updated weird message and tests

wglodek 2016-03-04 18:03:24 -05:00
parent 78c0e2355c
commit 9ebe7b2a21
7 changed files with 10 additions and 10 deletions


@ -1214,7 +1214,7 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
// perform a weak test to see if the string "HTTP/"
// is found at the end of the RequestLine
if ( strcasecmp_n(6, end_of_line - 9, " HTTP/") == 0 )
goto evasion;
goto bad_http_request_with_version;
goto error;
}
@ -1237,8 +1237,8 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
return 1;
evasion:
reporter->Weird(Conn(), "possible_evasion_attempt");
bad_http_request_with_version:
reporter->Weird(Conn(), "bad_HTTP_request_with_version_field");
return 0;
error:
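Review bot: The `end_of_line - 9` in the `strcasecmp_n(6, end_of_line - 9, " HTTP/")` test has no length check visible in this hunk, so for a request line shorter than 9 bytes the comparison would start before `line` and read outside the request buffer. Because the line content comes straight from network traffic, the guard belongs in the condition itself: `if ( end_of_line - line >= 9 && strcasecmp_n(6, end_of_line - 9, " HTTP/") == 0 )`. HTTP_RequestLine starts and ends outside the hunks shown, so an earlier check may already guarantee the length; if it does, a one-line comment above the test saying so would help. Separately, renaming the weird from `possible_evasion_attempt` to `bad_HTTP_request_with_version_field` means any site policy or notice rule keyed on the old name stops matching without an error, which deserves a mention in the change notes.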


@ -6,5 +6,5 @@
#open 2016-02-05-13-13-06
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1452204358.172926 CXWv6p3arKYeMETxOg 192.168.122.130 49157 202.7.177.41 80 possible_evasion_attempt - F bro
1452204358.172926 CXWv6p3arKYeMETxOg 192.168.122.130 49157 202.7.177.41 80 bad_HTTP_request_with_version_field - F bro
#close 2016-02-05-13-13-06


@ -13,9 +13,9 @@
1354328882.949510 C7XEbhP654jzLoe3a 128.2.6.136 46570 173.194.75.103 80 bad_HTTP_request - F bro
1354328887.094494 CMXxB5GvmoxJFXdTa 128.2.6.136 46572 173.194.75.103 80 bad_HTTP_request - F bro
1354328891.141058 Caby8b1slFea8xwSmb 128.2.6.136 46573 173.194.75.103 80 bad_HTTP_request - F bro
1354328891.183942 Che1bq3i2rO3KD1Syg 128.2.6.136 46574 173.194.75.103 80 possible_evasion_attempt - F bro
1354328891.183942 Che1bq3i2rO3KD1Syg 128.2.6.136 46574 173.194.75.103 80 bad_HTTP_request_with_version_field - F bro
1354328891.226199 C3SfNE4BWaU4aSuwkc 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F bro
1354328891.267625 CEle3f3zno26fFZkrh 128.2.6.136 46576 173.194.75.103 80 possible_evasion_attempt - F bro
1354328891.267625 CEle3f3zno26fFZkrh 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request_with_version_field - F bro
1354328891.309065 CwSkQu4eWZCH7OONC1 128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro
1354328895.355012 CfTOmO0HKorjr8Zp7 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro
1354328895.396634 CzA03V1VcgagLjnO92 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F bro


@ -0,0 +1,4 @@
# @TEST-EXEC: bro -Cr $TRACES/http/http-bad-request-with-version.trace %INPUT
# @TEST-EXEC: btest-diff http.log
# @TEST-EXEC: btest-diff weird.log


@ -1,4 +0,0 @@
# @TEST-EXEC: bro -Cr $TRACES/http/http-evasion.trace %INPUT
# @TEST-EXEC: btest-diff http.log
# @TEST-EXEC: btest-diff weird.log