/****************************************************************************
 *
 * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
 * Copyright (C) 2003-2013 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 *
 ****************************************************************************/

/*
 * http_inspect event identifiers, alert-name strings and priority levels.
 *
 * Two enumerations are declared: one for events raised on the client
 * (request) side and one for the server (response) side.  Each enumerator
 * has a matching <NAME>_STR macro holding the alert text.
 */
#ifndef __HI_EO_EVENTS_H__
#define __HI_EO_EVENTS_H__

#include "hi_include.h"

/*
 * Client events.
 *
 * The position of an enumerator is its event number (the first is 0 and
 * each following one is the previous plus one), so the order below is part
 * of the interface: add new events directly before HI_EO_CLIENT_EVENT_NUM
 * and never insert, delete or reorder entries, otherwise every later event
 * is renumbered.
 * NOTE(review): anything that keys on the event number (rule or suppression
 * configuration, presumably) would silently change meaning after a reorder;
 * confirm against the event-logging code.
 */
typedef enum _HI_CLI_EVENTS
{
    HI_EO_CLIENT_ASCII = 0,
    HI_EO_CLIENT_DOUBLE_DECODE,
    HI_EO_CLIENT_U_ENCODE,
    HI_EO_CLIENT_BARE_BYTE,
    /* Base36 is deprecated; the slot stays so later events keep their number. */
    HI_EO_CLIENT_BASE36,
    HI_EO_CLIENT_UTF_8,
    HI_EO_CLIENT_IIS_UNICODE,
    HI_EO_CLIENT_MULTI_SLASH,
    HI_EO_CLIENT_IIS_BACKSLASH,
    HI_EO_CLIENT_SELF_DIR_TRAV,
    HI_EO_CLIENT_DIR_TRAV,
    HI_EO_CLIENT_APACHE_WS,
    HI_EO_CLIENT_IIS_DELIMITER,
    HI_EO_CLIENT_NON_RFC_CHAR,
    HI_EO_CLIENT_OVERSIZE_DIR,
    HI_EO_CLIENT_LARGE_CHUNK,
    HI_EO_CLIENT_PROXY_USE,
    HI_EO_CLIENT_WEBROOT_DIR,
    HI_EO_CLIENT_LONG_HDR,
    HI_EO_CLIENT_MAX_HEADERS,
    HI_EO_CLIENT_MULTIPLE_CONTLEN,
    HI_EO_CLIENT_CHUNK_SIZE_MISMATCH,
    HI_EO_CLIENT_INVALID_TRUEIP,
    HI_EO_CLIENT_MULTIPLE_HOST_HDRS,
    HI_EO_CLIENT_LONG_HOSTNAME,
    HI_EO_CLIENT_EXCEEDS_SPACES,
    HI_EO_CLIENT_CONSECUTIVE_SMALL_CHUNKS,
    HI_EO_CLIENT_UNBOUNDED_POST,
    HI_EO_CLIENT_MULTIPLE_TRUEIP_IN_SESSION,
    HI_EO_CLIENT_BOTH_TRUEIP_XFF_HDRS,
    HI_EO_CLIENT_UNKNOWN_METHOD,
    HI_EO_CLIENT_SIMPLE_REQUEST,
    HI_EO_CLIENT_UNESCAPED_SPACE_URI,
    HI_EO_CLIENT_PIPELINE_MAX,
    HI_EO_CLIENT_MULTIPLE_COLON_BETN_KEY_VALUE,
    HI_EO_CLIENT_INVALID_RANGE_UNIT_FMT,
    HI_EO_CLIENT_RANGE_NON_GET_METHOD,
    HI_EO_CLIENT_RANGE_FIELD_ERROR,
    /* Not an event: its value equals the number of enumerators above it. */
    HI_EO_CLIENT_EVENT_NUM
} HI_CLI_EVENTS;

/*
 * Server events.
 *
 * The same numbering rule applies: order defines the event number, so new
 * events go directly before HI_EO_SERVER_EVENT_NUM.
 * NOTE(review): the two HI_EO_CLISRV_* entries presumably cover both
 * directions while being numbered in the server space; confirm with callers.
 */
typedef enum _HI_EVENTS
{
    HI_EO_ANOM_SERVER = 0,
    HI_EO_SERVER_INVALID_STATCODE,
    HI_EO_SERVER_NO_CONTLEN,
    HI_EO_SERVER_UTF_NORM_FAIL,
    HI_EO_SERVER_UTF7,
    HI_EO_SERVER_DECOMPR_FAILED,
    HI_EO_SERVER_CONSECUTIVE_SMALL_CHUNKS,
    HI_EO_CLISRV_MSG_SIZE_EXCEPTION,
    HI_EO_SERVER_JS_OBFUSCATION_EXCD,
    HI_EO_SERVER_JS_EXCESS_WS,
    HI_EO_SERVER_MIXED_ENCODINGS,
    HI_EO_SERVER_SWF_ZLIB_FAILURE,
    HI_EO_SERVER_SWF_LZMA_FAILURE,
    HI_EO_SERVER_PDF_DEFL_FAILURE,
    HI_EO_SERVER_PDF_UNSUP_COMP_TYPE,
    HI_EO_SERVER_PDF_CASC_COMP,
    HI_EO_SERVER_PDF_PARSE_FAILURE,
    HI_EO_SERVER_PROTOCOL_OTHER,
    HI_EO_SERVER_MULTIPLE_CONTLEN,
    HI_EO_SERVER_MULTIPLE_CONTENT_ENCODING,
    HI_EO_SERVER_MULTIPLE_COLON_BETN_KEY_VALUE,
    HI_EO_SERVER_INVALID_CHAR_BETN_KEY_VALUE,
    HI_EO_CLISRV_INVALID_CHUNKED_ENCODING,
    HI_EO_SERVER_PARTIAL_DECOMPRESSION_FAIL,
    HI_EO_SERVER_INVALID_HEADER_FOLDING,
    HI_EO_SERVER_JUNK_LINE_BEFORE_RESP_HEADER,
    HI_EO_SERVER_NO_RESP_HEADER_END,
    HI_EO_SERVER_INVALID_CHUNK_SIZE,
    HI_EO_SERVER_INVALID_VERSION_RESP_HEADER,
    HI_EO_SERVER_INVALID_CONTENT_RANGE_UNIT_FMT,
    HI_EO_SERVER_RANGE_FIELD_ERROR,
    HI_EO_SERVER_NON_RANGE_GET_PARTIAL_METHOD,
    /* Not an event: its value equals the number of enumerators above it. */
    HI_EO_SERVER_EVENT_NUM
} HI_EVENTS;

/*
 * Alert names for the client events, listed in enumerator order.
 * These literals are the text an analyst sees, so log parsers and
 * correlation rules may match on them; treat a wording change as an
 * interface change.
 */
#define HI_EO_CLIENT_ASCII_STR "(http_inspect) ASCII ENCODING"
#define HI_EO_CLIENT_DOUBLE_DECODE_STR "(http_inspect) DOUBLE DECODING ATTACK"
#define HI_EO_CLIENT_U_ENCODE_STR "(http_inspect) U ENCODING"
#define HI_EO_CLIENT_BARE_BYTE_STR "(http_inspect) BARE BYTE UNICODE ENCODING"
/* Base36 is deprecated; kept so the event and its name stay defined. */
#define HI_EO_CLIENT_BASE36_STR "(http_inspect) BASE36 ENCODING"
#define HI_EO_CLIENT_UTF_8_STR "(http_inspect) UTF-8 ENCODING"
#define HI_EO_CLIENT_IIS_UNICODE_STR "(http_inspect) IIS UNICODE CODEPOINT ENCODING"
#define HI_EO_CLIENT_MULTI_SLASH_STR "(http_inspect) MULTI_SLASH ENCODING"
#define HI_EO_CLIENT_IIS_BACKSLASH_STR "(http_inspect) IIS BACKSLASH EVASION"
#define HI_EO_CLIENT_SELF_DIR_TRAV_STR "(http_inspect) SELF DIRECTORY TRAVERSAL"
#define HI_EO_CLIENT_DIR_TRAV_STR "(http_inspect) DIRECTORY TRAVERSAL"
#define HI_EO_CLIENT_APACHE_WS_STR "(http_inspect) APACHE WHITESPACE (TAB)"
#define HI_EO_CLIENT_IIS_DELIMITER_STR "(http_inspect) NON-RFC HTTP DELIMITER"
#define HI_EO_CLIENT_NON_RFC_CHAR_STR "(http_inspect) NON-RFC DEFINED CHAR"
#define HI_EO_CLIENT_OVERSIZE_DIR_STR "(http_inspect) OVERSIZE REQUEST-URI DIRECTORY"
#define HI_EO_CLIENT_LARGE_CHUNK_STR "(http_inspect) OVERSIZE CHUNK ENCODING"
#define HI_EO_CLIENT_PROXY_USE_STR "(http_inspect) UNAUTHORIZED PROXY USE DETECTED"
#define HI_EO_CLIENT_WEBROOT_DIR_STR "(http_inspect) WEBROOT DIRECTORY TRAVERSAL"
#define HI_EO_CLIENT_LONG_HDR_STR "(http_inspect) LONG HEADER"
#define HI_EO_CLIENT_MAX_HEADERS_STR "(http_inspect) MAX HEADER FIELDS"
#define HI_EO_CLIENT_MULTIPLE_CONTLEN_STR "(http_inspect) MULTIPLE CONTENT LENGTH"
#define HI_EO_CLIENT_CHUNK_SIZE_MISMATCH_STR "(http_inspect) CHUNK SIZE MISMATCH DETECTED"
#define HI_EO_CLIENT_INVALID_TRUEIP_STR "(http_inspect) INVALID IP IN TRUE-CLIENT-IP/XFF HEADER"
#define HI_EO_CLIENT_MULTIPLE_HOST_HDRS_STR "(http_inspect) MULTIPLE HOST HDRS DETECTED"
#define HI_EO_CLIENT_LONG_HOSTNAME_STR "(http_inspect) HOSTNAME EXCEEDS 255 CHARACTERS"
#define HI_EO_CLIENT_EXCEEDS_SPACES_STR "(http_inspect) HEADER PARSING SPACE SATURATION"
#define HI_EO_CLIENT_CONSECUTIVE_SMALL_CHUNKS_STR "(http_inspect) CLIENT CONSECUTIVE SMALL CHUNK SIZES"
#define HI_EO_CLIENT_UNBOUNDED_POST_STR "(http_inspect) POST W/O CONTENT-LENGTH OR CHUNKS"
#define HI_EO_CLIENT_MULTIPLE_TRUEIP_IN_SESSION_STR "(http_inspect) MULTIPLE TRUE IPS IN A SESSION"
#define HI_EO_CLIENT_BOTH_TRUEIP_XFF_HDRS_STR "(http_inspect) BOTH TRUE_CLIENT_IP AND XFF HDRS PRESENT"
#define HI_EO_CLIENT_UNKNOWN_METHOD_STR "(http_inspect) UNKNOWN METHOD"
#define HI_EO_CLIENT_SIMPLE_REQUEST_STR "(http_inspect) SIMPLE REQUEST"
#define HI_EO_CLIENT_UNESCAPED_SPACE_URI_STR "(http_inspect) UNESCAPED SPACE IN HTTP URI"
#define HI_EO_CLIENT_PIPELINE_MAX_STR "(http_inspect) TOO MANY PIPELINED REQUESTS"
#define HI_EO_CLIENT_MULTIPLE_COLON_BETN_KEY_VALUE_STR "(http_inspect) MULTIPLE COLON BETWEEN KEY AND VALUE IN HTTP REQUEST HEADER"
#define HI_EO_CLIENT_INVALID_RANGE_UNIT_FMT_STR "(http_inspect) INVALID RANGE UNIT FORMAT"
#define HI_EO_CLIENT_RANGE_NON_GET_METHOD_STR "(http_inspect) RANGE FIELD PRESENT IN NON GET METHOD"
#define HI_EO_CLIENT_RANGE_FIELD_ERROR_STR "(http_inspect) ERROR IN RANGE FIELD OF REQUEST HEADER"

/*
 * Alert names for the server events, listed in enumerator order.
 */
#define HI_EO_ANOM_SERVER_STR "(http_inspect) ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT"
#define HI_EO_SERVER_INVALID_STATCODE_STR "(http_inspect) INVALID STATUS CODE IN HTTP RESPONSE"
#define HI_EO_SERVER_NO_CONTLEN_STR "(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE"
#define HI_EO_SERVER_UTF_NORM_FAIL_STR "(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE"
#define HI_EO_SERVER_UTF7_STR "(http_inspect) HTTP RESPONSE HAS UTF-7 CHARSET"
#define HI_EO_SERVER_DECOMPR_FAILED_STR "(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED"
#define HI_EO_SERVER_CONSECUTIVE_SMALL_CHUNKS_STR "(http_inspect) SERVER CONSECUTIVE SMALL CHUNK SIZES"
#define HI_EO_CLISRV_MSG_SIZE_EXCEPTION_STR "(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE"
#define HI_EO_SERVER_JS_OBFUSCATION_EXCD_STR "(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1"
#define HI_EO_SERVER_JS_EXCESS_WS_STR "(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED"
#define HI_EO_SERVER_MIXED_ENCODINGS_STR "(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA"
#define HI_EO_SERVER_SWF_ZLIB_FAILURE_STR "(http_inspect) HTTP_RESPONSE SWF FILE ZLIB DECOMPRESSION FAILURE"
#define HI_EO_SERVER_SWF_LZMA_FAILURE_STR "(http_inspect) HTTP_RESPONSE SWF FILE LZMA DECOMPRESSION FAILURE"
#define HI_EO_SERVER_PDF_DEFL_FAILURE_STR "(http_inspect) HTTP_RESPONSE PDF FILE DEFLATE DECOMPRESSION FAILURE"
#define HI_EO_SERVER_PDF_UNSUP_COMP_TYPE_STR "(http_inspect) HTTP_RESPONSE PDF FILE UNSUPPORTED COMPRESSION TYPE"
#define HI_EO_SERVER_PDF_CASC_COMP_STR "(http_inspect) HTTP_RESPONSE PDF FILE CASCADED COMPRESSION"
#define HI_EO_SERVER_PDF_PARSE_FAILURE_STR "(http_inspect) HTTP_RESPONSE PDF FILE PARSE FAILURE"
/* The trailing space before the closing quote is part of the literal. */
#define HI_EO_SERVER_PROTOCOL_OTHER_STR "(http_inspect) PROTOCOL-OTHER HTTP server response before client request "
#define HI_EO_SERVER_MULTIPLE_CONTLEN_STR "(http_inspect) MULTIPLE CONTENT LENGTH IN HTTP RESPONSE"
#define HI_EO_SERVER_MULTIPLE_CONTENT_ENCODING_STR "(http_inspect) MULTIPLE CONTENT ENCODING IN HTTP RESPONSE"
#define HI_EO_SERVER_MULTIPLE_COLON_BETN_KEY_VALUE_STR "(http_inspect) MULTIPLE COLON BETWEEN KEY AND VALUE IN HTTP RESPONSE HEADER"
#define HI_EO_SERVER_INVALID_CHAR_BETN_KEY_VALUE_STR "(http_inspect) INVALID CHARACTER BETWEEN KEY AND VALUE IN HTTP RESPONSE HEADER"
/*
 * NOTE(review): the enumerator is HI_EO_CLISRV_INVALID_CHUNKED_ENCODING but
 * this macro ends in _EXCEPTION_STR.  It is the only name that does not
 * follow the <ENUMERATOR>_STR pattern; the spelling is kept because users of
 * this header may reference it.
 */
#define HI_EO_CLISRV_INVALID_CHUNKED_EXCEPTION_STR "(http_inspect) TRANSFER ENCODING:CHUNKED IN HTTP 1.0 REQUEST/RESPONSE HEADER"
#define HI_EO_SERVER_PARTIAL_DECOMPRESSION_FAIL_STR "(http_inspect) HTTP RESPONSE PARTIAL DECOMPRESSION FAILURE"
#define HI_EO_SERVER_INVALID_HEADER_FOLDING_STR "(http_inspect) INVALID HEADER FOLDING"
#define HI_EO_SERVER_JUNK_LINE_BEFORE_RESP_HEADER_STR "(http_inspect) JUNK LINE BEFORE HTTP RESPONSE HEADER"
#define HI_EO_SERVER_NO_RESP_HEADER_END_STR "(http_inspect) NO END OF HEADER IN RESPONSE"
#define HI_EO_SERVER_INVALID_CHUNK_SIZE_STR "(http_inspect) INVALID CHUNK SIZE OR CHUNK SIZE FOLLOWED BY JUNK CHARACTERS"
#define HI_EO_SERVER_INVALID_VERSION_RESP_HEADER_STR "(http_inspect) INVALID VERSION IN HTTP RESPONSE HEADER"
#define HI_EO_SERVER_INVALID_CONTENT_RANGE_UNIT_FMT_STR "(http_inspect) INVALID CONTENT RANGE UNIT FORMAT"
#define HI_EO_SERVER_RANGE_FIELD_ERROR_STR "(http_inspect) ERROR IN RANGE FIELD OF RESPONSE HEADER"
#define HI_EO_SERVER_NON_RANGE_GET_PARTIAL_METHOD_STR "(http_inspect) RANGE FIELD NOT PRESENT IN GET METHOD, BUT RESPONSE WITH PARTIAL CONTENT"

/*
 * Event priorities.  A lower number is a higher priority.
 */
#define HI_EO_HIGH_PRIORITY 0
#define HI_EO_MED_PRIORITY 1
#define HI_EO_LOW_PRIORITY 2

#endif