00001 //--------------------------------------------------------------------------
00002 // Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
00003 //
00004 // This program is free software; you can redistribute it and/or modify it
00005 // under the terms of the GNU General Public License Version 2 as published
00006 // by the Free Software Foundation. You may not use, modify or distribute
00007 // this program under any other version of the GNU General Public License.
00008 //
00009 // This program is distributed in the hope that it will be useful, but
00010 // WITHOUT ANY WARRANTY; without even the implied warranty of
00011 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
00012 // General Public License for more details.
00013 //
00014 // You should have received a copy of the GNU General Public License along
00015 // with this program; if not, write to the Free Software Foundation, Inc.,
00016 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
00017 //--------------------------------------------------------------------------
00018 // http_msg_start.cc author Tom Peters <thopeter@cisco.com>
00019
00020 #ifdef HAVE_CONFIG_H
00021 #include "config.h"
00022 #endif
00023
00024 #include "http_msg_start.h"
00025
00026 using namespace HttpEnums;
00027
// Entry point for analyzing a message start line: the whole message text this
// object was given (msg_text) is treated as the start line, then handed to
// parse_start_line(). parse_start_line() is not defined in this file;
// presumably it splits the line into its fields (method/status, version, ...)
// and is where derive_version_id() gets called — confirm in the subclass that
// implements it.
void HttpMsgStart::analyze()
{
    start_line.set(msg_text);
    parse_start_line();
}
00033
// Classify the start-line version token ("HTTP/x.y") into version_id.
//
// Only bytes 5, 6 and 7 of the token are examined: the major digit, the '.'
// separator and the minor digit. The "HTTP/" prefix itself is not checked
// here, and neither is the token length.
//
// NOTE(review): the three reads below are unconditional. The caller must
// guarantee that version holds at least 8 bytes; if a shorter token can reach
// this point the reads go past the end of the field. Confirm the length check
// in parse_start_line() (not visible in this file) before relying on it.
//
// Outcomes:
//   - no '.' at byte 6, or a non-digit major/minor  -> VERS__PROBLEMATIC,
//     INF_BAD_VERSION infraction, EVENT_BAD_VERS event
//   - 1.1 / 1.0 / 2.0 / 0.9                          -> the matching VERS_* id
//   - any other digit.digit pair                     -> VERS__OTHER,
//     INF_UNKNOWN_VERSION infraction, EVENT_UNKNOWN_VERS event
void HttpMsgStart::derive_version_id()
{
    const char* const vers = version.start();
    const char major = vers[5];
    const char separator = vers[6];
    const char minor = vers[7];

    const bool major_is_digit = (major >= '0') && (major <= '9');
    const bool minor_is_digit = (minor >= '0') && (minor <= '9');

    if ((separator != '.') || !major_is_digit || !minor_is_digit)
    {
        // Malformed token: either the separator is missing or one of the
        // version numbers is not a single decimal digit.
        version_id = VERS__PROBLEMATIC;
        add_infraction(INF_BAD_VERSION);
        create_event(EVENT_BAD_VERS);
        return;
    }

    // Both digits are validated above, so this packs "x.y" into the integer xy.
    const int packed_version = ((major - '0') * 10) + (minor - '0');

    switch (packed_version)
    {
    case 11:
        version_id = VERS_1_1;
        break;
    case 10:
        version_id = VERS_1_0;
        break;
    case 20:
        version_id = VERS_2_0;
        break;
    case 9:
        // "HTTP/0.9" on the wire is not genuine: 0.9 predates version labels.
        // It appears here because HttpStreamSplitter::reassemble() rewrites
        // real 0.9 responses into a minimal 1.0-style form labeled 0.9, so the
        // rest of the inspector can handle them without a separate code path.
        // FIXIT-M this relabeling trick means a peer can hand us a genuine
        // start line that says HTTP/0.9 and have it treated as the converted
        // form. That spoofing path needs to be closed.
        // FIXIT-M it is also unresolved whether "HTTP/2.0" is something we can
        // legitimately observe, or whether real HTTP/2 traffic would arrive
        // relabeled as 1.1 by the down-conversion software. Research needed.
        version_id = VERS_0_9;
        break;
    default:
        // Well-formed digit.digit, but not a version this inspector knows.
        version_id = VERS__OTHER;
        add_infraction(INF_UNKNOWN_VERSION);
        create_event(EVENT_UNKNOWN_VERS);
        break;
    }
}
00082
END OF CODE