http2: event on mismatch between authority and host

catenacyber · victorjulien · commit 46a46e5b1f49 · 2023-11-07T15:18:33.000+01:00
Ticket: OISF#6425
diff --git a/rules/http2-events.rules b/rules/http2-events.rules
@@ -18,3 +18,4 @@ alert http2 any any -> any any (msg:"SURICATA HTTP2 failed decompression"; flow:
 alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid range header"; flow:established; app-layer-event:http2.invalid_range; classtype:protocol-command-decode; sid:2290010; rev:1;)
 alert http2 any any -> any any (msg:"SURICATA HTTP2 variable-length integer overflow"; flow:established; app-layer-event:http2.header_integer_overflow; classtype:protocol-command-decode; sid:2290011; rev:1;)
 alert http2 any any -> any any (msg:"SURICATA HTTP2 too many streams"; flow:established; app-layer-event:http2.too_many_streams; classtype:protocol-command-decode; sid:2290012; rev:1;)
+alert http2 any any -> any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; app-layer-event:http2.authority_host_mismatch; classtype:protocol-command-decode; sid:2290013; rev:1;)
diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs
@@ -203,9 +203,25 @@ impl HTTP2Transaction {
     }
 
     fn handle_headers(&mut self, blocks: &[parser::HTTP2FrameHeaderBlock], dir: Direction) {
+        let mut authority = None;
+        let mut host = None;
         for block in blocks {
             if block.name == b"content-encoding" {
                 self.decoder.http2_encoding_fromvec(&block.value, dir);
+            } else if block.name.eq_ignore_ascii_case(b":authority") {
+                authority = Some(&block.value);
+            } else if block.name.eq_ignore_ascii_case(b"host") {
+                host = Some(&block.value);
+            }
+        }
+        if let Some(a) = authority {
+            if let Some(h) = host {
+                if !a.eq_ignore_ascii_case(h) {
+                    // The event is triggered only if both headers
+                    // are in the same frame to avoid excessive
+                    // complexity at runtime.
+                    self.set_event(HTTP2Event::AuthorityHostMismatch);
+                }
             }
         }
     }
@@ -383,6 +399,7 @@ pub enum HTTP2Event {
     InvalidRange,
     HeaderIntegerOverflow,
     TooManyStreams,
+    AuthorityHostMismatch,
 }
 
 pub struct HTTP2DynTable {
