Project

General

Profile

Actions
Copy link

Feature #997

closed
AS PA

Add libhtp event for every htp_log() that needs an event.

Feature #997: Add libhtp event for every htp_log() that needs an event.

Added by Anoop Saldanha over 12 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
5.0rc1
Effort:
Difficulty:
Label:

Description

This support would come from libhtp and suricata's http event engine
would be updated to fully support libhtp's flag based event event engine.

VJ Updated by Victor Julien over 12 years ago Actions
Copy link
 #1

  • Target version changed from 2.0beta2 to 2.0rc2

The event system in libhtp still has to be created. Upstream ideas on this are here https://github.com/ironbee/libhtp/wiki/Events

VJ Updated by Victor Julien about 12 years ago Actions
Copy link
 #2

  • Tracker changed from Bug to Feature
  • Target version changed from 2.0rc2 to 3.0RC2

VJ Updated by Victor Julien over 11 years ago Actions
Copy link
 #3

  • Target version changed from 3.0RC2 to 70

VJ Updated by Victor Julien almost 10 years ago Actions
Copy link
 #4

  • Assignee changed from Anoop Saldanha to OISF Dev

VJ Updated by Victor Julien about 7 years ago Actions
Copy link
 #5

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Philippe Antoine

As a first step, I think we should review which of the warning/error messages are not yet connected to a Suricata event.

PA Updated by Philippe Antoine almost 7 years ago Actions
Copy link
 #6

Here are the interesting log messages for which there are no events
"Request buffer over the limit: size %zd limit %zd."
"Response buffer over the limit: size %zd limit %zd."
"C-T multipart/byteranges in responses not supported"
"Transfer-encoding has abnormal chunked value"
"Chunked transfer-encoding on HTTP/0.9 or HTTP/1.0"
"Invalid response line: invalid protocol"
"Invalid response line: invalid response status %d."
"Request line incomplete"

In addition to that,
There is a message in libhtp which I think is dead code in htp_transaction.c
"[Internal Error] Invalid tx->response_content_encoding_processing value: %d"

And there are log messages which result from a wrong use of libhtp and are not reached by Suricata.

Should I go and create the Suricata events for the first list ?

VJ Updated by Victor Julien almost 7 years ago Actions
Copy link
 #7

Sounds great, lets go with this list.

PA Updated by Philippe Antoine almost 7 years ago Actions
Copy link
 #8

Should we really raise an event for multipart/byterange responses ?
These are regular responses that we should rather parse...
What do you think ?

VJ Updated by Victor Julien almost 7 years ago Actions
Copy link
 #9

I think we should be able to match on it, but not enable a rule for it by default. Byte range support itself is tracked in #1576

VJ Updated by Victor Julien almost 7 years ago Actions
Copy link
 #10

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 5.0rc1
Actions
Copy link

Also available in: PDF Atom