-
Notifications
You must be signed in to change notification settings - Fork 4
Expand file tree
/
Copy pathheader-test.bro
More file actions
53 lines (38 loc) · 1.24 KB
/
header-test.bro
File metadata and controls
53 lines (38 loc) · 1.24 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
##! Test HTTP header values for the general form of CVE-2014-6271
@load base/protocols/http/main
module HTTP;
export {
redef enum Notice::Type += {
HTTP_Suspicious_Client_Header,
HTTP_Suspicious_Server_Header,
};
## A boolean value to determine if client header names are to be tested
const test_client_header_names = T &redef;
## A boolean value to determine if server header names are to be logged.
const test_server_header_names = T &redef;
## Looking for the general form:
## http-header = Host:() { :; }; ping
##
const header_pattern = /.*\(.*\).*\{.*\:.*\;.*\}/ &redef;
## Some header fields just have too much junk in them...
const header_whitelist = /COOKIE/ &redef;
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
{
if ( is_orig && test_client_header_names )
{
if ( header_pattern in value && header_whitelist !in name ) {
NOTICE([$note=HTTP_Suspicious_Client_Header,
$conn = c,
$msg = fmt("%s : %s", name, value)]);
}
}
if ( !is_orig && test_server_header_names )
{
if ( header_pattern in value && header_whitelist !in name ) {
NOTICE([$note=HTTP_Suspicious_Server_Header,
$conn = c,
$msg = fmt("%s : %s", name, value)]);
}
}
}