Merge pull request #10 from Montimage/francesco

Francesco
Montimage · Jun 15, 2023 · c59a88e · c59a88e
2 parents aee7ce4 + cf4360d
commit c59a88e
Show file tree

Hide file tree

Showing 8 changed files with 26 additions and 24 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+# Version 1.2.19 (15 June 2023)
+- minor update in rules 96,97 and 98 concerining HTTP2 attacks detection
+
 # Version 1.2.18 (03 June 2023)
 - Add security rule 98 to detect attacks concerning HTTP2
 - Add warning messages when DPI payload points to outside of packet data

diff --git a/Makefile b/Makefile
@@ -25,7 +25,7 @@ MMT_DPI_DIR := $(MMT_BASE)/dpi
 
 #get git version abbrev
 GIT_VERSION := $(shell git log --format="%h" -n 1)
-VERSION     := 1.2.18
+VERSION     := 1.2.19
 
 CACHE_LINESIZE := 64 #$(shell getconf LEVEL1_DCACHE_LINESIZE)
 

diff --git a/francesco b/francesco
diff --git a/rules/.93.corrupted_ngap.xml.swp b/rules/.93.corrupted_ngap.xml.swp
diff --git a/rules/96.http2_dos_recognition.xml b/rules/96.http2_dos_recognition.xml
@@ -58,10 +58,10 @@ static inline bool em_5g_check_msg_throughput( const void *data ){
     description="5G Http2 DoS attack Recognition">
     <event value="COMPUTE" event_id="1" 
         description="HTTP2 check on the methods/ types that can realize a flooding"
-           boolean_expression="(((( http2.header_method == 131) || (http2.header_method==130))  || (http2.type==8)) &amp;&amp; (ip.src != ip.dst) )"/>
+        boolean_expression="(((( http2.header_method == 131) || (http2.header_method==130))  || (http2.type==8)) &amp;&amp; (ip.src != ip.dst) )"/>
 
    <event value="COMPUTE" event_id="2" 
         description="Calculate total"
-           boolean_expression="( #em_5g_check_msg_throughput( meta.utime ) )"/>
+        boolean_expression="( #em_5g_check_msg_throughput( meta.utime ) )"/>
 </property>
 </beginning>
diff --git a/rules/97.http2_compression_attack_recognition.xml b/rules/97.http2_compression_attack_recognition.xml
@@ -15,12 +15,11 @@ Since http2 tends to merge multiple packets, an upper limit is also set so as no
 
 
 static int em_check(
-	   double header_length,double packet_id){	
+	double header_length,double packet_id){	
 
- //  	printf( " Rule 97:Recognized suspect packet. Length %f , packet id %d\n",header_length,(int)packet_id);
+	//printf( " Rule 97:Recognized suspect packet. Length %f , packet id %d\n",header_length,(int)packet_id);
 	return 0;
-     	
-	}
+}
 
 
 ]]></embedded_functions>
@@ -29,10 +28,10 @@ static int em_check(
     description="5G Http2 Compression Attack" if_satisfied="">
     <event value="COMPUTE" event_id="1" 
         description="Rule checks the dimension of the header length. If it is greater then a threshold an alert is launched"
-           boolean_expression="( (http2.header_length>350) &amp;&amp; (16384>http2.header_length ) &amp;&amp; ( http2.header_method == 131)  )"/>
+        boolean_expression="( ((http2.header_length>350) &amp;&amp; (16384>http2.header_length ) &amp;&amp; ( http2.header_method == 131)) &amp;&amp; ( ip.src != ip.dst ) )"/>
 
  <event value="COMPUTE" event_id="2" 
-           description="Nothing"
-           boolean_expression="( http2.header_method != 0)"/>  
+        description="Nothing"
+        boolean_expression="( http2.header_method != 0)"/>  
 </property>
 </beginning>
diff --git a/rules/98.http2_payload_fuzzing.xml b/rules/98.http2_payload_fuzzing.xml
@@ -11,19 +11,19 @@ This rule analizes char by char in order to find unusual characters in the paylo
 #include <stdlib.h>
 #include "mmt_lib.h"
 
-static bool em_check_fuzzing(  int payload_length,const char* payload, double packet_id){
+static bool em_check_fuzzing(int payload_length, const char* payload, double packet_id){
 
 	//char*data;
 	//data=(char*)payload_data;
-
 	bool result=false;
-	
-	for (int i = 9; i < payload_length+9; i++) {
+	for (int i = 9; i < payload_length; i++) {
 		//printf("  %02hhX ",payload[i]);
-		  if((payload[i]=='\\')|| payload[i]=='#' || (payload[i]=='%')){
-				result=true;
-				//printf( " Rule 98:Recognized suspect fuzzing. Length %d  %f\n",payload_length,packet_id);
-				break;
+		//printf("  %c",payload[i]);
+		if((payload[i]=='\\')|| payload[i]=='#' || (payload[i]=='%') || (payload[i]=='$')){
+			result=true;
+
+			// printf( " Rule 98:Recognized suspect fuzzing. Length %d  %f\n",payload_length,packet_id);
+			 break;
 			}
 	}
 	//printf("\n");
@@ -36,10 +36,10 @@ static bool em_check_fuzzing(  int payload_length,const char* payload, double pa
 <property value="THEN"  property_id="98" type_property="ATTACK" 
     description="5G Http2 fuzzing Payload Recognition">
      <event value="COMPUTE" event_id="1" 
-           description="Nothing"
-           boolean_expression=" true"/>  
+        description="Nothing"
+        boolean_expression=" true"/>  
     <event value="COMPUTE" event_id="2" 
-           description="HTTP2 fuzzing"
-           boolean_expression="( ((( http2.header_method == 131)  &amp;&amp; #em_check_fuzzing(http2.payload_length, http2.p_payload,meta.packet_index))  &amp;&amp;(2800>meta.packet_len)) &amp;&amp; (ip.src != ip.dst))"/>
+        description="HTTP2 fuzzing"
+        boolean_expression="(  (( http2.header_method == 131)  &amp;&amp; #em_check_fuzzing(http2.payload_length , http2.p_payload,meta.packet_index) )  &amp;&amp; (ip.src != ip.dst))"/>
 </property>
 </beginning>
diff --git a/src/dpi/mmt_dpi.h b/src/dpi/mmt_dpi.h
@@ -1,4 +1,4 @@
-/* This code is generated automatically on 2023-05-05 11:55:39 using MMT-DPI v1.7.7 (bb5a7176). */
+/* This code is generated automatically on 2023-06-02 12:19:50 using MMT-DPI v1.7.8 (68bd7d93). */
 /* If you want to modify something, goto /home/frank/mmt-security/src/main_gen_dpi.c */
  #ifndef __MMT_SEC_DPI_H_
  #define __MMT_SEC_DPI_H_
@@ -9783,6 +9783,6 @@ static inline long get_attribute_index( uint32_t p_id, uint32_t a_id ){
 	return -1;
 }
  static inline const char* mmt_version(){
-    return "1.7.7 (bb5a7176)";
+    return "1.7.8 (68bd7d93)";
 }
 #endif //__MMT_SEC_DPI_H_