updated weird message and tests

2025-10-02 14:48:21 +00:00 · 2016-03-04 18:03:24 -05:00 · 2016-03-04 18:03:24 -05:00 · 9ebe7b2a21
commit 9ebe7b2a21
parent 78c0e2355c
7 changed files with 10 additions and 10 deletions
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@ -1214,7 +1214,7 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
            // perform a weak test to see if the string "HTTP/"
            // is found at the end of the RequestLine
            if ( strcasecmp_n(6, end_of_line - 9, " HTTP/") == 0 )
-                goto evasion;
+                goto bad_http_request_with_version;
 		goto error;
        }
@ -1237,8 +1237,8 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 	return 1;
-evasion:
+bad_http_request_with_version:
-    reporter->Weird(Conn(), "possible_evasion_attempt");
+    reporter->Weird(Conn(), "bad_HTTP_request_with_version_field");
    return 0;
 error:
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/http.log
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log
@ -6,5 +6,5 @@
 #open	2016-02-05-13-13-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1452204358.172926	CXWv6p3arKYeMETxOg	192.168.122.130	49157	202.7.177.41	80	possible_evasion_attempt	-	F	bro
+1452204358.172926	CXWv6p3arKYeMETxOg	192.168.122.130	49157	202.7.177.41	80	bad_HTTP_request_with_version_field	-	F	bro
 #close	2016-02-05-13-13-06
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log
@ -13,9 +13,9 @@
 1354328882.949510	C7XEbhP654jzLoe3a	128.2.6.136	46570	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328887.094494	CMXxB5GvmoxJFXdTa	128.2.6.136	46572	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328891.141058	Caby8b1slFea8xwSmb	128.2.6.136	46573	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328891.183942	Che1bq3i2rO3KD1Syg	128.2.6.136	46574	173.194.75.103	80	possible_evasion_attempt	-	F	bro
+1354328891.183942	Che1bq3i2rO3KD1Syg	128.2.6.136	46574	173.194.75.103	80	bad_HTTP_request_with_version_field	-	F	bro
 1354328891.226199	C3SfNE4BWaU4aSuwkc	128.2.6.136	46575	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328891.267625	CEle3f3zno26fFZkrh	128.2.6.136	46576	173.194.75.103	80	possible_evasion_attempt	-	F	bro
+1354328891.267625	CEle3f3zno26fFZkrh	128.2.6.136	46576	173.194.75.103	80	bad_HTTP_request_with_version_field	-	F	bro
 1354328891.309065	CwSkQu4eWZCH7OONC1	128.2.6.136	46577	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
 1354328895.355012	CfTOmO0HKorjr8Zp7	128.2.6.136	46578	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
 1354328895.396634	CzA03V1VcgagLjnO92	128.2.6.136	46579	173.194.75.103	80	bad_HTTP_request	-	F	bro
--- a/testing/btest/Traces/http/http-bad-request-with-version.trace
+++ b/testing/btest/Traces/http/http-bad-request-with-version.trace
--- a/testing/btest/scripts/base/protocols/http/http-bad-request-with-version.bro
+++ b/testing/btest/scripts/base/protocols/http/http-bad-request-with-version.bro
@ -0,0 +1,4 @@
 # @TEST-EXEC: bro -Cr $TRACES/http/http-bad-request-with-version.trace %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log
--- a/testing/btest/scripts/base/protocols/http/http-evasion.bro
+++ b/testing/btest/scripts/base/protocols/http/http-evasion.bro
@ -1,4 +0,0 @@
 # @TEST-EXEC: bro -Cr $TRACES/http/http-evasion.trace %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log