Add weird for unknown HTTP/0.9 request method

Tim Wojtulewicz 2023-03-09 13:20:03 -07:00
parent 0003495a9b
commit 9cb6de7447
5 changed files with 12 additions and 2 deletions


@ -984,6 +984,9 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
// responder because we expect raw data. // responder because we expect raw data.
if ( request_version == HTTP_VersionNumber{0, 9} ) if ( request_version == HTTP_VersionNumber{0, 9} )
{ {
if ( request_method->ToStdString() != "GET" )
Weird("invalid_http_09_request_method", request_method->CheckString());
reply_state = EXPECT_REPLY_HTTP09; reply_state = EXPECT_REPLY_HTTP09;
RemoveSupportAnalyzer(content_line_resp); RemoveSupportAnalyzer(content_line_resp);
} }
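Review bot: The new weird name `invalid_http_09_request_method` in the HTTP/0.9 branch spells `http` in lowercase, while the other HTTP weirds visible in the updated baselines are `bad_HTTP_request` and `unknown_HTTP_method`, so anyone filtering weird.log by name pattern has to special-case it. Consider `Weird("invalid_HTTP_09_request_method", request_method->CheckString());`. The baseline also shows connection C7fIlMZDuRiqjpYbb logging both this weird and `unknown_HTTP_method` for the same `CCM_POST` request, so it is worth confirming that the double report is intended. A one-line comment above the check, such as `// HTTP/0.9 only defines GET; flag any other method.`, would document why the comparison is against a single literal. DeliverStream's body starts and ends outside the hunk.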


@ -78,7 +78,6 @@ bool is_valid(zeek::Span<const zeek::telemetry::LabelView> labels,
{ {
return std::find(keys.begin(), keys.end(), x.first) != keys.end(); return std::find(keys.begin(), keys.end(), x.first) != keys.end();
}; };
return labels.size() == label_names.size() return labels.size() == label_names.size()
&& std::all_of(labels.begin(), labels.end(), key_in_label_names); && std::all_of(labels.begin(), labels.end(), key_in_label_names);
} }


@ -7,6 +7,7 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
#types time string addr port addr port string string bool string string #types time string addr port addr port string string bool string string
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 42964 127.0.0.1 80 invalid_http_09_request_method POST F zeek HTTP
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 127.0.0.1 42968 127.0.0.1 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 127.0.0.1 42968 127.0.0.1 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 127.0.0.1 42970 127.0.0.1 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 127.0.0.1 42970 127.0.0.1 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 127.0.0.1 42972 127.0.0.1 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 127.0.0.1 42972 127.0.0.1 80 bad_HTTP_request - F zeek HTTP


@ -18,20 +18,27 @@ XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 128.2.6.136 46574 173.194.75.103 80 bad_HTT
XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request_with_version - F zeek HTTP XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request_with_version - F zeek HTTP
XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek -
XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 invalid_http_09_request_method CCM_POST F zeek HTTP
XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek -
XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek -
XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 128.2.6.136 46583 173.194.75.103 80 invalid_http_09_request_method CONNECT F zeek HTTP
XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 128.2.6.136 46584 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 128.2.6.136 46584 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX CFSwNi4CNGxcuffo49 128.2.6.136 46588 173.194.75.103 80 invalid_http_09_request_method TRACE F zeek HTTP
XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl 128.2.6.136 46593 173.194.75.103 80 invalid_http_09_request_method DELETE F zeek HTTP
XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX CTrywc2ra7tcWn2af 128.2.6.136 46598 173.194.75.103 80 invalid_http_09_request_method PUT F zeek HTTP
XXXXXXXXXX.XXXXXX CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX CImWJ03GsvPvA0P67i 128.2.6.136 46603 173.194.75.103 80 invalid_http_09_request_method POST F zeek HTTP
XXXXXXXXXX.XXXXXX CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX CudMuD3jKHCaCU5CE 128.2.6.136 46608 173.194.75.103 80 invalid_http_09_request_method HEAD F zeek HTTP
XXXXXXXXXX.XXXXXX CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
XXXXXXXXXX.XXXXXX CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F zeek HTTP XXXXXXXXXX.XXXXXX CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F zeek HTTP
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -1 +1 @@
3c4e707f5d18531ec8a82dc14daa48bd19bfb676 dca3e0c38987ecddbc25f3b378c11bb3e18b47d0