/*
* HTTP Decoder, Copyright by Palo Alto Networks, 2006
*
* Info sources:
* 1. HTTP RFC
* 2. MSIE vulnerabilities ;-)
*/
/* Build-time feature switches.  HTTP tags this file as the HTTP protocol
 * decoder.  ENABLE_DLP compiles in the data-loss-prevention field hooks —
 * presumably the field_*_is_begin state declared further down; the code that
 * tests these switches is not in this excerpt, so confirm before relying on it. */
#define HTTP 1
#define ENABLE_DLP 1
/*******************************************************
* Note: All file format related states need to be added
* in avinclude.sml, and any enums in panav.sml
******************************************************/
#include "version.h"
/* 8-bit decoder state.  By name it holds the HTTP_REQ_*_STATUS value (7 states,
 * so they fit) — presumed, the assignments are not shown here.  It is declared
 * between the includes, so avinclude.h may depend on it already being defined;
 * NOTE(review): confirm before moving this declaration. */
unsigned packet_status:8;
#include "avinclude.h"
#include "predict.h"
#include "att.h"
#include "http_common_hit.h"
#if (PAN_ENGINE_VERSION >= (PAN_VERSION(3,0,0,0)))
#include "gnu-httptunnel.h"
#endif
/*********************
* Global Defs *
********************/
/*
 * Decoder state variables.  In this DSL `unsigned name:N;` at file scope
 * declares an N-bit state variable.  The evasive_app note below describes a
 * flag set while parsing the request and read again in a later state, so
 * these appear to live for the whole flow rather than for one packet.
 * Widths are hard caps on the representable range: an 8-bit counter has at
 * most 256 distinct values, and an 8-bit rsp_code cannot hold every 3-digit
 * status code (hence the 16-bit form on engine >= 2.0.0.0).  Each version
 * guard adds state only for engines that know the corresponding feature.
 */
#if (PAN_ENGINE_VERSION >= (PAN_VERSION(2,1,0,8)))
unsigned host4bytes:32; /* name suggests the first 4 bytes of the Host value; use not visible here */
unsigned freegate:8; /* freegate / cgiproxy: per-app detection state, named for the apps they track */
unsigned cgiproxy:8;
unsigned pktnum:8; /* request-side packet counter; 8 bits, so 255 is the largest count it can hold */
unsigned used_as_flag:8;
#endif
/*zealot add*/
unsigned charset:32; /* charset id assigned by FIELD_CHARSET (GBK, UTF8, UTF7, UTF16*, UTF32*, GB2312, ...) */
unsigned convert_count:8;
#if (PAN_ENGINE_VERSION >= (PAN_VERSION(2,0,0,0)))
unsigned rsp_code:16; /* HTTP status code; 16 bits so all 3-digit codes are representable */
unsigned ntlm_ssp_flag:8; /*highest bit for ftp/ftp-data bug 58677*/
#else
unsigned rsp_code:8; /* older engines: only status values <= 255 can be stored */
#endif
#if (PAN_ENGINE_VERSION >= (PAN_VERSION(3,0,0,15)))
unsigned http_proxy:8;
#endif
#if (PAN_ENGINE_VERSION >= (PAN_VERSION(2,1,0,8)))
unsigned simple_request:8; /* request without a version string, judging by the REQ_SIMPLE_REQUEST_* reasons below */
unsigned switch_reason:8; /* presumably a value of the switch-reason enum below (29 values fit in 8 bits) */
unsigned p2p:8;
unsigned evasive:8; /* bit 0: for real evasive case; bit 1 and bit 2 for scotty detection.*/
unsigned rsp_pktnum:8; /* response-side packet counter (same 8-bit cap as pktnum) */
unsigned loic_count:8;
#endif
/*
 * evasive_app is used for apps that only present a valid, short HTTP header
 * in the first request packet.  The flag is set while parsing the request and
 * consulted in the evasive state to decide whether setapp is needed.  For a
 * flow that turns out to be genuine HTTP, evasive_app is free to be reused for
 * another purpose.
 * */
#if (PAN_ENGINE_VERSION >= (PAN_VERSION(3,1,0,0)))
unsigned evasive_app:16;
#endif
unsigned http_method:8; /* value of the method enum below; UNKNOWN_METHOD (0) until a method is parsed */
unsigned proto:8; /* value of the proto enum below */
//add var below for zealot secondary module check
/* *_is_begin flags, one per extracted field.  By name they record that the
 * start of that field has been seen/reported to the secondary module; the
 * code that sets them is not in this excerpt. */
unsigned field_req_uri_path_is_begin:8;
unsigned field_req_params_is_begin:8;
unsigned field_host_header_is_begin:8;
unsigned field_full_cookie_is_begin:8;
unsigned field_auth_user_is_begin:8;
unsigned field_post_message_body_is_begin:8;
unsigned field_cdn_src_ip_is_begin:8;
unsigned field_http_req_x_forwarded_for_is_begin:8;
unsigned skip_search_engine:8;
unsigned flash_search_engine:8; //added by wangshiyou for flash 0day, 2015.07.09
unsigned isRspSuspend:32 ; /* 32 bits wide although the name suggests a flag; NOTE(review): check how it is set before narrowing */
#include "http_p2p.h"
/* Byte caps for request-line scanning.  By name they pair with the
 * REQ_LONG_URL / REQ_LONG_HEADER / REQ_LONG_UNKNOWN_METHOD switch reasons
 * below, and 64 matches REQ_NO_METHOD_IN_64_BYTES — the comparisons themselves
 * are not in this excerpt.  Presumably exceeding a cap ends HTTP decoding for
 * the flow rather than truncating the field; when tuning these, remember that
 * a larger cap widens the window a peer can fill before the decoder gives up. */
#define MAX_URL_LEN 18000
#define MAX_HEADER_LEN 25000
#define MAX_METHOD_LEN 64
/* Request methods the decoder distinguishes.  The parsed value is kept in
 * http_method (8 bits).  UNKNOWN_METHOD is the first enumerator — value 0
 * under C rules — so zeroed state reads as "no method parsed".  Many entries
 * are not RFC 7231 methods; the groupings below are based on the spelling of
 * the names only, since the matching code is not shown here.  If panav.sml
 * mirrors these by value (see the note at the top of the file), inserting an
 * entry in the middle renumbers everything after it — append instead. */
enum {
UNKNOWN_METHOD,
GET,
POST,
PUT,
/* names used by WebDAV and the Exchange/Outlook WebDAV extensions */
SEARCH,
SUBSCRIBE,
UNSUBSCRIBE,
PROPFIND,
PROPPATCH,
MKCOL,
COPY,
MOVE,
LOCK,
UNLOCK,
NOTIFY,
POLL,
BCOPY,
BDELETE,
BMOVE,
BPROPFIND,
BPROPPATCH,
LINK,
UNLINK,
OPTIONS,
HEAD,
DELETE,
TRACE,
TRACK, /* IIS spelling of TRACE */
CONNECT,
RPC_CONNECT,
PROXY_SUCCESS, /* not a request method; presumably a pseudo-method for a proxy "connection established" reply */
SOURCE,
/* names associated with Microsoft BITS / SCCM / RPC-over-HTTP uploads */
BITS_POST,
CCM_POST,
SMS_POST,
RPC_IN_DATA,
RPC_OUT_DATA,
RPC_ECHO_DATA,
DVRPOST,
};
/* "for header" (original note).  The names read as server-side script /
 * file-extension types — ASP, HTR, PHP, Perl CGI, THEME, ASA — but the code
 * that assigns them is not in this excerpt.  Values start at 1 so that 0 can
 * mean "none matched". */
enum {
ASP = 1,
HTR = 2,
PHP = 3,
PLCGI = 4,
THEME = 5,
ASA = 6,
};
/* Signature selectors named after specific products and protocols, with the
 * "none" value NO_RETADDR first (0).  The *_RETADDR suffix suggests
 * return-address checks tied to particular exploit payloads;
 * VERMEER_URLENCODED and MICROSOFT_RICHUPLOAD break that pattern.  The code
 * that sets and consumes these values is outside this excerpt, so treat the
 * meanings as unconfirmed and keep the existing order when adding entries. */
enum {
NO_RETADDR,
EDIR_IMONITOR,
MINISHARE_RETADDR,
NAVICOPA_RETADDR,
BIGANT_RETADDR,
HP_POWER_MGR_RETADDR,
BLUECOAT_PROXY_RETADDR,
WINGATE_PROXY_RETADDR,
DOMINO_ACCLANG_RETADDR,
INTERSYS_CACHE_RETADDR,
OVJAVALOCALE_RETADDR,
VERMEER_URLENCODED,
MICROSOFT_RICHUPLOAD,
};
/* Reasons for giving up the HTTP interpretation of a flow (by name; the
 * value is presumably stored in switch_reason, whose 8 bits hold all 29).
 * NOREASON = 0.  REQ_LONG_HEADER / REQ_LONG_URL / REQ_LONG_UNKNOWN_METHOD line
 * up by name with MAX_HEADER_LEN / MAX_URL_LEN / MAX_METHOD_LEN above, and the
 * "_IN_N_BYTES" names record the scan window the check used (e.g.
 * REQ_NO_METHOD_IN_64_BYTES vs MAX_METHOD_LEN 64).  Each reason is a point at
 * which a crafted peer can make the decoder stop inspecting, so changes to the
 * conditions behind them deserve an evasion review.  Append new reasons at the
 * end so existing values keep their numbers (the file header says enums must
 * also be added to panav.sml). */
enum
{
NOREASON,
/* request side */
REQ_FIRST_METHOD_OFFSET_ABNORMAL1,
REQ_FIRST_METHOD_OFFSET_ABNORMAL2,
REQ_FIRST_METHOD_OFFSET_ABNORMAL3,
REQ_LONG_HEADER,
REQ_LONG_URL,
REQ_LONG_UNKNOWN_METHOD,
REQ_BINARY_UNKNOWN_METHOD,
REQ_BINARY_4_URLBYTES,
REQ_NO_METHOD_IN_64_BYTES,
REQ_SIMPLE_REQUEST_NOT_GET_METHOD,
REQ_RTMP_MATCHED,
REQ_RTMPE_MATCHED,
REQ_MULTIPLE_SIMPLE_REQUEST,
REQ_SIMPLE_REQUEST_IN_MULTIPLE_PACKET,
REQ_2_CRLF_IN_SIMPLE_REQUEST,
REQ_HTTP_VERSION_ERROR,
REQ_HTTP_VERSION_DONT_SEE_CRLF_AFTER_8_BYTES,
REQ_NOT_GET_ON_SIMPLE_REQUEST,
REQ_CRLF_FOUND_BEFORE_VERSIONSTRING,
REQ_ZERO_START_METHOD,
/* response side */
RSP_RSPLEN_GREATER_10,
RSP_VERSION_ERROR,
RSP_NOT_FOUND_HTTP_IN_10_BYTES,
RSP_NOT_FOUND_RSP_CODE_START_SPACE_IN_10_BYTES,
RSP_CODE_NOT_FINISH_IN_4_BYTES,
RSP_NO_DIGITAL_RSP_CODE,
RSP_TOO_LONG_REASON,
RSP_LONG_HEADER,
};
/* Request parse states, in the order a request is consumed: start, method,
 * URL path, query params, version, headers, body.  Presumably held in the
 * 8-bit packet_status declared near the includes (7 values fit). */
enum
{
HTTP_REQ_INIT_STATUS,
HTTP_REQ_METHOD_STATUS,
HTTP_REQ_URL_STATUS,
HTTP_REQ_PARAMS_STATUS,
HTTP_REQ_VERSION_STATUS,
HTTP_REQ_HEADERS_STATUS,
HTTP_REQ_BODY_STATUS,
};
/* Sub-protocol ids for the `proto` state variable.  Only the zero / unknown
 * value is defined in this excerpt. */
enum {
UNKNOWN_PROTO,
};
/* Open field `a` with case-insensitive matching.  `ignore_case` is the same
 * engine modifier applied to the "; charset=" pattern in FIELD_CHARSET below. */
#define FIELD_BEGIN_IGNORE_CASE(a) field_begin(a, ignore_case)
/* SEARCH_HEADER_END preceded by field_flag(flag).  Like the two macros that
 * follow, this expands to a bare statement list with no do { } while (0)
 * wrapper, so it must not be used as the unbraced body of an if/else — only
 * the first statement would be guarded. */
#define SEARCH_HEADER_END_FLAG(dirn, field_val, limit, flag) \
field_flag(flag); \
SEARCH_HEADER_END(dirn, field_val, limit)
/* Advance at most `limit` bytes looking for `delim`, reporting the outcome in
 * found_f_end.  found_f_end is reset to FALSE first and then set from `$?`,
 * which appears to be the engine's status flag for the preceding skip()
 * (assumption — confirm in the DSL reference).  If `delim` does not occur
 * within `limit`, found_f_end stays FALSE; callers must treat that as "field
 * not terminated / too long" rather than assume the field ended where the
 * cursor stopped.  Bare statement list — see the caveat on
 * SEARCH_HEADER_END_FLAG. */
#define SEARCH_FLD_END(limit, delim) \
found_f_end = FALSE; \
skip(limit,delim); \
found_f_end = $?;
/* Frame one header line for direction `dirn`.  `dirn ## _hdr_init` and
 * `dirn ## _hdr_end` are token-pasted helper names (req/rsp are the plausible
 * prefixes; the helpers themselves are not in this excerpt).  skip() examines
 * at most `limit` bytes for the byte literal "\x 0a \x", which reads as hex
 * 0x0a (LF); found_hdr_end records whether it was reached.  Two points for
 * reviewers: only LF ends the scan, so bare-LF line endings are accepted and
 * CR is not examined here; and dirn_hdr_end() runs even when no LF was found
 * within `limit`, so the caller must check found_hdr_end (presumably the
 * source of the REQ_LONG_HEADER / RSP_LONG_HEADER reasons).  Bare statement
 * list — see the caveat on SEARCH_HEADER_END_FLAG. */
#define SEARCH_HEADER_END(dirn, field_val, limit) \
dirn ## _hdr_init(field_val); \
skip(limit, "\x 0a \x"); \
found_hdr_end = $?; \
dirn ## _hdr_end();
/*############################################################*/
/* zealot add
* The original xcode had no detailed charset handling.  This block was added so
* that HTTP payloads in different character sets can be converted to a single
* common encoding: FIELD_CHARSET below sets `charset` from the "; charset="
* parameter it finds.  The next line is inside this comment and therefore not
* active; it appears to be an earlier form of the match pattern.
curr_dir ## ".*;charset=" ignore_case :\
*/
/*############################################################*/
#define FIELD_CHARSET \
stc ".*; charset=" ignore_case :\
{\
charset_offset = $;\
skip(15,"\x0d 0a\x");\
if($?){\
if(($ - charset_offset-2) == 3){\
if((*($ - 5):24 == 0x67626b) || (*($ - 5):24 == 0x47424b)){\
charset = GBK;\
}\
}\
else if(($ - charset_offset-2) == 5){\
if(((*($ - 7):32 == 0x7574662d)||(*($ - 7):32 == 0x5554462d)) && (*($ - 3):8 == 0x38)){\
charset = UTF8;\
}\
else if(((*($ - 7):32 == 0x7574662d)||(*($ - 7):32 == 0x5554462d)) && (*($ - 3):8 == 0x37)){\
charset = UTF7;\
}\
\
}\
else if(($ - charset_offset-2) == 6){\
if(((*($ - 8):32 == 0x7574662d)||(*($ - 8):32 == 0x5554462d)) && (*($ - 4):16 == 0x3136)){\
charset = UTF16;\
}\
else if(((*($ - 8):32 == 0x7574662d)||(*($ - 8):32 == 0x5554462d))&&(*($ - 4):16 == 0x3332)) {\
charset = UTF32;\
}\
else if(((*($ - 8):16 == 0x6762)||(*($ - 8):16 == 0x4742)) && (*($ - 6):32 == 0x32333132)){\
charset = GB2312;\
}\
/*else if(((*($ - 8):32 == 0x62617365)||(*($ - 8):32 == 0x42415345))&&(*($ - 4):16 == 0x3634)){\
charset = BASE64;\
}*/\
}\
else if(($ - charset_offset-2) == 8){\
if(((*($ - 10):32 == 0x7574662d)||(*($ - 10):32 == 0x5554462d)) && (*($ - 6):16 == 0x3136)){\
if((*($ - 4):16 == 0x6265) || (*($ - 4):16 == 0x4245)){\
charset = UTF16BE;\
}\
else if((*($ - 4):16 == 0x6c65) || (*($ - 4):16 == 0x4c45)){\
charset = UTF16LE;\
}\
}\
else if(((*($ - 10):32 == 0x7574662d)||(*($ - 10):32 == 0x5554462d)) && (*($ - 6):16 == 0x3332)) {\
if((*($ - 4):16 == 0x6265) || (*($ - 4):16 == 0x4245)){\
charset = UTF32BE;\
}\
else if((*($ - 4):16 == 0x6c65) || (*($ - 4):16 == 0x4c45)){\
charset = UTF32LE;\
}\
}\
}\
else if(($ - charset_offset-2)