Mirror/zeek - git.uphillsecurity.com: We code.

Mirror/zeek

Fork 0

mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00

Commit graph

Author	SHA1	Message	Date
xb-anssi	c8103dd963	Test how the signature framework matches HTTP body This adds a signatures/http-body-match btest to verify how the signature framework matches HTTP body in requests and responses. It currently fails because the 'http-request-body' and 'http-reply-body' clauses never match anything when there is a '$' in their regular expressions. The other pattern clauses such as the 'payload' clause do not suffer from that restriction and it is not documented as a limitation of HTTP body pattern clauses either, so it is probably a bug. The "http-body-match" btest shows that without a fix any signatures which ends with a '$' in a http-request-body or http-reply-body rule will never raise a signature_match() event, and that signatures which do not end with a '$' cannot distinguish an HTTP body prefixed by the matching pattern (ex: ABCD) from an HTTP body consisting entirely of the matching pattern (ex: AB). Test cases by source port: - 13579: - GET without body, plain res body (CD, only) - 13578: - GET without body, plain res body (CDEF, prefix) - 24680: - POST plain req body (AB, only), plain res body (CD, only) - 24681: - POST plain req body (ABCD, prefix), plain res body (CDEF, prefix) - 24682: - POST gzipped req body (AB, only), gzipped res body (CD, only) - POST plain req body (CD, only), plain res body (EF, only) - 33210: - POST multipart plain req body (AB;CD;EF, prefix) - plain res body (CD, only) - 33211: - POST multipart plain req body (ABCD;EF, prefix) - plain res body (CDEF, prefix) - 34527: - POST chunked gzipped req body (AB, only) - chunked gzipped res body (CD, only) - 34528: - POST chunked gzipped req body (ABCD, prefix) - chunked gzipped res body (CDEF, prefix) The tests with source ports 24680, 24682 and 34527 should match the signature http_request_body_AB_only and the signature http_request_body_AB_prefix, but they only match the latter. The tests with source ports 13579, 24680, 24682, 33210 and 34527 should match the signature http_response_body_CD_only and the signature http_response_body_CD_prefix, but they only match the latter. The tests with source ports 24680, 24681, 33210 and 33211 show how the http_request_body_AB_then_CD signature with two http-request-body conditions match either on one or multiple requests (documented behaviour). The test cases with other source ports show where the http_request_body_AB_only and http_response_body_CD_only signatures should not match because their bodies include more than the searched patterns.	2023-11-03 15:28:15 +01:00

Author

SHA1

Message

Date

xb-anssi

c8103dd963

Test how the signature framework matches HTTP body

This adds a signatures/http-body-match btest to verify how the signature
framework matches HTTP body in requests and responses.

It currently fails because the 'http-request-body' and 'http-reply-body'
clauses never match anything when there is a '$' in their regular
expressions.

The other pattern clauses such as the 'payload' clause do not suffer
from that restriction and it is not documented as a limitation of HTTP
body pattern clauses either, so it is probably a bug.

The "http-body-match" btest shows that without a fix any signatures
which ends with a '$' in a http-request-body or http-reply-body rule
will never raise a signature_match() event, and that signatures which do
not end with a '$' cannot distinguish an HTTP body prefixed by the
matching pattern (ex: ABCD) from an HTTP body consisting entirely of the
matching pattern (ex: AB).

Test cases by source port:
- 13579:
  - GET without body, plain res body (CD, only)
- 13578:
  - GET without body, plain res body (CDEF, prefix)
- 24680:
  - POST plain req body (AB, only), plain res body (CD, only)
- 24681:
  - POST plain req body (ABCD, prefix), plain res body (CDEF, prefix)
- 24682:
  - POST gzipped req body (AB, only), gzipped res body (CD, only)
  - POST plain req body (CD, only), plain res body (EF, only)
- 33210:
  - POST multipart plain req body (AB;CD;EF, prefix)
  - plain res body (CD, only)
- 33211:
  - POST multipart plain req body (ABCD;EF, prefix)
  - plain res body (CDEF, prefix)
- 34527:
  - POST chunked gzipped req body (AB, only)
  - chunked gzipped res body (CD, only)
- 34528:
  - POST chunked gzipped req body (ABCD, prefix)
  - chunked gzipped res body (CDEF, prefix)

The tests with source ports 24680, 24682 and 34527 should
match the signature http_request_body_AB_only and the signature
http_request_body_AB_prefix, but they only match the latter.

The tests with source ports 13579, 24680, 24682, 33210 and 34527 should
match the signature http_response_body_CD_only and the signature
http_response_body_CD_prefix, but they only match the latter.

The tests with source ports 24680, 24681, 33210 and 33211 show how the
http_request_body_AB_then_CD signature with two http-request-body
conditions match either on one or multiple requests (documented
behaviour).

The test cases with other source ports show where the
http_request_body_AB_only and http_response_body_CD_only signatures
should not match because their bodies include more than the searched
patterns.

2023-11-03 15:28:15 +01:00

1 commit