Better handling of % at end of line.

This commit is contained in:
Johanna Amann 2017-07-27 22:04:47 -07:00
parent 089f87d8da
commit ade9aa219b
5 changed files with 39 additions and 3 deletions


@ -1843,19 +1843,29 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e
if ( line == line_end ) if ( line == line_end )
{ {
// How to deal with % at end of line? *URI_p++ = '%';
// *URI_p++ = '%';
if ( analyzer ) if ( analyzer )
analyzer->Weird("illegal_%_at_end_of_URI"); analyzer->Weird("illegal_%_at_end_of_URI");
break; break;
} }
else if ( line + 1 == line_end )
{
// % + one character at end of line. Log weird
// and just add to unescpaped URI.
*URI_p++ = '%';
*URI_p++ = *line;
if ( analyzer )
analyzer->Weird("partial_escape_at_end_of_URI");
break;
}
else if ( *line == '%' ) else if ( *line == '%' )
{ {
// Double '%' might be either due to // Double '%' might be either due to
// software bug, or more likely, an // software bug, or more likely, an
// evasion (e.g. used by Nimda). // evasion (e.g. used by Nimda).
// *URI_p++ = '%'; *URI_p++ = '%';
if ( analyzer ) if ( analyzer )
analyzer->Weird("double_%_in_URI"); analyzer->Weird("double_%_in_URI");
--line; // ignore the first '%' --line; // ignore the first '%'
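Review bot: The new `else if ( line + 1 == line_end )` branch is tested before `else if ( *line == '%' )`, so a URI that ends in `%%` now takes the partial-escape path (copied through verbatim, weird `partial_escape_at_end_of_URI`) and never reaches the double-`%` branch that the comment below flags as a Nimda-style evasion; previously that input would presumably have produced `double_%_in_URI` (and, after `--line`, `illegal_%_at_end_of_URI`). If the evasion signal is the one worth keeping, check `*line == '%'` first, or at least note the precedence in the new comment. Separately, the new comment has a typo: `// and just add to unescaped URI.`. The enclosing unescape_URI body starts before this hunk and continues past it.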


@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#open 2017-07-28-05-03-01
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 1 GET icir.org /% - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 0 300 400 Bad Request - - (empty) - - - - - - Fp16kg2g0K5oCDByh2 - text/html
1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 1 GET icir.org /%5 - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 0 300 400 Bad Request - - (empty) - - - - - - FAjakt4YvddFQlySjk - text/html
#close 2017-07-28-05-03-01


@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2017-07-28-05-03-01
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 illegal_%_at_end_of_URI - F bro
1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 partial_escape_at_end_of_URI - F bro
#close 2017-07-28-05-03-01

Binary file not shown.


@ -0,0 +1,4 @@
# @TEST-EXEC: bro -Cr $TRACES/http/percent-end-of-line.pcap %INPUT
# @TEST-EXEC: btest-diff http.log
# @TEST-EXEC: btest-diff weird.log