-13-06
--- a/testing/btest/Traces/http/http-evasion.trace
+++ b/testing/btest/Traces/http/http-evasion.trace
--- a/testing/btest/scripts/base/protocols/http/http-evasion.bro
+++ b/testing/btest/scripts/base/protocols/http/http-evasion.bro
@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -Cr $TRACES/http/http-evasion.trace %INPUT
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff weird.log
+