diff --git a/CHANGELOG.md b/CHANGELOG.md
index ab3c3ae..52020f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,11 @@
+# Version 1.2.19 (15 June 2023)
+- minor update in rules 96,97 and 98 concerining HTTP2 attacks detection
+
+# Version 1.2.18 (03 June 2023)
+- Add security rule 98 to detect attacks concerning HTTP2
+- Add warning messages when DPI payload points to outside of packet data
+- Print timeval in alert messages
+
# Version 1.2.17 (17 May 2023)
- Add 2 security rules, 96, 97 to detect attacks concerning HTTP2
diff --git a/Makefile b/Makefile
index 1dd03f2..0fffcff 100644
--- a/Makefile
+++ b/Makefile
@@ -25,7 +25,7 @@ MMT_DPI_DIR := $(MMT_BASE)/dpi
#get git version abbrev
GIT_VERSION := $(shell git log --format="%h" -n 1)
-VERSION := 1.2.17
+VERSION := 1.2.19
CACHE_LINESIZE := 64 #$(shell getconf LEVEL1_DCACHE_LINESIZE)
diff --git a/francesco b/francesco
new file mode 100644
index 0000000..e69de29
diff --git a/rules/.93.corrupted_ngap.xml.swp b/rules/.93.corrupted_ngap.xml.swp
new file mode 100644
index 0000000..397ca60
Binary files /dev/null and b/rules/.93.corrupted_ngap.xml.swp differ
diff --git a/rules/96.http2_dos_recognition.xml b/rules/96.http2_dos_recognition.xml
index b826a43..d5f5fa2 100644
--- a/rules/96.http2_dos_recognition.xml
+++ b/rules/96.http2_dos_recognition.xml
@@ -58,10 +58,10 @@ static inline bool em_5g_check_msg_throughput( const void *data ){
description="5G Http2 DoS attack Recognition">
+ boolean_expression="(((( http2.header_method == 131) || (http2.header_method==130)) || (http2.type==8)) && (ip.src != ip.dst) )"/>
+ boolean_expression="( #em_5g_check_msg_throughput( meta.utime ) )"/>
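Review bot: The numeric constants in the first boolean_expression (`http2.header_method == 131`, `== 130`, `http2.type == 8`) are not explained anywhere in the hunk, and rule 97 reuses `131` the same way. If `header_method` is the raw HPACK byte, 130 and 131 are the indexed representations of `:method GET` and `:method POST` and frame type 8 is WINDOW_UPDATE; stating that in the rule's description (or a `<!-- -->` comment above the property) would let a maintainer verify the rule without decoding HPACK by hand. The hunk header reports 10 lines but only three are rendered here, so any explanation in the omitted lines is not visible to me. Separately, the commit adds an empty file `francesco` and the editor swap file `rules/.93.corrupted_ngap.xml.swp`; both look accidental, and a swap file can carry unreviewed draft content of rule 93.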
diff --git a/rules/97.http2_compression_attack_recognition.xml b/rules/97.http2_compression_attack_recognition.xml
index 9e47467..d01edd3 100644
--- a/rules/97.http2_compression_attack_recognition.xml
+++ b/rules/97.http2_compression_attack_recognition.xml
@@ -14,23 +14,24 @@ Since http2 tends to merge multiple packets, an upper limit is also set so as no
#include "pre_embedded_functions.h"
-static int em_check( double header_length,double packet_id){
+static int em_check(
+ double header_length,double packet_id){
//printf( " Rule 97:Recognized suspect packet. Length %f , packet id %d\n",header_length,(int)packet_id);
return 0;
-
}
+
]]>
+ description="5G Http2 Compression Attack" if_satisfied="">
+ description="Rule checks the dimension of the header length. If it is greater then a threshold an alert is launched"
+ boolean_expression="( ((http2.header_length>350) && (16384>http2.header_length ) && ( http2.header_method == 131)) && ( ip.src != ip.dst ) )"/>
+ description="Nothing"
+ boolean_expression="( http2.header_method != 0)"/>
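Review bot: `em_check` now returns 0 unconditionally with its only statement commented out, so `header_length` and `packet_id` are unused parameters and the function is effectively dead; either drop it from the rule or, if it is kept as a hook, add `(void)header_length; (void)packet_id;` and a one-line comment saying it is a placeholder. Splitting the signature across two lines (`static int em_check(` / ` double header_length,double packet_id){`) is a formatting regression with no functional change; keep it on one line. The second event's `description="Nothing"` gives an operator reading the alert no information; describe what it matches (a frame whose `http2.header_method` is non-zero). The thresholds 350 and 16384 in the first boolean_expression are unexplained; a comment tying 16384 to the HTTP/2 default maximum frame size (if that is the intent) and 350 to the observed baseline would help whoever tunes this rule later.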
diff --git a/rules/98.http2_payload_fuzzing.xml b/rules/98.http2_payload_fuzzing.xml
new file mode 100644
index 0000000..262fa81
--- /dev/null
+++ b/rules/98.http2_payload_fuzzing.xml
@@ -0,0 +1,45 @@
+
+
+
+
+#include
+#include
+#include "mmt_lib.h"
+
+static bool em_check_fuzzing(int payload_length, const char* payload, double packet_id){
+
+ //char*data;
+ //data=(char*)payload_data;
+ bool result=false;
+ for (int i = 9; i < payload_length; i++) {
+ //printf(" %02hhX ",payload[i]);
+ //printf(" %c",payload[i]);
+ if((payload[i]=='\\')|| payload[i]=='#' || (payload[i]=='%') || (payload[i]=='$')){
+ result=true;
+
+ // printf( " Rule 98:Recognized suspect fuzzing. Length %d %f\n",payload_length,packet_id);
+ break;
+ }
+ }
+ //printf("\n");
+ return result;
+}
+
+
+]]>
+
+
+
+
+
+
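Review bot: `em_check_fuzzing` dereferences `payload` without a NULL check, never uses `packet_id`, and starts the scan at `i = 9` with no explanation; `if (payload == NULL) return false;` and `(void)packet_id;` before the loop, plus a comment such as `// skip the 9-octet HTTP/2 frame header` (if that is the intent), would make the embedded function self-describing. The two bare `#include` lines at the top of the hunk name no header; if the names were lost in rendering this is harmless, otherwise the block will not compile. The heuristic fires on any single `\`, `#`, `%` or `$` byte past offset 9, so presumably ordinary DATA frames carrying URL-encoded or JSON bodies will match; documenting the expected false-positive behaviour, or requiring a count threshold, would help operators triage the alert. The commented-out printf lines should be removed rather than carried into a new file.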
diff --git a/src/dpi/mmt_dpi.h b/src/dpi/mmt_dpi.h
index 814d663..5d602e1 100644
--- a/src/dpi/mmt_dpi.h
+++ b/src/dpi/mmt_dpi.h
@@ -1,4 +1,4 @@
-/* This code is generated automatically on 2023-05-05 11:55:39 using MMT-DPI v1.7.7 (bb5a7176). */
+/* This code is generated automatically on 2023-06-02 12:19:50 using MMT-DPI v1.7.8 (68bd7d93). */
/* If you want to modify something, goto /home/frank/mmt-security/src/main_gen_dpi.c */
#ifndef __MMT_SEC_DPI_H_
#define __MMT_SEC_DPI_H_
@@ -9783,6 +9783,6 @@ static inline long get_attribute_index( uint32_t p_id, uint32_t a_id ){
return -1;
}
static inline const char* mmt_version(){
- return "1.7.7 (bb5a7176)";
+ return "1.7.8 (68bd7d93)";
}
#endif //__MMT_SEC_DPI_H_
\ No newline at end of file
diff --git a/src/lib/dpi_message_t.h b/src/lib/dpi_message_t.h
index f56a072..8c4d6d0 100644
--- a/src/lib/dpi_message_t.h
+++ b/src/lib/dpi_message_t.h
@@ -55,8 +55,17 @@ static inline size_t dpi_get_payload_len(const ipacket_t * ipacket, uint32_t pro
//get header offset of the proto after #proto_id
if ( (i+1) <= ipacket->proto_hierarchy->len){
offset +=ipacket->proto_headers_offset->proto_path[i+1];
+ //this condition occurs only when we have bug in DPI
+ // as it indicates that the header of the next protocol is outside of the packet data
+ //However we check it anyway to ensure no error in mmt-security
+ //We also raise an alert
+ if( offset > ipacket->p_hdr->caplen ){
+ mmt_warn("In %"PRIu64"-th packet: incorrect header of %d-th protocol which is after the protocol having ID=%"PRIu32" is at %"PRIu32". "
+ "It is outside of packet as packet length=%"PRIu32".",
+ ipacket->packet_id, (i+1), proto_id, offset, ipacket->p_hdr->caplen );
+ return 0;
+ }
length = ipacket->p_hdr->caplen - offset;
-
return length;
}
return 0;
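Review bot: The comment block above the new `offset > ipacket->p_hdr->caplen` check says "We also raise an alert", but the code only logs through `mmt_warn` and returns 0; the comment should describe what the code does, e.g. `// Log a warning and report an empty payload instead of computing a wrapped length`. The same block and check are added again in the second hunk of this file (`dpi_get_data_len`), so the wording applies there too. Because the warning is emitted once per offending packet and the condition presumably depends on input a sender influences (a truncated or malformed capture could trigger it, not only a DPI bug), consider rate-limiting the message so a burst of such packets cannot flood the log. Both enclosing functions, `dpi_get_payload_len` and `dpi_get_data_len`, begin before their hunks.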
@@ -81,8 +90,18 @@ static inline size_t dpi_get_data_len( const ipacket_t * ipacket, uint32_t proto
for (i = 1; i < ipacket->proto_hierarchy->len; i++){
offset +=ipacket->proto_headers_offset->proto_path[i];
if ( ipacket->proto_hierarchy->proto_path[i] == proto_id ){
- length = ipacket->p_hdr->caplen - offset;
+ //this condition occurs only when we have bug in DPI
+ // as it indicates that the header of the next protocol is outside of the packet data
+ //However we check it anyway to ensure no error in mmt-security
+ //We also raise an alert
+ if( offset > ipacket->p_hdr->caplen ){
+ mmt_warn("In %"PRIu64"-th packet: incorrect header of %d-th protocol which has ID=%"PRIu32" is at %"PRIu32". "
+ "It is outside of packet as packet length=%"PRIu32".",
+ ipacket->packet_id, (i), proto_id, offset, ipacket->p_hdr->caplen );
+ return 0;
+ }
+ length = ipacket->p_hdr->caplen - offset;
return length;
}
}
diff --git a/src/lib/mmt_security.c b/src/lib/mmt_security.c
index 301b878..8fc346f 100644
--- a/src/lib/mmt_security.c
+++ b/src/lib/mmt_security.c
@@ -432,7 +432,7 @@ static const char* _convert_execution_trace_to_json_string( const mmt_array_t *t
const message_t *msg;
const message_element_t *me;
bool is_first;
- struct timeval time;
+ struct timeval time, *ptime;
const mmt_array_t *proto_atts_event; //proto_att of an event
const proto_attribute_t *pro_ptr;
double double_val;
@@ -535,6 +535,12 @@ static const char* _convert_execution_trace_to_json_string( const mmt_array_t *t
u8_ptr = NULL;
switch( pro_ptr->dpi_type ){
+ case MMT_DATA_TIMEVAL:
+ u8_ptr = (uint8_t *) me->data;
+ ptime = (struct timeval *) me->data;
+ size = snprintf(str_ptr, total_len, "%ld.%06ld",
+ ptime->tv_sec, ptime->tv_usec );
+ break;
case MMT_DATA_IP_NET: /**< ip network address constant value */
case MMT_DATA_IP_ADDR: /**< ip address constant value */
u8_ptr = (uint8_t *) me->data;