Uodated DOS threshold and removed size-packet condition

Montimage · Jun 7, 2023 · 10ed226 · 10ed226
1 parent 842e935
commit 10ed226
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 20 deletions.
diff --git a/rules/96.5g_http2_dos_recognition.xml b/rules/96.5g_http2_dos_recognition.xml
@@ -4,18 +4,6 @@
 If that variable is not declared a default value will be given.
 
 -->
-
-<property value="THEN" delay_units="ms" delay_min="0" delay_max="100" property_id="96" type_property="ATTACK" 
-    description="5G Http2 DoS attack Recognition">
-    <event value="COMPUTE" event_id="1" 
-        description="This rule checks on the methods/ types that can realize a flooding:post/get/window update"
-           boolean_expression="((( http2.header_method == 131) || (http2.header_method==130)  || (http2.type==8))  &amp;&amp; (ip.src != ip.dst))"/>
-
-   <event value="COMPUTE" event_id="2" 
-        description="Calculate total"
-           boolean_expression="( #em_5g_check_msg_throughput( meta.utime ) )"/>
-
-</property>
 <embedded_functions><![CDATA[
 #include <stdlib.h>
 #include <mmt_core.h>
@@ -66,4 +54,17 @@ static inline bool em_5g_check_msg_throughput( const void *data ){
 	return (counter >= limit_5g_dos_http2_per_ms);
 }
 ]]></embedded_functions>
+
+<property value="THEN" delay_units="ms" delay_min="0" delay_max="100" property_id="96" type_property="ATTACK" 
+    description="5G Http2 DoS attack Recognition">
+    <event value="COMPUTE" event_id="1" 
+        description="This rule checks on the methods/ types that can realize a flooding:post/get/window update"
+           boolean_expression="((( http2.header_method == 131) || (http2.header_method==130)  || (http2.type==8))  &amp;&amp; (ip.src != ip.dst))"/>
+
+   <event value="COMPUTE" event_id="2" 
+        description="Calculate total"
+           boolean_expression="( #em_5g_check_msg_throughput( meta.utime ) )"/>
+
+</property>
+
 </beginning>
diff --git a/rules/97.http2_compression_attack_recognition.xml b/rules/97.http2_compression_attack_recognition.xml
@@ -0,0 +1,38 @@
+<beginning>
+<!-- 
+Compression attack involve the use of the compression in order to put a great amount of data in a single packet, in order to use a huge amount of 
+computational resources by the server after the decompression. In this case the rule checks the length of the packet. 
+Since http2 tends to merge multiple packets, an upper limit is also set so as not to confuse the attack with the coalescing operated by the protocol
+-->
+<embedded_functions><![CDATA[
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "mmt_lib.h"
+#include "tcpip/mmt_tcpip_protocols.h"
+#include "pre_embedded_functions.h"
+
+
+static int em_check(
+	   double header_length,double packet_id){	
+
+ //  	printf( " Rule 97:Recognized suspect packet. Length %f , packet id %d\n",header_length,(int)packet_id);
+	return 0;
+     	
+	}
+
+
+]]></embedded_functions>
+
+<property value="THEN"  property_id="97" type_property="ATTACK" 
+    description="5G Http2 Compression Attack" if_satisfied="">
+    <event value="COMPUTE" event_id="1" 
+        description="Rule checks the dimension of the header length. If it is greater then a threshold an alert is launched"
+           boolean_expression="( ((http2.header_length>350) &amp;&amp; (16384>http2.header_length ) &amp;&amp; ( http2.header_method == 131))||( ip.src != ip.dst ) )"/>
+
+ <event value="COMPUTE" event_id="2" 
+           description="Nothing"
+           boolean_expression="( http2.header_method != 0)"/>  
+</property>
+</beginning>
diff --git a/rules/98.http2_payload_fuzzing.xml b/rules/98.http2_payload_fuzzing.xml
@@ -19,15 +19,11 @@ static bool em_check_fuzzing(  int payload_length,const char* payload, double pa
 
 	//char*data;
 	//data=(char*)payload_data;
-
-
    	bool result=false;
-
-   	
    	for (int i = 9; i < payload_length+9; i++) {
    		//printf("  %02hhX ",payload[i]);
    		  // printf("  %c",payload[i]);
-    		  if((payload[i]=='\\')|| payload[i]=='#' || (payload[i]=='%')){
+    		  if((payload[i]=='\\')|| payload[i]=='#' || (payload[i]=='%') || (payload[i]=='$')){
     		  	result=true;
 
    		  	// printf( " Rule 98:Recognized suspect fuzzing. Length %d  %f\n",payload_length,packet_id);
@@ -36,9 +32,7 @@ static bool em_check_fuzzing(  int payload_length,const char* payload, double pa
 		
   	 }  
    	    		//  printf("\n");
-   
 	return result;
-  
 	}
 
 
@@ -51,7 +45,7 @@ static bool em_check_fuzzing(  int payload_length,const char* payload, double pa
            boolean_expression=" true"/>  
     <event value="COMPUTE" event_id="2" 
         description="HTTP2 fuzzing"
-           boolean_expression="(  (( http2.header_method == 131)  &amp;&amp; #em_check_fuzzing(http2.payload_length , http2.p_payload,meta.packet_index)  &amp;&amp;(2800>meta.packet_len))  &amp;&amp; (ip.src != ip.dst))"/>
+           boolean_expression="(  (( http2.header_method == 131)  &amp;&amp; #em_check_fuzzing(http2.payload_length , http2.p_payload,meta.packet_index) )  &amp;&amp; (ip.src != ip.dst))"/>
 
 
 </property>