diff --git a/rules/http2-events.rules b/rules/http2-events.rules index 868943a77bed..7cceaf24c307 100644 --- a/rules/http2-events.rules +++ b/rules/http2-events.rules @@ -19,3 +19,4 @@ alert http2 any any -> any any (msg:"SURICATA HTTP2 invalid range header"; flow: alert http2 any any -> any any (msg:"SURICATA HTTP2 variable-length integer overflow"; flow:established; app-layer-event:http2.header_integer_overflow; classtype:protocol-command-decode; sid:2290011; rev:1;) alert http2 any any -> any any (msg:"SURICATA HTTP2 too many streams"; flow:established; app-layer-event:http2.too_many_streams; classtype:protocol-command-decode; sid:2290012; rev:1;) alert http2 any any -> any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; app-layer-event:http2.authority_host_mismatch; classtype:protocol-command-decode; sid:2290013; rev:1;) +alert http2 any any -> any any (msg:"SURICATA HTTP2 user info in uri"; flow:established,to_server; app-layer-event:http2.userinfo_in_uri; classtype:protocol-command-decode; sid:2290014; rev:1;) diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs index bbaeddb40434..14d7b47dfb03 100644 --- a/rust/src/http2/http2.rs +++ b/rust/src/http2/http2.rs @@ -210,6 +210,11 @@ impl HTTP2Transaction { self.decoder.http2_encoding_fromvec(&block.value, dir); } else if block.name.eq_ignore_ascii_case(b":authority") { authority = Some(&block.value); + if block.value.iter().any(|&x| x == b'@') { + // it is forbidden by RFC 9113 to have userinfo in this field + // when in HTTP1 we can have user:password@domain.com + self.set_event(HTTP2Event::UserinfoInUri); + } } else if block.name.eq_ignore_ascii_case(b"host") { host = Some(&block.value); } @@ -400,6 +405,7 @@ pub enum HTTP2Event { HeaderIntegerOverflow, TooManyStreams, AuthorityHostMismatch, + UserinfoInUri, } pub struct HTTP2DynTable {