diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index c7a7794817..318a3f9774 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -984,6 +984,9 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) // responder because we expect raw data. if ( request_version == HTTP_VersionNumber{0, 9} ) { + if ( request_method->ToStdString() != "GET" ) + Weird("invalid_http_09_request_method", request_method->CheckString()); + reply_state = EXPECT_REPLY_HTTP09; RemoveSupportAnalyzer(content_line_resp); } diff --git a/src/telemetry/telemetry.bif b/src/telemetry/telemetry.bif index d35c39e24f..7b3b423a86 100644 --- a/src/telemetry/telemetry.bif +++ b/src/telemetry/telemetry.bif @@ -78,7 +78,6 @@ bool is_valid(zeek::Span labels, { return std::find(keys.begin(), keys.end(), x.first) != keys.end(); }; - return labels.size() == label_names.size() && std::all_of(labels.begin(), labels.end(), key_in_label_names); } diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-09/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-09/weird.log index 0c40a3a626..6dc53fba56 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-09/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-09/weird.log @@ -7,6 +7,7 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source #types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 42964 127.0.0.1 80 invalid_http_09_request_method POST F zeek HTTP XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 127.0.0.1 42968 127.0.0.1 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 127.0.0.1 42970 127.0.0.1 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 127.0.0.1 42972 127.0.0.1 80 bad_HTTP_request - F zeek HTTP diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log index 3d9f1e995a..36aac43a4e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log @@ -18,20 +18,27 @@ XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 128.2.6.136 46574 173.194.75.103 80 bad_HTT XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request_with_version - F zeek HTTP XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - +XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 invalid_http_09_request_method CCM_POST F zeek HTTP XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - +XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 128.2.6.136 46583 173.194.75.103 80 invalid_http_09_request_method CONNECT F zeek HTTP XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 128.2.6.136 46584 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CFSwNi4CNGxcuffo49 128.2.6.136 46588 173.194.75.103 80 invalid_http_09_request_method TRACE F zeek HTTP XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl 128.2.6.136 46593 173.194.75.103 80 invalid_http_09_request_method DELETE F zeek HTTP XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CTrywc2ra7tcWn2af 128.2.6.136 46598 173.194.75.103 80 invalid_http_09_request_method PUT F zeek HTTP XXXXXXXXXX.XXXXXX CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CImWJ03GsvPvA0P67i 128.2.6.136 46603 173.194.75.103 80 invalid_http_09_request_method POST F zeek HTTP XXXXXXXXXX.XXXXXX CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CudMuD3jKHCaCU5CE 128.2.6.136 46608 173.194.75.103 80 invalid_http_09_request_method HEAD F zeek HTTP XXXXXXXXXX.XXXXXX CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F zeek HTTP #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index b6f9d34011..207ec86c28 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -3c4e707f5d18531ec8a82dc14daa48bd19bfb676 \ No newline at end of file +dca3e0c38987ecddbc25f3b378c11bb3e18b47d0 \ No newline at end of file